HIPAA Use Requirements and Limitations


Last Updated: August 29, 2025

These HIPAA Use Requirements and Limitations apply to your use of the HIPAA compliance feature in the Asana SaaS Services in connection with Protected Health Information (“PHI”), in addition to the terms of your agreement with Asana for the SaaS Services (“Agreement”) and your Business Associate Addendum with Asana (“BAA”).

1. Feature Enablement Requirements

Before submitting any PHI into the Asana SaaS Services, you must:

  • upgrade any existing Workspace(s) or Division(s) (as applicable) into a single Organization, as the Asana HIPAA compliance feature is only available on a Domain-wide basis;

  • enable the Asana HIPAA compliance feature through your admin console as further detailed in the Documentation or Asana's HIPAA Compliance article; and

  • enable or keep enabled two-factor authentication, SSO, or Google Authentication for all of your end users.

Please note, once the Asana HIPAA compliance feature has been enabled, some features or functionalities of the Asana SaaS Services may not be available (as they are not HIPAA compliant) or may be disabled by default. You may enable these features or functionalities, but you do so at your own risk. These features include, but are not limited to, some Asana AI tools, integrations with certain third-party services, and personal access tokens. These limitations may be updated from time to time, and more information is available in Asana's Documentation, including Asana's HIPAA Compliance Data Sheet.

2. Restrictions on use of the SaaS Services

To ensure PHI remains in HIPAA-compliant areas of the Asana services, you and your end users:

  • may only submit PHI into the Asana SaaS Services. For the avoidance of doubt, PHI may not be submitted through other Asana services, including but not limited to Asana’s Support Services or in connection with the Professional Services (e.g. via email, support portal or tickets, chat bots, etc.); and

  • shall not submit PHI into any free version of the Asana SaaS Services.

In addition, you and your end users: 

  • shall not use the Asana SaaS Services as a system of record for PHI; and

  • shall not use the Asana SaaS Services to communicate directly with or provision accounts to patients, plan members, their families, or employers.

3. Obligations

You:

  • are solely responsible for managing your and your end users' access to PHI in the Asana SaaS Services;

  • must ensure that each of your end users uses an account on a dedicated email domain (unless Asana agrees otherwise in writing). Personal email domains are not permitted;

  • must ensure that visibility of PHI is limited to end users on a need-to-know basis by using the available Asana SaaS Services features and functionalities to do so (e.g. private tasks, private projects, etc.);

  • are solely responsible for using the Asana APIs and audit log to monitor for unusual activity in your workspace; and

  • must enter into separate business associate agreements with any third-party providers you use in connection with the Asana SaaS Services, including third-party integration providers (including those in Asana's App Directory). Asana does not enter into business associate agreements with these third-party providers.

4. Updates

Asana may update these HIPAA Use Requirements and Limitations from time to time and shall notify you of any such update.
