Skip to main content
HIPAA compliance information

For Enterprise customers only: Learn about Coda's HIPAA compliance, including requirements, product use considerations, restrictions, & more

Updated over 3 months ago

Coda’s security and privacy strategy is built upon well-established principles that guide us in our approach to securing Coda and keeping your data safe. For customers subject to the requirements of the Health Information Portability and Accountability Act (”HIPAA”) who intend to upload, transmit, and communicate about Protected Health Information (”PHI”), Coda is able to assist our customers in their HIPAA compliance efforts through our Enterprise plan.

This article provides guidance on important configuration factors, product restrictions, and customer obligations necessary to maintain HIPAA compliance. Prospective customers should read this article in its entirety to ensure their intended use of the Coda platform is aligned with HIPAA requirements.

Within this article, you'll find...


Requirements for enabling HIPAA compliance

  1. Enterprise level Coda plan: HIPAA compliance is only offered to customer’s on Coda’s Enterprise plan.

  2. Signed Business Associates Agreement (BAA): Coda’s BAA governs the handling and protection of Protected Health Information.

  3. Configurations and product use considerations: See the table below.

📣 If you're interested in upgrading to an Enterprise plan, or would like to discuss any of the above requirements with our team, please contact us here.

Configuration and product use considerations

The following table provides Coda features and configurations to support your HIPAA compliance obligations.

HIPAA Standards

How Coda Supports Compliance

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.

Enable SAML SSO: Coda supports open standard SAML 2.0 and can work with your Identity Provider (IdP) of choice. For organizations managing multiple workspaces, Coda’s SAML implementation supports provisioning access to specified workspaces based on IdP user attributes.

Packs control: All integrations and Packs can be configured to be disallowed or require admin approval prior to installation. Coda’s Packs platform also provides advanced configurations for admins to control data schemas/type allowed in Packs.

Personal access tokens: Personal access tokens can be disabled at the organization level by Coda Support.

Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity.

SAML/SCIM: In addition to SAML login, Coda has a SCIM API allowing admins to provision, manage, and deprovision members directly from their IdPs.

Automatic Logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Session period: Coda’s default session period is 30 days. Customers who require a different session period may reach out to Coda support to set a custom session timer.

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Audit log: Coda has an in-product Audit log dashboard that lists the audit events for your organization.

Admin API: Coda offers an Admin API that can be used to integrate with your preferred SIEM (Security Information and Event Management) system. Coda retains these audit events for a year. Customers may use the Admin API to store logs in their preferred SIEMs for longer durations.

Integrity Controls

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Audit Log: Audit logs provide an immutable record of events within a organization.

Admin API: The Admin API allows users to integrate with external services for customers who require custom retention and/or backup of their logs.

Sharing restrictions: Admins may set sharing restrictions and can prevent external sharing entirely. This includes the ability to enable/disable publishing of docs.

Folder permissions: All folders are set to private by default upon creation.

Legal holds: Available as a paid add-on. This feature allows admins to place legal holds on users and preserve their docs for a specific amount of time.

Workspaces: Admins may restrict the creation of new workspaces from their users.

Data Export: Admins may configure the ability for users to export their documents. Admins may export their organization’s data and any time.

Transmission Security

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Implement a mechanism to encrypt and decrypt electronic protected health information.

Encryption: Coda uses the AWS Key Management Service (KMS) to create, maintain, and rotate encryption keys. Data transmitted between customers and Coda’s service is protected using TLSv1.2 or higher. Data at rest is encrypted using AES-256 symmetric encryption algorithm

Data Retention and Disposal

Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Data retention and disposal: Deleted documents are kept in our primary storage systems for 7 days to allow for accidental deletions to be reverted. After this 7-day period, they are permanently removed from our primary storage systems.

Deleted data will still be retained in backups for 35 days. Once this 35-day retention period is over, the customer data will no longer be present in the backups.

Limitations and restrictions

The below are limitations and restrictions on your use of Coda that may impact your HIPAA compliance efforts. Coda’s obligations under your BAA only apply to services that comply with these limitations and restrictions.

  • Users - Coda is not an EHR (Electronic Health Record) and is not designed to be the system of record for health information. Customers may not use Coda to communicate with patients, patient family members, plan members, or their employers.

  • Packs - Coda’s Pack Gallery provides access to third-party integrations for tools that work with Coda’s services. These services (including two-way sync) are not covered by Coda’s BAA. It is up to you, the customer, to determine 1) whether a BAA with such third-party tool is required 2) execute such agreement directly with the third party.

  • PHI Prohibited Fields - Users may not include PHI in any of the following:

    • Organization names

    • URL domains

    • Workspace names

    • Folder names

    • Doc titles

    • Page titles

    • Table titles

    • Images, including the file name


  • Support Services - When submitting support requests to Coda, users must not include any PHI in the message contents or in any file uploads including screenshots, documents, etc. This is inclusive of all methods of support (in-product widget, email, phone, chat, etc.).

  • Coda Brain - Coda Brain is not covered by Coda’s BAA.


Privacy, certifications, and compliance

Coda adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations. To learn more about Coda’s Security and Compliance measures, please see https://coda.io/trust/security.


Related resources

Did this answer your question?