In order to capitalize on an opportunity to work with enterprise healthcare clients, Asana committed to enabling HIPAA compliance.

How might we design something that warns users when doing something potentially highly destructive to their organization?

Asana is a web and mobile "work management" platform designed to help teams organize, track, and manage their work.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

Why is HIPAA compliance important to Asana’s roadmap?

This was a massive rollout that would directly impact the most sensitive part of the product — the admin console, the security-settings area that only the highest-level users in an organization using Asana can access and edit.

When certain security settings are changed (e.g. 2FA, third-party integrations), the organization automatically becomes non-HIPAA-compliant. This is a significant security risk, and for our large enterprise customers in health-adjacent industries it is a serious problem.

As part of the HIPAA compliance rollout, Asana’s top-level IT users (Super Admins) were not able to know whether their organization was HIPAA compliant when changing certain security settings.

I needed to figure out a way to show them what the agreement looks like that makes them HIPAA compliant, and if and when they do change settings, how to notify them they will no longer be compliant by doing so.

Problem

How might we learn about “Super Admin” users and what types of warnings would be beneficial to them?

I did, however, speak with people in our own IT department to get a sense of what our ‘super admin’ users who would use the admin console are like.

Things I wanted to know:

  • How often are admins in their security consoles?

  • How much alerting is too much with security messages?

  • What would be the most effective way to alert super admin users of potential non-compliance?

What I learned:

  • Super admins are in the admin console a lot, due to the constantly changing nature of enterprise companies

  • They don’t mind getting alerts often, as long as it is to avoid something potentially destructive to the organization

  • They would want alerts shown in the most critical areas only

Research

HIPAA compliance is a complex thing — how might I make it simple for our users?

With HIPAA being a complex web of legalities that can make a user non-compliant on many settings, I needed to ideate on some ways to warn the user without causing pattern blindness, or warning them at non-critical times.

Use cases

Ideation

  • Helper text that shows an alert that changing certain settings will make them non-HIPAA-compliant

  • A “tour” that shows all the settings that will be changed upon accepting the HIPAA agreement

Is there an easier way to solve this problem with tools that we have in-product?

After doing a design critique with my design team, we collectively came to the conclusion that we needed to find a balance between warning users more specifically about destructive actions and not causing pattern blindness by showing an alert too often (such as one that sticks permanently at the top of the page).

I met with thought partners like the design systems team to determine whether we had patterns that have been used in the past for warning type messages. I also went into the Asana product to investigate different patterns that are used for more of a warning type of interaction.

Final designs

Ultimately, I realized I could use a design system banner component. This meant that I could save time, effort and money on development by leveraging one single component across different surfaces.

I did decide to only show the warning in the most crucial moments (i.e. right as a setting is about to be changed).

Results

The HIPAA add-on was officially launched in late September 2022 🎉

This was a huge win for the company as it was a high priority in the roadmap, and the successful launch was able to help out some of our biggest healthcare clients.
