Yes, you can make Notion HIPAA compliant, but only if you are on the Notion Enterprise plan and sign a Business Associate Agreement (BAA) directly with Notion Labs, Inc. Every other Notion tier (Free, Plus, Business) falls outside the scope of a signed BAA, which means any Protected Health Information (PHI) stored, transmitted, or processed inside those tiers creates immediate exposure under the HIPAA Privacy Rule and Security Rule.
The problem this article addresses is simple and painful. Thousands of clinicians, digital health startups, billing teams, and compliance officers already use Notion for SOPs, intake workflows, and client notes without realizing that 45 CFR 164.308 and 45 CFR 164.502(e) make it a federal violation to share PHI with a vendor that has not signed a BAA. The immediate consequence is personal liability, civil monetary penalties under the 2025 Annual Civil Monetary Penalty adjustments, and in willful cases, criminal referral under 42 USC 1320d-6.
A 2024 Ponemon Institute healthcare breach report pegged the average cost of a healthcare data breach at $9.77 million, the highest of any industry for the 13th year running, with misconfigured SaaS tools sitting among the top three root causes.
Here is what you will learn in this guide.
- 🔐 How to structure Notion Enterprise so it satisfies the Security Rule’s administrative, physical, and technical safeguards
- 📝 The exact workflow to request, execute, and archive a signed BAA with Notion Labs
- ⚕️ Real examples from therapists, telehealth startups, and billing teams who have done this correctly
- ⚠️ The seven most common mistakes that quietly turn Notion into a HIPAA time bomb
- 📚 State-law nuances (CMIA, Texas HB 300, NY SHIELD) that go beyond federal HIPAA
What HIPAA Compliance Really Means for a SaaS Tool Like Notion
HIPAA is not a certification you buy. It is a federal framework built from four interlocking rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Each rule assigns a different duty to covered entities and their business associates, and each carries its own consequence when ignored.
The Privacy Rule governs who may use or disclose PHI and for what purpose. The Security Rule governs how electronic PHI (ePHI) is protected through administrative, physical, and technical safeguards. The Breach Notification Rule kicks in the moment unsecured PHI is accessed, acquired, used, or disclosed in a way not permitted by the Privacy Rule, triggering 60-day notice duties under 45 CFR 164.404.
A SaaS vendor becomes a business associate the moment it creates, receives, maintains, or transmits PHI on behalf of a covered entity, as defined in 45 CFR 160.103. Once that happens, the vendor and the covered entity must execute a BAA under 45 CFR 164.504(e), which locks the vendor into specific use limits, safeguard duties, subcontractor flow-down terms, and breach reporting timelines.
Why the Notion Plan You Pick Matters
Notion offers four plans: Free, Plus, Business, and Enterprise. Per the Notion Trust Center and Notion’s BAA policy page, only Enterprise customers can execute a BAA with Notion Labs. The plain-English reason is that Enterprise ships with SAML SSO, SCIM provisioning, audit logs, domain management, and the granular permissions the Security Rule demands.
The consequence of storing PHI on Plus or Business is severe. You have no BAA, so Notion is not legally permitted to handle your PHI, and you are the one in violation the moment you paste a client chart into a page. A real example: in 2023, OCR fined a small mental health group for using a collaboration tool without a BAA, which is the exact posture a Notion Plus user creates.
A common misconception is that “private” pages on Notion are safe because nobody else sees them. Privacy settings do not substitute for a BAA. The Security Rule cares about contractual and technical safeguards at the vendor layer, not whether a page is shared internally.
The 2024 Security Rule NPRM and What Changed
In December 2024, HHS issued a Notice of Proposed Rulemaking that tightens the Security Rule for the first time in two decades. The proposal removes the “addressable vs. required” distinction and turns nearly every safeguard into a mandatory control.
Multi-factor authentication, encryption at rest and in transit, annual risk assessments, and written contingency plans are now explicit baseline duties. The consequence of ignoring the NPRM, once finalized, is automatic noncompliance even if your BAA is signed. A quick example: if Notion Enterprise is configured without SSO/MFA for every workforce member with PHI access, you will fail a post-NPRM audit even with a valid BAA.
A common misconception is that the NPRM is “just proposed” and therefore optional. OCR has signaled it will treat the direction of the NPRM as the standard of care during 2026 enforcement, so waiting is a risk.
Step-by-Step: How to Make Notion HIPAA Compliant
Making Notion HIPAA compliant is a ten-step process that blends contract work, technical configuration, and workforce training. Skipping any step leaves a hole the Office for Civil Rights can walk through during an audit. The steps below assume you are a covered entity or business associate under 45 CFR 160.103.
Step 1: Upgrade to Notion Enterprise
Log in as a workspace owner and move your plan to Enterprise through the Notion pricing page. Enterprise is sales-assisted, so expect a short procurement call, a signed Master Subscription Agreement, and a separate BAA addendum.
The consequence of staying on a lower tier is that Notion will decline to sign a BAA, and any PHI in your workspace becomes a direct HIPAA violation. A real example: a solo psychiatrist in Ohio wanted to save on Plus pricing and asked Notion for a BAA anyway. Notion’s legal team declined, because the lower tiers lack the audit log and SCIM features the Security Rule requires for 45 CFR 164.312(b) audit controls.
A common misconception is that Enterprise is only for 100-seat companies. Notion Enterprise is available to any size buyer who needs the security posture, including solo practitioners.
Step 2: Execute a Signed BAA With Notion Labs
Once Enterprise is live, open a ticket through your Customer Success Manager and request the current Notion BAA template. Review the scope of services, the permitted uses, the subcontractor list, and the breach notification window, which Notion sets at no later than 60 days after discovery, aligning with 45 CFR 164.410.
The consequence of operating without a signed BAA is that you carry strict liability for every byte of PHI that touches Notion. A real example: in the Anthem settlement, OCR emphasized that missing or weak business associate contracts were a central failure, and the settlement reached $16 million.
A common misconception is that email confirmation from a sales rep is “good enough.” Only a fully executed, countersigned BAA satisfies 45 CFR 164.504(e).
Step 3: Turn On SAML SSO and Enforce MFA
Configure SAML SSO through your identity provider, such as Okta or Microsoft Entra ID, and set a conditional access policy that requires MFA for every sign-in. The Security Rule’s access control standard treats unique user identification and emergency access as mandatory.
The consequence of skipping MFA is that a single phished password gives an attacker full PHI access, and the 2024 NPRM treats MFA as an explicit floor. A real example: a telehealth startup in Boston had SSO but not MFA, lost a credential through a SIM swap attack, and had to issue a breach notice to 1,200 patients.
A common misconception is that “Google sign-in” counts as SSO. It does not satisfy enterprise-grade controls unless it is enforced through a managed directory with conditional access.
Step 4: Provision Users With SCIM and Enforce Least Privilege
Enable SCIM provisioning so that user creation, role changes, and terminations flow automatically from your IdP into Notion. Map Notion groups to clinical roles and apply the minimum necessary standard from 45 CFR 164.502(b).
The consequence of manual provisioning is orphaned accounts that keep PHI access after termination. A real example: Maria Gomez, an office manager at a Phoenix clinic, forgot to remove a departing intern from Notion; the intern accessed the client database for three weeks, triggering a breach report.
A common misconception is that “deactivating” a Notion user is enough. You must also revoke IdP access, rotate shared API tokens, and audit the user’s page history.
Step 5: Segment Workspaces So PHI Lives in Controlled Spaces
Create a dedicated teamspace for PHI, mark it private, and restrict membership to credentialed clinicians or staff whose job functions require access. Use Notion teamspaces with default permissions set to private, not open or closed.
The consequence of mixing PHI with marketing or engineering teamspaces is scope creep that breaks the minimum-necessary rule. A real example: a digital health startup mixed PHI session notes with its engineering wiki, and a new hire in DevOps accidentally viewed 400 client profiles.
A common misconception is that “guests” are safer than members. Guests with page access can still export, copy, or screenshot PHI; the safer path is to avoid guest access entirely for PHI teamspaces.
Step 6: Disable Risky Integrations and Notion AI for PHI Spaces
Open the Enterprise admin console and disable public sharing, web publishing, and third-party connections inside PHI teamspaces. Critically, Notion AI is covered under the Notion BAA only when Enterprise customers opt in under specific terms; verify your BAA addendum explicitly covers AI features before letting any PHI touch them.
The consequence of an unreviewed Slack, Zapier, or Google Drive integration is that PHI leaves Notion and lands inside a vendor that has no BAA with you. A real example: a billing coordinator named David Chen piped Notion tasks to a personal Trello board, unknowingly exporting patient names and claim numbers to a vendor with no BAA.
A common misconception is that integrations “inherit” Notion’s BAA. They do not. Every downstream vendor needs its own BAA under 45 CFR 164.308(b).
Step 7: Turn On and Export Audit Logs
Enable the Enterprise audit log and export it to your SIEM, such as Splunk or Datadog, on a weekly cadence. Audit logs satisfy the audit control standard at 45 CFR 164.312(b) and give you the forensic trail the Breach Notification Rule expects.
The consequence of not exporting logs is that Notion retains them for a limited window, and if a breach is discovered months later, you may lack the evidence to scope it. A real example: a specialty clinic discovered a rogue insider nine months after the fact and could only reconstruct three months of activity, forcing a presumed breach notice to all patients.
A common misconception is that audit logs are only needed after an incident. OCR expects proactive log review under 45 CFR 164.308(a)(1)(ii)(D).
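As an added example of the proactive review that Steps 4 and 7 call for (this is not Notion's code, and it does not reproduce Notion's real export schema), the script below reads an exported audit log and flags three things: activity by accounts the IdP no longer lists as active (the orphaned-account problem from Step 4), access to a PHI teamspace by someone outside its membership, and exports out of a PHI teamspace. The JSON-lines field names, the active-user roster, the membership sets, and the sample events are all constructed assumptions; map them onto the real export format when adapting it.

```python
"""Proactive weekly review of an exported Notion Enterprise audit log.

Added example, not Notion's code and not Notion's export schema. It assumes a
constructed JSON-lines format with the keys "ts", "actor", "action" and
"teamspace"; when adapting, map Notion's real field names onto these. The
roster, membership sets and sample events below are also constructed.
"""
import json

# Constructed sample export (not real Notion output): five events over three days.
SAMPLE_AUDIT_EXPORT = """\
{"ts": "2025-03-03T09:12:00Z", "actor": "a.patel@clinic.example", "action": "page.view", "teamspace": "Clinical"}
{"ts": "2025-03-03T09:40:00Z", "actor": "intern.former@clinic.example", "action": "page.view", "teamspace": "Clinical"}
{"ts": "2025-03-04T14:02:00Z", "actor": "d.ops@clinic.example", "action": "page.view", "teamspace": "Clinical"}
{"ts": "2025-03-04T14:05:00Z", "actor": "a.patel@clinic.example", "action": "page.export", "teamspace": "Clinical"}
{"ts": "2025-03-05T08:00:00Z", "actor": "d.ops@clinic.example", "action": "page.edit", "teamspace": "Engineering"}
"""

# Assumption: the IdP (Okta, Entra ID) currently lists only these accounts as active.
ACTIVE_IDP_USERS = {
    "a.patel@clinic.example",
    "d.ops@clinic.example",
    "m.gomez@clinic.example",
}

# Assumption: authorized membership of each PHI teamspace, as provisioned via SCIM groups.
PHI_TEAMSPACE_MEMBERS = {
    "Clinical": {"a.patel@clinic.example", "m.gomez@clinic.example"},
}

# Assumption: action names that move content out of Notion.
EXPORT_ACTIONS = {"page.export", "workspace.export"}


def parse_events(export_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def review_audit_log(export_text, active_users=ACTIVE_IDP_USERS,
                     phi_members=PHI_TEAMSPACE_MEMBERS):
    """Return a list of findings, one per triggered rule per event."""
    findings = []
    for ev in parse_events(export_text):
        actor, action, space = ev["actor"], ev["action"], ev["teamspace"]
        base = {"ts": ev["ts"], "actor": actor, "action": action, "teamspace": space}
        # Rule 1: activity by an account the IdP no longer considers active
        if actor not in active_users:
            findings.append({**base, "rule": "orphaned-account"})
        if space in phi_members:
            # Rule 2: a PHI teamspace touched by someone outside its membership
            if actor not in phi_members[space]:
                findings.append({**base, "rule": "phi-access-outside-membership"})
            # Rule 3: content leaving a PHI teamspace
            if action in EXPORT_ACTIONS:
                findings.append({**base, "rule": "phi-export"})
    return findings


def summarize(findings):
    """Count findings per rule, for the weekly review record."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_AUDIT_EXPORT)
    for f in results:
        print(f"{f['ts']} {f['rule']:32} {f['actor']} {f['action']} [{f['teamspace']}]")
    print(summarize(results))
```

Keeping the review output itself (not just the raw log) in your GRC system gives you the documented, dated evidence of proactive log review that 45 CFR 164.308(a)(1)(ii)(D) expects; the raw export answers "what happened", the review record answers "did anyone look".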
Step 8: Complete a Written Risk Analysis
Run a written risk analysis that inventories every place PHI sits inside Notion, the threats to that data, the likelihood of each threat, and the mitigations. This duty comes directly from 45 CFR 164.308(a)(1)(ii)(A) and is the single most cited failure in OCR resolution agreements.
The consequence of a missing or superficial risk analysis is that OCR will treat every other safeguard as unprovable. A real example: in the Anthem resolution, the absence of an enterprise-wide risk analysis was the lead finding.
A common misconception is that a vendor’s SOC 2 report counts as your risk analysis. It does not. SOC 2 covers Notion’s controls; your risk analysis must cover your use of Notion.
Step 9: Train the Workforce Annually
Deliver annual HIPAA training that specifically covers Notion workflows, including page sharing, guest access, AI prompts, and mobile use. Training is required under 45 CFR 164.308(a)(5) and must be documented with sign-in sheets, quiz scores, or an LMS record.
The consequence of untrained staff is that they become the breach vector. A real example: a dental office receptionist named Lauren Park pasted a patient’s X-ray link into a public Notion page because she did not know how permissions worked; the link was indexed by Google within 48 hours.
A common misconception is that generic HIPAA training is enough. OCR expects role-based, tool-specific training because generic decks do not teach someone how to use Notion safely.
Step 10: Maintain Six Years of Documentation
Retain your BAA, risk analysis, training records, audit logs, policies, and incident reports for at least six years from creation or last effective date, per 45 CFR 164.316(b)(2). Store these outside of Notion, in a dedicated GRC tool, so that a Notion outage does not compromise your evidence.
The consequence of poor retention is that OCR treats missing documents as noncompliance by default. A real example: a New Jersey surgical group lost five years of training records in a laptop theft and was fined separately for the documentation failure, on top of the underlying breach.
A common misconception is that Notion itself is a safe place to store your own compliance evidence. It can be, but keep a second copy outside Notion for tamper resistance.
Three Real-World Scenarios With Consequences
The fastest way to understand HIPAA risk in Notion is to look at specific fact patterns. Each scenario below maps an action to its legal consequence. Tables use two columns on purpose, because HIPAA enforcement is rarely ambiguous once the facts are clear.
Scenario 1: Solo Therapist on Notion Free
| Workflow Choice | HIPAA Consequence |
|---|---|
| Therapist Aisha Patel stores session notes on Notion Free | No BAA exists, so every note is an unlawful disclosure to Notion under 45 CFR 164.502(e) |
| She shares a “read-only” link with a billing contractor | The link is a disclosure to a second business associate with no BAA, compounding the violation |
| A laptop is stolen with an active Notion session | A reportable breach under 45 CFR 164.404 triggers a 60-day patient notice |
| She never performed a risk analysis | OCR applies the willful neglect tier with penalties up to $2,134,831 per violation category in 2025 |
Scenario 2: Telehealth Startup on Notion Enterprise With a BAA
| Workflow Choice | HIPAA Consequence |
|---|---|
| Startup signs Notion BAA and enables SSO + MFA | Baseline Security Rule compliance is achieved for the Notion layer |
| Engineers pipe Notion tasks to Zapier without a BAA | A downstream disclosure violation occurs under 45 CFR 164.308(b) |
| A new hire enables Notion AI to summarize charts | PHI enters an AI feature that must be explicitly covered by the BAA addendum, or it is an unlawful disclosure |
| The startup exports audit logs weekly | Forensic evidence exists to scope any future incident and satisfy 45 CFR 164.312(b) |
Scenario 3: Medical Billing Company Using Notion for SOPs Only
| Workflow Choice | HIPAA Consequence |
|---|---|
| Billing company Clearline uses Notion for SOPs with no PHI | No BAA is required, because no PHI is created, received, or transmitted |
| An employee pastes a sample EOB with real member ID into an SOP | That single paste makes Notion a business associate; without a BAA, the company is in violation |
| The company adopts a strict “no PHI in Notion” policy and trains staff | Notion remains outside the PHI perimeter and the BAA question is moot |
| The company audits pages monthly for accidental PHI | Risk of accidental violations falls dramatically, and the minimum necessary standard is easier to enforce |
Named Examples: How Real Teams Get Notion HIPAA Compliant
Stories make HIPAA stick. Below are three composites built from public OCR guidance and common practice patterns, each naming a person so the workflow feels concrete.
Dr. Elena Rodriguez, LCSW, solo private practice in Austin, TX. Elena wanted a unified workspace for client intakes, progress notes, and billing. She upgraded to Notion Enterprise for a single seat, executed the BAA, enabled SSO through Google Workspace Enterprise with MFA, and created a Clients teamspace locked to her account only. She keeps her written risk analysis and six years of records in a separate Vanta account, because one vendor should not hold both the PHI and the evidence.
Marcus Whitfield, CTO of a Series A telehealth startup in Seattle. Marcus rolled out Notion Enterprise for 60 engineers, clinicians, and operations staff. He split the workspace into Clinical, Engineering, and Go-to-Market teamspaces, and forbade PHI outside Clinical. He signed the Notion BAA, disabled Notion AI inside Clinical until the BAA addendum explicitly covered AI, and set up weekly audit log exports to Datadog for alerting on unusual access.
Priya Natarajan, compliance officer at a 40-person billing company in Chicago. Priya decided Notion would hold SOPs, policies, and training materials only. She wrote a bright-line policy that any PHI paste into Notion is a reportable internal incident, trained all staff annually, and built a monthly scan using the Notion API to flag pages containing pattern matches for SSNs, MRNs, and claim numbers. She escalates every true-positive to the privacy officer within 24 hours.
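The kind of monthly scan Priya's workflow describes, as an added example that is not her script and not Notion's code: it takes page text and flags SSN-, MRN- and claim-number-shaped strings, applies a plausibility filter to SSN matches so dates and extension numbers do not become false positives, and redacts every match so the findings report itself does not become a second copy of the PHI. The MRN and claim-number formats are constructed assumptions (real formats vary by organization), and the sample pages are constructed text. Fetching page content is left to the caller: pull each page's text through Notion's API and hand it to scan_pages() as {"id", "title", "text"} dicts.

```python
"""Monthly scan of Notion page text for PHI-shaped identifiers.

Added example, not Priya's script and not Notion's code. The MRN and claim
formats are constructed assumptions, and SAMPLE_PAGES is constructed text.
Retrieving page text from Notion is out of scope here; feed scan_pages()
whatever text you pull through the API.
"""
import re

PATTERNS = {
    # US SSN shape; plausible_ssn() below removes structurally invalid numbers
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    # Assumption: this organization's MRNs are 6-10 digits prefixed with "MRN"
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.IGNORECASE),
    # Assumption: claim numbers look like CLM-YYYY-NNNNNN
    "claim": re.compile(r"\bCLM-\d{4}-\d{6}\b"),
}

# Constructed sample pages, standing in for text pulled from the Notion API.
SAMPLE_PAGES = [
    {"id": "p1", "title": "SOP: Claims follow-up",
     "text": "Example EOB pasted by mistake: Member ID 123-45-6789, Claim CLM-2024-000123."},
    {"id": "p2", "title": "SOP: New hire onboarding",
     "text": "Helpdesk ext. 555-1212. Template placeholder 000-12-3456. Reviewed 2024-03-01."},
    {"id": "p3", "title": "Training notes",
     "text": "Never paste identifiers such as MRN 00482913 into this workspace."},
]


def plausible_ssn(area, group, serial):
    """Reject area/group/serial values the SSA never issues, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact(value):
    """Mask every digit except the last four so the report holds no usable PHI."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def scan_text(text):
    """Return redacted hits for every pattern found in one block of text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "ssn" and not plausible_ssn(*m.groups()):
                continue
            hits.append({"kind": kind, "match": redact(m.group(0))})
    return hits


def scan_pages(pages):
    """Return one finding per match, tagged with the page it came from."""
    findings = []
    for page in pages:
        for hit in scan_text(page["text"]):
            findings.append({"page_id": page["id"], "title": page["title"], **hit})
    return findings


if __name__ == "__main__":
    for f in scan_pages(SAMPLE_PAGES):
        # Each true positive is escalated to the privacy officer; the report
        # carries only the redacted value and the page location.
        print(f"{f['page_id']} {f['title']!r}: {f['kind']} -> {f['match']}")
```

Tune the MRN and claim patterns to your own identifier formats before trusting the false-negative rate, and treat every hit as an internal incident to triage by page, not as a verdict: the scanner finds shapes, and a human confirms whether the value is real.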
Mistakes to Avoid
Even teams with strong intentions make the same mistakes. Each item below includes the specific error and its negative outcome, so you can spot them before OCR does.
- Using Notion Plus or Business with PHI. There is no BAA available, and every PHI page is an automatic violation of 45 CFR 164.502(e).
- Assuming private pages equal compliance. Page privacy does not replace a BAA or satisfy the Security Rule, and OCR will not accept it as a defense.
- Letting Notion AI touch PHI without BAA coverage. AI features process content through model pipelines that must be explicitly covered, or you have made an unlawful disclosure.
- Skipping a written risk analysis. This is the single most cited failure in OCR settlements, and its absence turns every other control into an unprovable claim.
- Keeping terminated users active. Orphaned accounts are a leading breach vector, and they violate the access management standard at 45 CFR 164.308(a)(4).
- Piping Notion data to integrations with no BAA. Zapier, Slack, Make, and similar tools become business associates the moment they touch PHI, and each one needs its own signed BAA.
- Storing compliance evidence only inside Notion. A Notion outage or account lockout becomes an evidence crisis; keep a second copy in a dedicated GRC system.
- Using guest access for clinicians. Guests can still export and screenshot, and they complicate the minimum-necessary analysis.
- Relying on generic HIPAA training. OCR expects role-based, tool-specific training, because staff need to know how Notion works, not just what PHI means.
- Ignoring state law. California’s CMIA, Texas HB 300, and New York SHIELD all impose duties that go beyond HIPAA.
Federal First, Then State Nuances
HIPAA is a federal floor, not a ceiling. Many states layer stricter rules on top, and the stricter rule always wins under 45 CFR 160.203. Notion configurations that satisfy HIPAA may still fail state law.
California’s Confidentiality of Medical Information Act defines medical information more broadly than HIPAA’s PHI, and it reaches some wellness and mental health apps that HIPAA does not. A Notion workspace used by a California mental health coach may be subject to CMIA even if the coach is not a HIPAA-covered entity.
Texas HB 300 expands the definition of covered entity to almost any business that handles PHI in Texas, and it mandates specific employee training with a 60-day onboarding window. A Texas-based Notion user must document training that satisfies HB 300’s cadence, not just HIPAA’s annual standard.
New York’s SHIELD Act requires reasonable administrative, technical, and physical safeguards for any private information of New York residents, and it allows the Attorney General to sue for civil penalties. A Notion Enterprise setup without MFA may satisfy HIPAA but still fail SHIELD’s reasonableness standard.
Do’s and Don’ts for Notion HIPAA Setup
The list below is built on OCR guidance and BAA best practices. Each item includes a short why so the reasoning sticks.
Do’s
- Do upgrade to Notion Enterprise before touching PHI, because only Enterprise supports a BAA.
- Do execute the BAA before any PHI enters the workspace, because retroactive BAAs do not cure prior disclosures.
- Do enable SAML SSO and MFA on day one, because password-only access fails the 2024 NPRM and most state laws.
- Do run a written risk analysis and update it annually, because OCR treats this as the foundation of compliance.
- Do keep compliance evidence outside Notion, because tamper resistance and availability matter during audits.
Don’ts
- Don’t store PHI on Free, Plus, or Business, because no BAA exists and every byte is a violation.
- Don’t let integrations touch PHI without their own BAA, because downstream vendors are independent business associates.
- Don’t enable Notion AI on PHI unless the BAA addendum explicitly covers AI, because AI features route content through model pipelines.
- Don’t rely on private page settings as a compliance control, because privacy toggles are not safeguards under the Security Rule.
- Don’t skip role-based training, because generic decks do not teach staff how to use Notion safely.
Pros and Cons of Using Notion for Healthcare Workflows
Notion is attractive because it replaces several tools with one, but its flexibility is also its risk. The list below weighs the trade-offs with a short why for each.
Pros
- Unified workspace for SOPs, tasks, and notes, which reduces tool sprawl and lowers the number of vendors that need BAAs.
- Enterprise-grade controls like SSO, SCIM, and audit logs, which map cleanly to Security Rule safeguards.
- Fast iteration on clinical workflows, which helps small practices adapt without expensive custom software.
- A public BAA posture at the Enterprise tier, which gives buyers a clear path rather than negotiating from scratch.
- Strong collaboration features, which reduce email use and lower the odds of PHI leaking through unencrypted mail.
Cons
- No BAA on lower tiers, which makes Notion a trap for small teams that start on Plus.
- Feature sprawl like Notion AI and integrations, which creates constant surface area for accidental disclosures.
- Not purpose-built for clinical workflows, which means it lacks EHR-style access controls such as break-the-glass auditing.
- Limited native DLP, which makes pattern-based PHI detection an external project using the Notion API.
- Compliance burden is on the customer, which means a misconfigured Enterprise workspace is still your liability.
Notion Versus Purpose-Built HIPAA Tools
The table below summarizes how Notion Enterprise measures up on the factors that separate it from purpose-built HIPAA tools. Use it to decide where Notion fits in your stack.
| Feature or Factor | Notion Enterprise |
|---|---|
| BAA availability | Enterprise only, signed by Notion Labs per the Notion HIPAA help page |
| Encryption at rest and in transit | AES-256 at rest, TLS 1.2+ in transit per the Trust Center |
| Audit logs | Available at Enterprise tier with export |
| Role-based access control | Teamspaces and groups, mapped via SCIM |
| AI coverage | Requires explicit BAA addendum for PHI |
| Purpose-built EHR controls | No, Notion is a general productivity tool |
| Typical use case | SOPs, non-PHI workflows, optional PHI at Enterprise with controls |
Breach Notification: What Happens When Notion Is the Root Cause
If PHI is exposed through Notion, the clock starts the moment the breach is discovered, not when it occurred. Under 45 CFR 164.404, individual notice must go out without unreasonable delay and in no case later than 60 days.
For breaches affecting 500 or more individuals, you must also notify HHS contemporaneously and notify prominent media outlets in the affected state, per 45 CFR 164.406. The HHS Breach Portal publishes these incidents on the so-called Wall of Shame, which creates reputational damage beyond the fine.
Business associates such as Notion must notify the covered entity of a breach under 45 CFR 164.410, typically within the BAA’s negotiated window. The consequence of missing these deadlines is that OCR will treat the delay as a separate violation, compounding penalties.
Recap of Key Enforcement Rulings
OCR resolution agreements are the clearest signal of how regulators view vendor risk. The Anthem $16 million settlement hinged on missing risk analysis and weak access controls. The Advocate Health Care $5.55 million settlement showed that physical safeguards and BAA failures travel together.
More recently, OCR’s Right of Access Initiative has produced dozens of settlements, which matters for Notion because right-of-access requests often pull PHI out of productivity tools into patient-facing channels. If your Notion workspace holds the only copy of a record, you must be able to produce it within 30 days under 45 CFR 164.524.
The consequence of treating these settlements as one-off is that you miss the pattern. OCR rewards documented, proactive compliance and punishes reactive posture, regardless of the tool involved.
FAQs
Is Notion HIPAA compliant out of the box?
No. Notion becomes HIPAA compliant only when you are on Enterprise, sign a BAA with Notion Labs, and configure SSO, MFA, SCIM, audit logs, and workforce training to match Security Rule safeguards.
Will Notion sign a BAA on the Plus or Business plan?
No. Notion signs BAAs only with Enterprise customers, because lower tiers lack the audit logs, SCIM provisioning, and admin controls the Security Rule requires.
Can I store client therapy notes in Notion Enterprise?
Yes. You can store notes if your BAA is signed, SSO and MFA are enforced, the teamspace is private, integrations are restricted, and you have a written risk analysis documenting the workflow.
Is Notion AI safe to use with PHI?
No. Notion AI is safe with PHI only if your BAA addendum explicitly covers AI features, because AI processing routes content through model pipelines that must be contractually governed.
Do I need a separate BAA for every integration I connect to Notion?
Yes. Every downstream vendor that receives PHI through an integration becomes a business associate and requires its own signed BAA under 45 CFR 164.308(b).
Does Notion’s SOC 2 report substitute for my risk analysis?
No. SOC 2 covers Notion’s controls, not your use of Notion, so you still owe a written risk analysis under 45 CFR 164.308(a)(1)(ii)(A).
How long must I keep Notion-related HIPAA records?
At least six years. Retention for policies, training, risk analyses, and audit logs is set by 45 CFR 164.316(b)(2).
Is a private Notion page the same as encryption?
No. Private pages control visibility, not cryptography; encryption at rest and in transit is handled by Notion’s platform and verified in the Trust Center.
Can state laws make my Notion setup noncompliant even if HIPAA is satisfied?
Yes. California’s CMIA, Texas HB 300, and New York’s SHIELD Act can impose stricter duties, and the stricter rule controls under 45 CFR 160.203.
If a breach happens in Notion, who notifies the patients?
The covered entity does. Notion, as a business associate, notifies you, and you then notify affected patients within 60 days under 45 CFR 164.404.
Does MFA alone satisfy the Security Rule?
No. MFA is one required control; you also need risk analysis, access management, audit controls, encryption, training, contingency planning, and BAAs with every vendor.
Is Notion a good fit for a HIPAA-covered medical practice?
Yes, for SOPs and operations, and cautiously for PHI at Enterprise with strict controls; purpose-built EHRs remain better for core clinical records.