Smartsheet has stated that it enables HIPAA compliance and that it’s willing to sign a business associate agreement (BAA).
Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA’s regulatory requirements for protecting health data.
Customers can consult the Smartsheet HIPAA Implementation Guide to learn how to configure Smartsheet for PHI. Covered entities should adjust specific features and security controls to support HIPAA compliance; the relevant security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management.
Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports.
Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to the cloud-hosted document rather than exporting the data and sending it as a file attachment, which may put the security of the PHI at risk.
Covered entities should evaluate the security and privacy of each Smartsheet add-on before using it with PHI.
File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). Smartsheet states that it has a BAA in place with AWS.