Why is a Business Associate Agreement Important?
Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if it will not sign a business associate agreement (BAA).
A BAA is a legal agreement that requires each signing party to be HIPAA-compliant and be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable.
Is Smartsheet HIPAA Compliant?
So, is Smartsheet HIPAA compliant? Smartsheet operates on a Shared Responsibility Model of security, which means that the user is responsible for the privacy and security of data on their side of the cloud. Smartsheet clearly addresses the storage of PHI within its service:
“In order to store PHI in the online Services, you must be on an Enterprise (excluding Legacy Enterprise) plan and have entered into Smartsheet’s Business Associate Agreement (“BAA”). Only Enterprise users have the ability to implement the features and functionality necessary to use Smartsheet in a manner that allows you to meet your obligations under HIPAA.”
From that, we know Smartsheet does have a BAA and that only Enterprise users should store PHI within the service. They also sign BAAs with any subcontractors they may use for data integration or storage.
Smartsheet also states that it hardens its systems following guidance from organizations such as the National Institute of Standards and Technology (NIST), encrypts all data while active and at rest, and provides additional security controls equivalent to logical segregation.
Based on these factors, Smartsheet appears to be fully HIPAA compliant. Just remember that, under the Shared Responsibility Model, protecting your own networks and your side of the data remains your responsibility.