Smartsheet and HIPAA

This Help Article generally describes how PHI Eligible Services are maintained and secured in a manner that allows you to meet your compliance obligations under The Health Insurance Portability and Accountability Act (HIPAA), as amended, including the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Who can use this?

Plans:

  • Smartsheet

Permissions:

Only Enterprise users have the ability to implement the Smartsheet features and functionalities necessary for you to meet your obligations under HIPAA.

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

Smartsheet offers subscription-based online services (Subscription Services), with specific plan types designated as PHI Eligible Services (listed below). Smartsheet customers (you, your, etc.) can use PHI Eligible Services on eligible plans to store or process Protected Health Information (PHI).

Customers are only permitted to upload PHI into the Subscription Services if (1) they are using PHI Eligible Services and (2) they have executed a Business Associate Agreement (BAA) with Smartsheet.

This article doesn’t, and isn’t intended to, constitute legal advice. All the information provided in this article is for you to review as part of your own HIPAA compliance efforts. If you have any questions or would like to execute a Business Associate Agreement (BAA) with Smartsheet, contact your Smartsheet account manager or fill out the Smartsheet for Healthcare form.

PHI eligible services

  • Smartsheet Enterprise Plan (subject to the limitations below)

PHI ineligible services

  • Smartsheet Trials, Pro Plan, Business Plan
  • Smartsheet File Library
  • EAP Members on any plans
  • Brandfolder
  • Smartsheet University, Community, and other Smartsheet Sites

For more information about plan types and included capabilities, visit our Smartsheet Plans page.

Service description

Smartsheet offers its customers subscription-based online services with additional security measures, features, and functionalities designed to allow customers to comply with their obligations under HIPAA (the PHI Eligible Services). These security measures are evaluated annually by third-party auditors according to AICPA SOC2 standards (or such alternative, substantially equivalent standards) to demonstrate how Smartsheet achieves key compliance controls and objectives.

For more information on Smartsheet’s SOC2 Report or to request a copy of this report, visit our Compliance Trust Center.

Smartsheet implements hardening and configuration requirements consistent in approach with SANS Institute, National Institute of Standards and Technology (NIST), and/or Center for Internet Security (CIS) recommendations, or successor standards widely used in the industry.

Any data, attachments, text, images, reports, personal information, or other content that you or your users upload or submit to the online services is maintained in an encrypted form (in transit and at rest).

Configurable settings, including access controls, are also available within PHI Eligible Services to allow you to ensure that PHI is only used or accessed per your instructions and as permitted in your BAA with Smartsheet. Such data is protected from unauthorized access by customer-configurable security controls that offer protection equivalent to logical segregation.

Visit our Trust Center and review our Security Practices for more information on how your data is secured and protected.

Security as a shared responsibility

Since you know what is needed to protect your data, Smartsheet employs a Software-as-a-Service (SaaS) shared-responsibility model to best allow you to meet your compliance and regulatory needs. What does this mean? Essentially, you and Smartsheet are both responsible for taking action to protect your data.

Smartsheet is responsible for providing measures to secure, support, and maintain the Subscription Services. These measures include providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities, as outlined in Figure 1 below.

You are responsible for ensuring that you and your users use the Subscription Services in compliance with your obligations under applicable laws (including HIPAA), your BAA with Smartsheet, and as outlined in this article. This includes understanding and implementing the Smartsheet-supported customizable security controls that you deem necessary to meet your legal and compliance obligations. Smartsheet doesn’t take data-specific actions on your behalf, as it’s data-agnostic regarding the treatment and type of data you submit to the services.

Figure 1: Measures for maintaining security as a shared responsibility

For information on how to customize and configure Subscription Services, see our Configure a safe sharing policy article and other related Help Articles for further details and instructions.

If you choose to integrate with or store attachments through a third party, you are solely responsible for ensuring that all proper controls and agreements are in place.

Additional Resources

The resources linked below, although not HIPAA-specific, may help you understand how the Subscription Service is designed with privacy, confidentiality, and availability of data in mind.

This Help Article is for informational purposes only. Each customer should independently evaluate its own use of the Subscription Services as appropriate to support its legal compliance obligations. Smartsheet makes no warranties, express, implied, or statutory, as to the information in this document.

If you are utilizing PHI Eligible Services and determine that you need to put a BAA in place with Smartsheet, contact your Smartsheet account manager or submit the Smartsheet for Healthcare form to contact our Sales team.