HIPAA & BAA · Project management
Is Asana HIPAA compliant?
Conditionally. Asana supports HIPAA for eligible Enterprise customers who accept Asana's BAA in the Admin Console and enable HIPAA Compliance; lower tiers are not covered.
Key facts
- BAA available: Conditionally, on specific plans
- What it takes: Eligible Enterprise tier (Enterprise+), with the BAA accepted and HIPAA Compliance activated in the Admin Console
- Official source: Asana Help: HIPAA compliance & data security, https://help.asana.com/s/article/hipaa-compliance?language=en_US (verified 2026-06)
How to use Asana in a HIPAA-compliant way
- Confirm you are on an eligible Enterprise tier (legacy Enterprise customers must move to Enterprise+ to enable HIPAA).
- In the Admin Console, go to Security, then HIPAA compliance, and review the BAA plus Use Requirements and Limitations.
- Have a super admin agree to Asana's BAA in the Admin Console.
- Allow up to 24 hours for HIPAA compliance to activate across the domain.
- Review and re-approve integrations and Personal Access Tokens (PATs), which are disabled by default under HIPAA mode.
Important caveats
- PHI may only be placed in supported locations (task titles/descriptions, custom fields, comments, attachments).
- All integrations and Personal Access Tokens are disabled by default and require super-admin approval.
- Only eligible Enterprise/Enterprise+ tiers qualify; non-Enterprise plans cannot enable HIPAA.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Asana correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Asana.
Frequently asked questions
Does Asana sign a BAA?
On specific plans. It requires an eligible Enterprise tier (Enterprise+), with the BAA accepted and HIPAA Compliance activated in the Admin Console. A signed BAA is required before any PHI is involved.
Is Asana HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Asana offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Asana with PHI?
PHI may only be placed in supported locations (task titles/descriptions, custom fields, comments, attachments).