Is Smartsheet HIPAA Compliant?
There are many different types of project management platforms available for Covered Entities and Business Associates to manage workflows, but are project management platforms such as Smartsheet HIPAA compliant?
Smartsheet is a Software-as-a-Service project management platform Covered Entities and Business Associates can use to assign tasks, track progress, manage calendars, and share documents. It is an effective solution for facilitating collaboration between workforce members; but, when any collaboration involves uses and disclosures of PHI, it is important PHI is protected.
The HIPAA Security Rule details how PHI should be protected while in use, in transit, or at rest; and – via its Enterprise Plan – Smartsheet provides the necessary security controls for Covered Entities and Business Associates to comply with the Security Rule standards. However, Covered Entities and Business Associates are responsible for configuring the security controls correctly.
The Smartsheet Business Associate Agreement
In order to make Smartsheet HIPAA compliant, Covered Entities and Business Associates must also enter into a Business Associate Agreement with Smartsheet Inc. Smartsheet provides a draft HIPAA Business Associate Agreement that Covered Entities and Business Associates are advised to review and amend as necessary to meet their individual requirements.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Although the Business Associate Agreement is comprehensive, some Covered Entities and Business Associates may have issues with certain clauses. For example, the clause relating to “Term and Termination” suggests Smartsheet can retain PHI beyond the termination of the Agreement. This may contradict the Organizational Requirements of the Privacy Rule depending on the organization´s interpretation of “feasible” in 45 CFR §164.504(e)(2)(ii)(J).
Consequently, it is recommended that Covered Entities and Business Associates take legal advice before entering into a Business Associate Agreement with Smartsheet, and agree to whatever changes are necessary to the draft Business Associate Agreement to ensure both they and Smartsheet are HIPAA compliant.
Conclusion: Is Smartsheet HIPAA Compliant? It Can Be – at a Price!
Smartsheet´s HIPAA Guide can be a great help to Covered Entities and Business Associates looking to find out if Smartsheet is HIPAA compliant as it lists the security responsibilities of each party and provides an illustrated Shared Responsibility Model for compliance officers to review. The Guide also explains how compliance officers can obtain copies of Smartsheet´s security audit to assist with due diligence efforts.
Importantly, the Guide emphasizes the customer´s responsibility to configure the security settings to use Smartsheet in compliance with HIPAA. System administrators familiar with HIPAA-compliant software will not find these settings too challenging, but it is worth looking at what is involved before reviewing the draft Business Associate Agreement to see if it is suitable for the organization´s requirements or needs revisions.
Finally, in order to use Smartsheet in compliance with HIPAA, it is necessary for organizations to subscribe to the Enterprise Plan. This is the most expensive of Smartsheet´s options and includes multiple features that may never be used – but still paid for. Consequently, although Smartsheet can be HIPAA compliant, Covered Entities and Business Associates may wish to consider more cost-effective project management platforms.
