Is Asana HIPAA Compliant?

According to Asana’s latest product roadmap release, the enterprise plan now supports the Health Insurance Portability and Accountability Act (HIPAA). Asana may now be set up in a way that makes it HIPAA-compliant, making it suitable for use in healthcare and related industries.

What is HIPAA?

Medical records in the United States are protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was updated in 2009 by the HITECH Act. It sets out requirements for the confidentiality and security of patients’ medical records.

HIPAA Compliance

Who Needs to Be HIPAA Compliant?

Those who must comply are the “Covered Entities”: hospitals, doctors’ offices, other healthcare providers, health plans and health care clearinghouses.

Business associates, who are people or organizations that perform functions on behalf of a covered entity, are another group that has access to protected health information (PHI) and must also comply with HIPAA.

In general, HIPAA requires covered entities and their business associates to:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

Asana’s Commitment to Covered Entities & Business Associates

Asana helps organizations that must follow the Health Insurance Portability and Accountability Act of 1996 manage their work in a way that is HIPAA-compliant.

Asana considers security and compliance to be a shared responsibility with the customer. Asana is responsible for empowering customers with the HIPAA compliance services they require. The customer is responsible for ensuring that the architecture of their Asana domain supports HIPAA compliance.

Customers are responsible for maintaining compliance with the applicable HIPAA and HITECH regulations by implementing the necessary administrative, technological, and physical protections to protect PHI hosted and processed by Asana. Asana has implemented security and compliance safeguards for all customer data, including that of HIPAA-governed customers. Asana and the customer mutually agree to assume these duties and responsibilities under the Business Associate Addendum between Asana and the customer.

Enabling HIPAA Compliance in Asana

Customers must execute Asana’s Business Associate Agreement (BAA) if they intend to store protected health information (PHI) in their Asana domain and are subject to HIPAA. Customers continue to bear primary responsibility for ensuring HIPAA compliance. Asana will largely fulfill its obligations as a business associate by providing its clients with the tools required to maintain HIPAA compliance.

Executing Asana’s Business Associate Agreement

To implement Asana’s Business Associate Agreement and enable Asana’s compliance with HIPAA:

  1. Customers first need to upgrade to the company-wide Enterprise subscription.
  2. After purchasing and configuring HIPAA compliance, an Asana Super Admin will be prompted to review and sign the Business Associate Agreement and HIPAA Use Requirements within the Admin Console.
  3. The Use Requirements for HIPAA Compliance won’t go into effect for the whole company until 24 hours after the BAA is signed.
     a. Upon signature, it is the responsibility of the Super Admin to review all existing applications. Customers are solely responsible for assessing the security of any third-party integrations, including entering into separate Business Associate Agreements or any other data protection agreements as necessary with these service providers. As of now, Asana does not have Business Associate Agreements with all third-party apps that can integrate with Asana.

Over time, Asana will modify a few product features so that, once HIPAA compliance is confirmed for a domain, customers get a product experience that prioritizes privacy and security by default.

Once HIPAA compliance has been activated in Asana, reverting to a version of Asana without HIPAA compliance will necessitate the deletion of the domain. To protect the confidentiality of data, Asana must delete the domain if HIPAA functionality is withdrawn from it. With the help of the Asana Admin Console, administrators can export their organization’s data as a JSON file beforehand.

How to Enable HIPAA on Asana?

Asana offers a HIPAA compliance add-on, and once you’ve purchased it, you can follow these steps to sign Asana’s Business Associate Addendum (BAA) and make your domain HIPAA compliant. To enable HIPAA compliance, a Super Admin must first accept the BAA in the Admin Console.

Enabling HIPAA Compliance in Asana: Step 1

From the Admin Console, navigate to the Security tab.

Enabling HIPAA Compliance in Asana: Step 2

Navigate to “HIPAA compliance” and review the BAA + Use Requirements and Limitations.

Enabling HIPAA Compliance in Asana: Step 3

Upon agreeing to the terms, please allow 24 hours for HIPAA compliance to activate across your domain.
