Work management providers and HIPAA compliance: the ultimate guide


Healthcare organizations may not realize that the work management providers they use need to be HIPAA compliant.

A work management provider is a business associate whenever it creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf. Any time PHI is stored, transmitted, or accessed, the proper safeguards need to be in place to protect it against unauthorized access.

As a business associate, a work management provider is directly liable under HIPAA for protecting PHI from cybercriminals and negligent employees. A covered entity must obtain a signed business associate agreement (BAA) from each business associate; the BAA sets out the associate's responsibilities and duties when it handles PHI.

Not all work management providers are willing to sign a BAA, though. Some also lack the data security features needed to safeguard PHI under HIPAA's Security Rule.

Covered entities need to do their research and configure the provider's security settings to meet HIPAA security requirements. Working with a business associate that has not signed a BAA, or that lacks adequate safeguards, can lead to data breaches, corrective action plans, and heavy fines.

Work management providers best practices

Covered entities should weigh the points above (a signed BAA, adequate safeguards, and security settings they can configure) when determining which work management provider is best for them.

Now let's review some popular work management providers and whether they meet HIPAA security guidelines.

Asana

Asana is a cloud service that lets a team collaborate and communicate within the platform. In terms of HIPAA compliance, the company doesn't offer a BAA to healthcare providers, and it doesn't document the safeguards HIPAA requires for PHI. For those reasons, Asana is not HIPAA compliant.

Beesbusy

Beesbusy is a work management provider that tracks employee time and overall project progress. The company website doesn't mention any willingness to sign a BAA with covered entities, and it doesn't discuss what safeguards are in place to protect data. Beesbusy doesn't meet HIPAA compliance standards.

ClickUp

ClickUp is another work management provider that can track project progress and automate tasks. The company does offer a BAA, but only to covered entities on its highest-tier plan; no other plan is eligible. ClickUp has several data security features, including encryption at rest and in transit, two-factor authentication, and privileged access management. On the eligible plan, with a signed BAA and those features enabled, ClickUp can be HIPAA compliant.

Monday.com

Monday.com connects employees with workplace processes and tools. Covered entities can sign a BAA with Monday.com if they sign up for the Enterprise plan; all other plans are not eligible for a BAA. Monday.com has numerous data security features, including encryption at rest and in transit, password policies, and two-factor authentication. On the Enterprise plan, with a signed BAA, Monday.com can be HIPAA compliant.

Nifty

Nifty can manage projects, tasks, and communication, but the company website doesn't mention any willingness to sign a BAA. Its Terms of Service also openly state that content "may be transferred unencrypted." Without a BAA or an alternative safeguard for data in transit, Nifty doesn't appear to meet HIPAA security standards. Nifty isn't HIPAA compliant.

Smartsheet

Smartsheet is used for managing calendars, projects, and other work tasks. Smartsheet does offer a BAA, but only to customers on the Enterprise plan; lower-tier plans aren't eligible. Smartsheet has data security features including TLS encryption for data in transit, regular security testing, and firewalls. On the Enterprise plan, with a signed BAA, Smartsheet can be HIPAA compliant.

Trello

Trello is another work management provider that lets employees view tasks and progress on boards. Neither Trello nor its parent company, Atlassian, mentions any willingness to sign a BAA. Even if Trello has the security features to protect PHI, it can't be a HIPAA compliant provider without a BAA in place. Trello is not HIPAA compliant.

What are the best HIPAA compliant work management providers?

Based on the work management providers that were reviewed, a healthcare provider might consider choosing one of the following:

  • ClickUp
  • Monday.com
  • Smartsheet

All three providers are willing to sign a BAA on select plans. A signed BAA is necessary but not sufficient: healthcare organizations remain responsible for ensuring that their business associates meet HIPAA security guidelines. Covered entities should confirm that they can configure the provider's security settings (for example, enforcing two-factor authentication and restricting access to PHI) to meet their HIPAA compliance needs.

Don’t forget to use HIPAA compliant email

Your work management provider isn't the only service that needs to comply with HIPAA. Your email also needs to protect PHI. Email poses a big risk to a healthcare organization, since human error, such as opening a malicious attachment or sending PHI to the wrong recipient, can lead to breaches or to ransomware infecting your network.

Paubox Email Suite is a HIPAA compliant email security solution. It automatically encrypts all emails that your employees send. You can directly communicate with patients in their inbox which can improve patient engagement.

Paubox is also easy for your employees to use, since it integrates seamlessly with popular email providers such as Google Workspace and Microsoft 365.

Our HITRUST CSF certified software automatically includes a BAA, regardless of which plan you choose to use. 

Try Paubox Email Suite Plus for FREE today.

About the author

Sara Nguyen
