Business Associate Addendum (HIPAA)


Last Updated: August 29, 2025

This Business Associate Addendum is made and entered into by and between the party identified as customer in the Agreement (“Customer” or “Covered Entity”) and Asana, Inc. (“Asana” or “Business Associate”), in accordance with the meaning given to those terms at 45 CFR §164.501, unless the parties have executed a separate business associate agreement, in which case that agreement shall govern (in either case, the “Addendum”), and this Addendum shall be incorporated by reference into the Agreement as of the Effective Date. In this Addendum, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.

BACKGROUND

I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);

II. The Parties have entered into or will enter into an agreement which governs Covered Entity’s use of the SaaS Services (“Agreement”) which Agreement may contain a prohibition on the submission of Protected Health Information in Customer Data;

III. Notwithstanding any prohibition on submission of Protected Health Information in Customer Data, subject to Covered Entity’s enablement of the HIPAA Feature in accordance with the Use Requirements, Business Associate may have access to Protected Health Information;

IV. By providing the SaaS Services pursuant to the Agreement and this Addendum, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;

V. Both Parties are committed to complying with federal laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E, as applicable, (collectively, the “Privacy Rule”); and

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Addendum, the Agreement, and HIPAA and other applicable laws as set forth herein.

TERMS

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this Addendum, the Parties agree as follows:

1. Definitions.

For purposes of this Addendum, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this Addendum, but not otherwise defined, has the meaning given to that term in HIPAA or the Agreement. Notwithstanding capitalization, the following term shall have the meaning set forth under HIPAA: “required by law”.

1.1 “Affiliate” shall have the meaning set forth in the Agreement.

1.2 “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.

1.3 “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

1.4 “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this Addendum shall be consistent with the meaning given to that term in the Privacy Rule.

1.5 “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.

1.6 “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).

1.7 “Effective Date” means the date Customer has enabled HIPAA Feature in the SaaS Services in accordance with the Use Requirements.

1.8 “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.

1.9 “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.

1.10 “HHS” means the U.S. Department of Health and Human Services.

1.11 “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

1.12 “HIPAA Feature” means the feature or functionality made available under the applicable Subscription Tier of the SaaS Services.

1.13 “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

1.14 “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.

1.15 “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information received, maintained, transmitted, used, or otherwise disclosed by Business Associate from or on behalf of Covered Entity in Customer Data and subject to the Use Requirements.

1.16 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

1.17 “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.

1.18 “SaaS Services” means Asana’s software as a service offerings, including any add-on features and products to the software as a service offerings, to be provided pursuant to and as specified in the applicable Order Form, in each case only if such SaaS Services are HIPAA compliant.

1.19 “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).

1.20 “Use Requirements” means the HIPAA Use Requirements and Limitations terms maintained and available at https://asana.com/terms/hipaa-requirements-and-limitations.

2. Use and Disclosure of PHI

2.1 Except as otherwise provided in this Addendum, Business Associate may use or disclose PHI as reasonably necessary to provide the SaaS Services as described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this Addendum or as required by law.

2.2 Except as otherwise limited by this Addendum or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this Addendum and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate promptly of any confirmed breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.

2.3 Business Associate will not use or disclose PHI in a manner other than as provided in this Addendum, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI consistent with Business Associate’s policies and procedures. Business Associate may rely on Customer’s instructions in complying with this Section 2.3.

2.4 Upon written request and to the extent Covered Entity is not able to obtain its PHI through features or functionalities of the SaaS Services, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.

2.5 Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

3. Safeguards Against Misuse of PHI

Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this Addendum and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this Addendum and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this Addendum.

4. Reporting Disclosures of PHI and Security Incidents

Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this Addendum of which it becomes aware without undue delay, and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware without undue delay, each in accordance with the Security Incident notification and response process set forth in the DPA. If a specified notice timeline for Security Incidents has been set forth in the DPA, such notice timeline shall control. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction.

5. Reporting Breaches of Unsecured PHI

Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. 

6. Mitigation of Disclosures of PHI

Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this Addendum.

7. Agreements with Agents or Subcontractors

Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this Addendum and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in Section 1.15 of this Addendum. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this Addendum. Notice is hereby provided to Covered Entity or upstream Business Associate (as applicable) through the Subprocessor disclosure and notification information and processes set forth under the DPA.

8. Audit Report

Upon written request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent SOC Report or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report.

9. Access to PHI by Individuals

9.1 Upon written request, Business Associate agrees to furnish Covered Entity with copies of the PHI, to the extent such PHI is maintained by Business Associate in a Designated Record Set to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524 or enable Covered Entity to retrieve such copies through the SaaS Services.

9.2 In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate will, within fifteen business days, forward, provide written notice of, or redirect that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.

10. Amendment of PHI

10.1 Upon written request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526 or enable Covered Entity to make such amendment through the SaaS Services. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.

10.2 In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate will, within ten business days, forward, provide written notice of, or redirect that request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.

11. Accounting of Disclosures

11.1 Business Associate will enable Covered Entity to document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. Covered Entity acknowledges that Business Associate does not have the ability to identify the individuals to whom PHI relates or the purposes for which Customer or its End Users submit such PHI into the SaaS Services and, as a result, Covered Entity will be solely responsible for the following with respect to any covered disclosures under this section: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.

11.2 Business Associate will furnish to Covered Entity information collected in accordance with this Section 11, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528.

11.3 In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward or redirect such request to Covered Entity.

12. Availability of Books and Records

Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this Addendum except as set forth in this Addendum.

13. Responsibilities of Covered Entity

With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:

13.1 Submit or disclose PHI to the SaaS Services only in accordance with the Use Requirements.

13.2 Notify Business Associate of any breach by Covered Entity of any obligations under HIPAA as related to PHI submitted in Customer Data.

13.3 Submit or disclose only the minimum necessary amount of PHI to enable Business Associate to perform the SaaS Services and its rights and obligations under the Agreement, and only in compliance with HIPAA.

13.4 Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

13.5 Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI and take affirmative steps to remove such PHI from the SaaS Services.

13.6 Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

13.7 Except for management and administrative activities of Business Associate, Covered Entity shall not request Business Associate, nor shall Business Associate be obligated, to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

14. Data Ownership

Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.

15. Term and Termination

15.1 This Addendum will become effective on the Effective Date, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this Addendum.

15.2 Covered Entity may terminate this Addendum in accordance with the terms of the Agreement.

15.3 Upon termination of the Agreement or this Addendum for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate in accordance with the terms of the Agreement, provided that Asana will securely destroy all Customer Data (including PHI) in Customer’s domain within ninety (90) days from the date of termination or expiration of the Agreement. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. To the extent that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this Addendum to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 15.3 will survive any termination of this Addendum.

16. Effect of Addendum.

16.1 This Addendum is a part of and subject to the terms of the Agreement, except that to the extent any terms of this Addendum conflict with any term of the Agreement, the terms of this Addendum will govern.

16.2 Except as expressly stated in this Addendum or as provided by law, this Addendum will not create any rights in favor of any third party.

17. Regulatory References

A reference in this Addendum to a section in HIPAA means the section as in effect or as amended at the time.

18. Notices

All notices, requests and demands or other communications to be given under this Addendum to a Party will be made as set forth in the Agreement unless otherwise specified in this Addendum.

19. Waiver

Business Associate may modify the terms of this Business Associate Addendum by providing Customer written notice to the email provided at initial acceptance. No modification or amendment of any portion of this Addendum will be effective unless in writing and accepted by Customer electronically through the acceptance portal. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
