Add a HIPPA / BAA policy to Asana

As a healthcare provider, I would love to be able to use Asana to keep track of tasks, including what contacts need to be made with patients, which patient records need updates, etc. I understand that the Box integration is HIPAA compliant, but I don’t need to upload files, I just need to be able to add patient names to tasks. Typically for these sorts of uses, the company would need to sign a HIPAA Business Associates Agreement. Will Asana do this?


Hi @Lauren7

Asana is not specific to the medical field and as such we do not have clearly identifiable HIPAA compliance standards, but we keep any data entered into Asana secure. Your data is not encrypted on the servers (for performance reasons), but we do encrypt over the wire via SSL. Security is something we take very seriously. Please take a look at this information:

One workaround we can offer is the use of our integration with Box, which is HIPAA compliant. The link to our Box integration is below:

Let me know if you have any further questions or concerns.

Ok thanks! Sounds like it’s a no-go for healthcare professionals if we need to add any PHI to a task (HIPAA requires a BAA be signed, even with really great security). Maybe someday in the future you’ll consider a HIPAA/BAA policy; that would be awesome!


Because I can’t find a convenient way to contact support, I’m posting my question here.

Please get back to me ASAP.


No, it is not HIPAA compliant. Only the integrations with files in Box and Dropbox are.

See Add a HIPPA / BAA policy to Asana - #2 for an official answer.


While I understand that Asana offers the integrations as HIPAA compliant alternatives, how does Asana “enforce” or enable that to be the only way a user can add attachments? Can these fields be disabled once the integrations are utilized?

I know this was previously answered, but I wanted to revisit and confirm if Asana is able to meet HIPAA compliance and sign BAAs?

It looks like competitors (Monday & Smartsheets) will do so, so I wasn’t sure if Asana’s position had changed.

We currently use Asana, and make sure no PHI gets added. I would greatly prefer to have the ability to add PHI to our projects though. This would typically be in the form of an attachment, but it could also be comments or task description.


I agree completely here. Asana is my favorite of all task/project management tools and I have used them all. It would be a shame not to use it now that I am needing to share questions regarding patients, etc. with others. It sounds to me that it is not a big IT lift for them; they probably have all the security standards in place, they just don’t want to bother looking into what it takes for them to state they are compliant and provide a BAA agreement like their competitors do.


If they don’t encrypt data at rest, then it would be a pretty big technical lift for them. It’s never as easy as it seems.

That being said, this is important enough that we may be moving off of the Asana platform because of it.


As a healthcare provider I’d also love it if Asana would consider adding a Business Associate Agreement so that healthcare providers can use it to track client info safely. That BAA is pretty important when it comes to HIPAA compliance. It looks like you offer a ton of security and encryption already, but that piece is what makes it usable from a healthcare provider’s needs.


Please please please add this! We need it more than ever in the time of COVID.


The last thread on HIPAA compliance was a long time ago. When will Asana become capable of BAA execution and HIPAA compliance? We need to collaborate in the health care industry and manage tasks. You’re killing me.

Hi @Katy_T, welcome to the Asana Community Forum!

Because our product is not specific to the medical field, we do not have clearly identifiable HIPAA compliance standards. You can find more details in this post in the main feedback thread:

I’ve also gone ahead and merged your post with the main thread to consolidate feedback.

@Emily_Roman – just FYI, speaking as the CTO of a digital health startup, your product does not need to be specific to the medical field in order to be HIPAA compliant.

The scenario in which you would need to be HIPAA compliant is when a Covered Entity (health plan, hospital system, doctor’s office, etc) or a Business Associate of that Covered Entity wants to use your platform and wants to put any Protected Health Information into it. In that case, the CE or BA must perform a risk assessment on Asana (your ISO 27001 or SOC 2 Type II might obviate that need) and must sign a Business Associate Agreement with Asana, which puts in place provisions that require Asana to treat PHI in specific ways (including accounting for disclosures, breach notifications, etc).

HIPAA compliance is certainly non-trivial – it requires technical and organizational changes – and so it would make sense for Asana to say “No, we’re not HIPAA-compliant because it’s too big an investment for us at this point.” But saying “we’re not specifically medical so we don’t support HIPAA-compliance” is probably not the right way to address these comments. There are plenty of companies that are not specifically medical that do support HIPAA compliance, e.g. Google, Amazon, Box.com, Sisense, Twilio, etc.

Thanks for your attention on these comments. Maybe someday it will be worth it for Asana to become capable of HIPAA compliance – sounds like there are some doctors that would love to use it!


We too would love to see HIPAA compliance in Asana at Tidepool.org and I appreciate your comments @Alec_Zopf .


I agree with those who have said that a BAA is necessary here. As a member of the Asanaverse, I would love to see Asana become HIPAA-compliant for the sole reason of making more of their integrations HIPAA-compliant. It would allow even more companies to use it and would grow adoption of existing, fantastic features. I can speak from experience that it’s incredibly frustrating to have to find workarounds for my own company because “non-medical” companies don’t understand that their product is used in healthcare settings.


Ok Guys…Let’s look at this: You have thousands of people using Asana for free. Medical people would PAY BIGTIME for HIPAA compliance. So easy to implement that upgrade! I see many dentists, oral surgeons, doctors…and I mean a lot…coordinating all the office tasks with Asana. Yet we want to coordinate patient flow. Medical offices pay much more for things…Asana would be a minor bill, but a major income stream for you guys. Also a major help to all of us frontline providers braving COVID! Help us out and make Asana more profit…we want to pay you for it!


I agree completely here. I love Asana, but my org does special needs advocacy and that means we sometimes need to reference PHI or store PHI documents. We will have to move to Monday because they are HIPAA compliant. This is disappointing as Asana is so much more intuitive.


Submitting my vote for HIPAA compliance! Please implement before we have to switch!
