Yes, Smartsheet is HIPAA compliant. Its security features meet HIPAA requirements, and the company is willing to sign a business associate agreement (BAA).
Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services meet or exceed HIPAA’s regulatory requirements for protecting health data.
Customers can access the Smartsheet HIPAA Implementation Guide to learn how to properly configure Smartsheet for PHI. Covered entities must adjust specific features and security controls for HIPAA compliance. Security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management.
Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports.
Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to a cloud-based document. Importing data and sending it through the attachment feature may put the security of PHI at risk.
HIPAA compliance applies to the main Smartsheet tools only. Add-ons such as partner apps may not meet HIPAA requirements. Covered entities should evaluate the security and privacy of each add-on before using it with PHI.
Smartsheet will sign a BAA for customers with an Enterprise plan. File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). In addition to signing a BAA with covered entities, Smartsheet also has a BAA in place with AWS.