Coda can support HIPAA-compliant use only on its Enterprise plan with a signed HIPAA Business Associate Agreement in place and with product restrictions that limit how electronic protected health information is stored, shared, and processed inside the platform.
HIPAA Covered Entities and Business Associates need a HIPAA Business Associate Agreement before a vendor creates, receives, maintains, or transmits electronic protected health information on their behalf. Coda states that it supports HIPAA-aligned use through its Enterprise plan: “Coda is able to assist our customers in their HIPAA compliance efforts through our Enterprise plan.” Coda’s Enterprise requirements also include a signed Business Associate Agreement that governs the handling and protection of protected health information, which indicates Coda is willing to sign a HIPAA Business Associate Agreement for eligible Enterprise customers.
HIPAA alignment for Coda is conditional on how the platform is used. A document workspace can contain identifiers, care coordination details, operational notes, and attachments that become protected health information when linked to treatment, payment, or healthcare operations. Administrative safeguards and technical safeguards still apply, including access control, audit controls, transmission security, and retention practices under the HIPAA Security Rule.
Coda’s published restrictions limit use cases that involve direct patient communications and limit which features can be used with protected health information. Coda is not designed to be an electronic health record system of record, and the platform is not positioned for communicating with patients, patient family members, plan members, or employers. Third-party integrations provided through Coda Packs are outside the scope of Coda’s Business Associate Agreement, including two-way synchronization, which can route data into services that have no HIPAA contract coverage. Coda also restricts placement of protected health information in specific fields such as workspace and document naming elements and certain file naming contexts. Coda support interactions must exclude protected health information, including screenshots and uploads. Coda Brain is not covered by Coda’s Business Associate Agreement, which means protected health information should not be entered into that feature.
Coda can be appropriate for internal operational workflows involving protected health information when the organization is on Enterprise, has an executed HIPAA Business Associate Agreement, disables or tightly governs integrations, and enforces the published content and feature restrictions across all users and workspaces.
