Smartsheet offers collaborative software to healthcare professionals who want a single space to organize patient and practice data. However, as with any organization that handles protected health information (PHI) on behalf of a practice, it needs to be HIPAA compliant.
What is Smartsheet?
Smartsheet is a cloud-based collaborative work management platform that provides teams and organizations with an interface for managing various projects, tasks, and workflows. Smartsheet can be used across different industries and departments, offering multiple subscription plans and additional capabilities tailored to different legislative requirements, such as HIPAA.
Smartsheet and the business associate agreement
To be considered HIPAA compliant, business associates are required to sign a business associate agreement.
Since Smarthseet deals with sensitive PHI and offers its services to healthcare providers, it meets the requirements to be considered a business associate. They offer to sign a business associates agreement for users on the paid Enterprise subscription plan.
On their website, Smartsheet states that "In order to store PHI in the online Services, you must be on an Enterprise (excluding Legacy Enterprise) plan and have entered into Smartsheet's Business Associate Agreement ("BAA")."
Smartsheet and the shared responsibility model
Smartsheet operates under a shared responsibility model. This requires both Smartsheet and its customers to handle the responsibilities related to data security and regulatory compliance. While Smartsheet is responsible for providing the necessary measures and infrastructure within its platform to enable customers to meet regulatory compliance requirements, including HIPAA.
Smartsheets security involves incorporating protection, detection, and reaction capabilities to ensure the availability and security of customer data. On the other hand, customers are responsible for determining if a BAA is required, using the Subscription Services in compliance with HIPAA obligations, and configuring security settings appropriately. By adhering to this shared responsibility model, Smartsheet and its customers work together to maintain the security and privacy of data.
Smartsheet and third party assessment organizations
Smartsheet engages third-party assessors, known as Third Party Assessment Organizations (3PAOs), to conduct regular assessments and audits of its security measures surrounding the Subscription Services. These assessments are performed annually and aim to verify the adequacy of Smartsheet's security controls and practices.
The result of these assessments is the generation of an audit report, known as the Audit Report, which provides valuable insights into the security measures implemented by Smartsheet. While the Audit Report is not publicly available, Smartsheet may provide the report to eligible customers subject to mutually agreed-upon non-disclosure terms upon written request.
These third-party assessments contribute to Smartsheet's commitment to maintaining security controls and instilling confidence in its customers regarding the protection of their data.
Related: Preparing for an OCR HIPAA compliance audit
Conclusion
Smartsheet can be HIPAA compliant for Enterprise subscribers. They have a BAA available to Enterprise plan subscribers and implement encryption protocols, security policies, procedures, and audits to ensure continuous protection of patient data.
When considering the use of Smartsheet, users should consider the fact that there is a Shared responsibility approach taken to HIPAA compliance, which means you are responsible for signing the BAA and meeting HIPAA requirements within your own practice.
Related: HIPAA Compliant Email: The Definitive Guide
Kirsten Peremore
