Smartsheet and HIPAA
This help article is intended to help security officers, compliance officers, IT administrators, and other employees of Smartsheet customers (“you”, “your”, etc.) that are eligible to use Smartsheet’s Subscription Services to store or process Protected Health Information (or “PHI”) in a manner that allows them to meet their obligations under The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, including the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
This article does not, and is not intended to, constitute legal advice; instead, all information provided in this article is for you to review as part of your own HIPAA compliance efforts. Any capitalized terms used herein but not defined shall have the definitions assigned under HIPAA or the agreement governing your use of Smartsheet’s subscription-based online services (“Subscription Agreement”).
HIPAA is a federal law that establishes national standards for how health plans, health care clearinghouses, and health care providers (“Covered Entities”) access, use, or disclose patient information called “Protected Health Information” or “PHI”. Those standards also extend to third parties that perform services for Covered Entities and come into contact with PHI on their behalf (“Business Associates”), and to the subcontractors of those Business Associates that in turn handle PHI (“Business Associate Subcontractors”). HIPAA is enforced by the US Department of Health and Human Services, through its Office for Civil Rights.
Smartsheet offers its customers subscription-based online services and applications (together, the “Subscription Services”) that are provided to eligible customers with additional security measures designed to allow those customers to comply with their obligations under HIPAA. Smartsheet implements hardening and configuration requirements consistent in approach with SANS Institute, National Institute of Standards and Technology (NIST), and/or Center for Internet Security (CIS) recommendations, or successor standards widely used in the industry, designed to allow you to comply with your obligations under HIPAA.

Any data, file attachments, text, images, reports, personal information, or other content that you or your Users upload or submit to the online Services, and that is processed by Smartsheet for or on your behalf, is maintained in encrypted form both in transit and at rest. The data you submit to the online Services is protected from unauthorized access by security controls offering protection equivalent to logical segregation.

Smartsheet has entered, or will enter, into business associate agreements with its subcontractors that process customer data, which enables you to store file attachments containing PHI in the Subscription Services in a manner that allows you to meet your HIPAA obligations. If you elect to integrate with a third party, or to store attachments through one, you are solely responsible for ensuring that the proper controls and agreements (including any business associate agreement that HIPAA requires with that third party) are in place.

Smartsheet is data agnostic: it does not treat your data differently according to its type or substance. Smartsheet will only access or analyze the substance of your data (a) as requested by you to enable the provision of services or support; and (b) as necessary for Smartsheet to (i) comply with applicable law or legal proceedings, or (ii) investigate, prevent, or take action against suspected abuse, fraud, or violation of the Subscription Agreement.
Third Party Assessment Organization (3PAO)
Smartsheet uses third-party assessors (3PAOs) to verify the adequacy of its security measures surrounding the Subscription Services on an annual basis. This audit: (a) will include testing of the entire measurement period since the previous measurement period ended; (b) will be performed according to AICPA SOC 2 standards or such other alternative standards that are substantially equivalent to AICPA SOC 2; (c) will be performed by independent third-party security professionals at Smartsheet's selection and expense; and (d) will result in the generation of an audit report (“Audit Report”) with respect to the Subscription Services, which will be made generally available by Smartsheet.
An Audit Report will be made available to you upon your written request and no more than once annually, subject to mutually agreed upon non-disclosure terms covering the Audit Report. For the avoidance of doubt, any such Audit Report made available to you will be Smartsheet’s confidential information.
In order to store PHI in the online Services, you must be on an Enterprise plan (excluding Legacy Enterprise) and have entered into Smartsheet’s Business Associate Agreement (“BAA”). Only Enterprise users have the ability to implement the features and functionality necessary to use Smartsheet in a manner that allows you to meet your obligations under HIPAA. If you determine that you require more detailed user auditing capabilities, it is recommended that you use Event Reporting or obtain access to Smartsheet Advance.
Shared Responsibility Model
Smartsheet employs a Software-as-a-Service (“SaaS”) shared-responsibility model between you and Smartsheet. Smartsheet is responsible for providing platform measures that allow you to meet your regulatory compliance requirements. These measures include providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities, as outlined in Figure 1 below. For specific control instructions and recommendations, see the Customer Responsibility to Configure Security Settings section below.
You are responsible for determining whether a business associate agreement with Smartsheet is required and for ensuring that you and your Users use the Subscription Services in compliance with your obligations under HIPAA. This includes understanding and implementing the Smartsheet-provided customizable security controls you deem necessary to meet your HIPAA compliance obligations.
Customer Responsibility to Configure Security Settings
Smartsheet provides customizable settings designed to help you keep your data secure. These settings are designed to ensure that any PHI you submit to the Subscription Services is used and/or accessed only in accordance with your instructions and/or as permitted by the BAA between you and Smartsheet. Ensuring that your use of the online Services allows you to meet your HIPAA obligations is solely your responsibility. See Configure Security Controls for an Enterprise Plan and other related Help Articles for further details and instructions.
The additional resources linked below, although not HIPAA-specific, may help you understand how the Subscription Service is designed with privacy, confidentiality, and availability of data in mind. You may also visit our Smartsheet for Healthcare page and contact our healthcare team to learn more.
This Help Article is for informational purposes only. Each Customer should independently evaluate its own use of the Subscription Services as appropriate to support its legal compliance obligations. SMARTSHEET MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.