Is Trello HIPAA compliant?
Trello is not HIPAA compliant, and the platform cannot be used to receive, store, or share Protected Health Information (PHI), because a clause in Trello's Terms of Service prohibits customers from using Trello to process sensitive personal information. However, provided the platform is not used to receive, store, or share PHI, Trello can help increase productivity.
Owned by Atlassian, Trello offers a range of tools that help to coordinate workflows, facilitate collaboration between co-workers, and automate specific tasks. Such project-management platforms are increasingly popular solutions across a variety of organizations, and they have great potential for use in the healthcare sector.
But before Trello is used to manage a project that involves the disclosure of PHI, covered entities must ensure Trello can be used in a HIPAA-compliant manner. This means the service must implement minimum security standards that ensure the safety, confidentiality, and accessibility of PHI. This requirement is stipulated by the HIPAA Security Rule.
Without these minimum safeguards, PHI is vulnerable to access by unauthorized individuals, threatening the privacy of patients. Trello does implement some security measures, such as end-to-end encryption of data in transit. It regularly assesses its product for vulnerability to cyber-attacks and regularly backs up data stored on its servers.
The security of PHI held by product vendors is just one aspect of HIPAA compliance. Before a covered entity or business associate uses a product through which PHI is collected, received, maintained, or disclosed, it must enter into a business associate agreement (BAA) with the product's vendor. These agreements outline the responsibilities of the vendor, including how PHI will be used, who can access it, what happens in the event of a data breach, and what will happen to the PHI when the BAA is terminated. All of these stipulations, amongst others in the BAA, help to maintain patient privacy.
Trello is owned by Atlassian, so covered entities and business associates would need to enter into a BAA with Atlassian. Under its Terms of Service, Atlassian considers any "patient, medical, or other protected health information regulated by HIPAA" to be "Sensitive Personal Information". Under the same Terms of Service, Atlassian states:
“You [sic] will not submit to the Cloud Products (or use the Cloud Products to collect) any Sensitive Personal Information unless its processing is expressly supported as a feature of the applicable Cloud Product in the applicable Documentation. Notwithstanding any other provision to the contrary, we have no liability under these Terms for Sensitive Personal Information submitted in violation of the foregoing.”
As Trello does not allow Sensitive Personal Information on its platform, Atlassian will not enter into any BAA covering the use of Trello. Trello is, therefore, not HIPAA compliant. However, Trello can still be used by healthcare organizations so long as the information uploaded does not contain any PHI. If PHI is uploaded to the platform, that is a violation of HIPAA (because no BAA is in place) and a violation of Atlassian's Terms of Service that may result in suspension of the service.