Smartsheet is one of those nearly indispensable little tools that make life easier for companies trying to manage large projects involving many people, such as implementing a new Electronic Health Record system. The software allows task assignment and tracking, posting of updates, and aids collaboration and work management. Many users do agree that it’s pretty helpful, but is Smartsheet HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
When it comes to software, there are specific indications of the tool’s HIPAA compliance. Software HIPAA compliance really boils down to two things. Does the software have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the software tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate PHI’s proper uses and disclosures.
Physical safeguards, such as locks and alarm systems, protect an organization’s physical location.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are essential, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. Technical safeguards should include encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if it will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA-compliant and be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable.
Is Smartsheet HIPAA Compliant?
So, is Smartsheet HIPAA compliant? Smartsheet operates on a Shared Responsibility Model of security, which means that the user is responsible for the privacy and security of data on their side of the cloud. Smartsheet clearly addresses the storage of PHI within its service:
“In order to store PHI in the online Services, you must be on an Enterprise (excluding Legacy Enterprise) plan and have entered into Smartsheet’s Business Associate Agreement (“BAA”). Only Enterprise users have the ability to implement the features and functionality necessary to use Smartsheet in a manner that allows you to meet your obligations under HIPAA.”
From that, we know Smartsheet does have a BAA and that only Enterprise users should store PHI within the service. They also sign BAAs with any subcontractors they may use for data integration or storage.
Smartsheet also says that they implement hardening as recommended by organizations like the National Institute of Standards and Technology (NIST), encrypt all data while active and at rest, and provide additional security controls equivalent to logical segregation.
Based upon all these factors, Smartsheet appears to be fully HIPAA compliant. Just remember that protecting your networks is still your responsibility.
