Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if they are able to use Asana in a HIPAA compliant manner. In fact, we've noticed more vendors, customers, and prospects asking about HIPAA compliant services. This is especially true now as we see an accelerated, long overdue adoption of digital transformation in healthcare.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector. Today we will determine if Asana offers HIPAA compliant service or not.
Asana is a cloud service designed to improve team collaboration and work management. Teams can create projects, assign work to teammates, specify deadlines, and communicate about tasks directly in Asana. Asana was founded in 2008 by Justin Rosenstein and Facebook co-founder Dustin Moskovitz. The company is based in San Francisco.
See Related: Is Trello a HIPAA Compliant Cloud Service?
What is a Business Associate?
A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule
Read full article: What does it mean to be a Business Associate?
Business Associate Agreement provisions
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement (BAA) must be in place. A BAA is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance. At a minimum, a Business Associate Agreement contains 10 provisions.
Read full article: Business Associate Agreement Provisions
Asana and the Business Associate AgreementWe checked the Asana site for mention of their ability to sign a Business Associate Agreement (BAA). We found the following pages:
From these pages, we can see that:
- In Section 5.2 of its Terms of Service, Asana does not allow sensitive information such as what it calls "health information" (i.e., protected health information) to be stored on its system without prior written consent
- In its community forum, as Asana employee states, "Asana is not specific to the medical field and as such we do not have clearly identifiable HIPAA compliance standards..."
- Another Asana employee in its community forum also states: "Your data is not encrypted on the servers (for performance reasons), but we do encrypt over the wire via SSL"
See Also: HIPAA Breaches and Cloud Providers
Does Asana offer HIPAA Compliant Service?The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate. We were able to learn the following about Asana about their ability to be considered a HIPAA compliant solution:
- Asana does not allow protected health information to be stored on its platform
- Asana does not have "clearly identifiable HIPAA compliance standards"
- Asana does not encrypt its data at-rest. As we've seen with the multitude of HIPAA fines from unencrypted hard drives, this is a major component of HIPAA compliance.
- Asana does not sign BAAs
Conclusion: Asana is not a HIPAA compliant cloud service.