HIPAA configuration

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights

Notion’s SAML SSO is built upon the SAML 2.0 standard, connecting your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience. Notion supports official configurations for SAML SSO with: Azure, Google, Gusto, Okta, OneLogin, and Rippling.
To get started using SAML SSO with Notion, you will need to complete the following steps:

• Verify domain(s): To use advanced security features, you must verify ownership of your email domain. This is an automated process that involves adding a TXT record onto your domain’s DNS to verify your ownership of it.

• Enable SAML SSO: This will toggle the feature on and complete the configuration. For more information on completing the SAML SSO configuration, please refer to our IdP-specific guides.

• Change default login method: Once SAML SSO is enabled for the first time, the default login method will be set to Any method, meaning that users have the option of logging in via SAML or their normal login method. By setting this to Only SAML SSO, this enforces SAML as the login method for your workspace for managed users with verified company emails.

• Link additional workspaces: If you have more than one workspace you’d like to configure with SSO, you can do so by reaching out to team@makenotion.com.

Once properly configured, any members signing into your workspace(s) will need to use the verified domain and will need to be authenticated through your identity provider. Enterprise workspace owners are able to bypass by using an alternative login method in case there’s an IdP/SAML SSO failure.

Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity

Notion has a SCIM API which can be used to provision, manage, and de-provision members and groups. Workspace owners can find the required API key by going to Settings & members -> Security & identity -> SCIM Configuration and clicking to view the token.

Please see our SCIM documentation for the latest information on how you can interact with Notion’s SCIM API. Notion supports official SCIM applications with Google, Gusto, Okta, OneLogin, and Rippling.

Emergency Access Procedure

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues:

- View who has access to a page
- Modify the permissions of a page
- Discover and re-assign abandoned pages from former employees

You can export a Notion page, database, or entire workspace at any time.

Automatic Logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity

Set custom session duration: For managed users on the Enterprise plan, Notion has a default session duration of 180 days. However, workspace owners can customize their session duration from 1 hour to 180 days.

Force logout managed users: Force logout for individual users or for all workspace users at once.

Force password reset: Force password reset for individual users or for all workspace users at once.

If you de-provision a user via SCIM, they will be removed from the workspace and their session will be terminated.

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Enterprise workspace owners have access to an Audit Log (under Settings & members) which gives an overview of a large range of events that have occurred in the workspace.

This can be especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access. The workspace audit log can be exported in CSV format.

Enterprise customers can also utilize our Data Loss Prevention (DLP) partner integrations to discover, classify, and protect sensitive data in Notion.

Integrity Controls

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of

Disable public page sharing: This will disable the Share to web option in the Share menu on every page in this workspace.

Disable guests: This prevents anyone from inviting people outside the workspace to any page. You don’t need to use this control if you’d like to invite guests as needed, but note that Notion may not be used to communicate with patients, plan members, or their families and employers. If you need to enable guests, we recommend turning on guest requests. This implements an approval process so that you can have guests in your workspace while ensuring HIPAA compliance.

Disable moving or duplicating pages to other workspaces: This prevents anyone from moving or duplicating pages to other workspaces via the Move To or Duplicate action.

Disable export: This prevents anyone from exporting as Markdown, CSV, or PDF.

Disable workspace creation: This prevents anyone from creating new workspace(s) without approval.

Disable or allowlist third party extensions: This prevents anyone from adding non-approved 3rd party extensions to your Notion workspace.

Disable external workspace access: This prevents managed users from joining or accessing external workspace outside of your organization.

Person or Entity Authentication

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Disable profile changes: This prevents managed users from changing their own profile information to avoid impersonations.

Domain management: Domain refers to the email address domain associated with a Notion account. Domain verification allows workspace owners to claim ownership over a domain, which will unlock domain management settings.

Disable guests: This prevents anyone from inviting people outside the workspace to any page. You don’t need to use this control if you’d like to invite guests as needed, but note that Notion may not be used to communicate with patients, plan members, or their families and employers. If you need to enable guests, we recommend turning on guest requests. This implements an approval process so that you can have guests in your workspace while ensuring HIPAA compliance.

Suspend & delete a managed user account: Suspend or delete managed user accounts from the user management dashboard.

Disable managed user account deletion: Prevent managed users from deleting their accounts on their own

Data Retention & Disposal

Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored

There isn't a way to empty your trash all at once. You can go into the trash to delete pages permanently individually. After you delete the page from the Trash, it will be deleted from Notion’s servers after 30 days.

We keep backups of our database, which allows us to restore a snapshot of your content in the past 30 days if you need it.

Transmission Security

Implement technical security measures to guard against unauthorized
access to electronic protected health information that is being transmitted over an electronic communications network.

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted when on Notion’s internal networks, at rest in Cloud storage, database tables, and backups.

Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.