HIPAA Compliance

Available on the Asana Enterprise+ tier, and on the Legacy Enterprise tier for existing customers who have already enabled the feature.

Visit our pricing page for more information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that requires national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Businesses subject to HIPAA can use Asana to support HIPAA-compliant work management.

HIPAA compliance for Asana is governed by Asana’s Business Associate Addendum (BAA). For additional detail on HIPAA and Asana, please refer to the HIPAA Data Sheet.

Enabling HIPAA

After purchasing the HIPAA compliance option for Asana, follow the steps below to agree to Asana's Business Associate Addendum (BAA) and enable HIPAA compliance in your domain. Note that only a Super Admin can agree to Asana's BAA in the Admin Console, and HIPAA compliance is not activated until that agreement is recorded.

Existing Legacy Enterprise customers who have not enabled HIPAA compliance will need to move to the Asana Enterprise+ tier if they wish to enable it.

1. From the Admin Console, navigate to the Security tab.

2. Navigate to HIPAA compliance and review the BAA and the Use Requirements and Limitations.

3. After agreeing to the terms, allow 24 hours for HIPAA compliance to activate across your domain.

Maintaining HIPAA Compliance

Please review Asana’s Data Sheet for guidance on maintaining HIPAA compliance in your domain.

What changes can I expect once HIPAA compliance has been activated for my organization?

Activating HIPAA compliance in an Asana domain has broad implications for product behavior, including Asana AI features, notifications, mobile, and login experiences. For more detail on HIPAA-related changes, review Asana's HIPAA Data Sheet and Business Associate Addendum (BAA).

PHI (Protected Health Information) should only be entered into project or task descriptions, task titles, custom fields on tasks, comments, and attachments on tasks. See the HIPAA Use Requirements and Limitations for more information.

HIPAA Compliance FAQ

Will integrations still be available?

Integrations and Personal Access Tokens (PATs) in the domain are disabled by default. Apps that were already enabled remain enabled, and a super admin should use the App Management feature to review how existing integrations are being used. New applications require an Asana super admin's approval before they can be enabled. When an integration is disabled, it is disabled for all users in the domain.

Will goals still be visible?

Goals will remain unchanged but should not include PHI. PHI should be limited to project or task descriptions, task titles, custom fields on tasks, comments, and attachments on tasks. See our HIPAA Use Requirements and Limitations for more information.

Will reporting still be available across my organization?

There will be no change to reporting. You’ll still have access to the same tasks, projects and portfolios as before HIPAA compliance was activated.
