Smartsheet has stated that it is HIPAA compliant and that it is willing to sign a business associate agreement (BAA).
Customers can access the Smartsheet HIPAA Implementation Guide to learn how to properly configure Smartsheet for PHI. Covered entities should adjust specific features and security controls for HIPAA compliance. Security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management.
Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports.
Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to a cloud-based document. Importing data and sending it through the attachment feature may put the security of PHI at risk.
Covered entities should evaluate the security and privacy of each Smartsheet add-on before using it with PHI.
File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). Smartsheet states that it has a BAA in place with AWS.