
HIPAA Business Associate Agreement


The information below is for review only. Should you wish to enter a BAA with Smartsheet, please contact our Sales team by clicking here.


This HIPAA Business Associate Agreement (“BAA”) is incorporated into and forms a part of the agreement between Smartsheet Inc. (“Smartsheet”) and the undersigned customer (“Customer”) that governs Customer’s access to and use of the Subscription Services (“Agreement”). This BAA is effective as of the date of the last signature below (the “BAA Effective Date”). 

 
1.   Applicability. Subject to the terms of the Agreement, this BAA sets forth each Party’s respective obligations under HIPAA regarding the Subscription Services. Customer assumes all responsibility for ensuring that its use of the Subscription Services is in accordance with its obligations under HIPAA, the Agreement, and this BAA. The Subscription Services’ features and functionality necessary for Customer to meet its HIPAA obligations are only available under Enterprise plans of the Subscription Services (but excluding Legacy Enterprise). Therefore, Customer must only upload or submit Customer PHI under an Enterprise Plan. If Customer downgrades from an Enterprise plan, Customer will remove any PHI previously uploaded or submitted to the Subscription Services prior to the downgrade. Further details can be found in Smartsheet’s HIPAA Help Article. 


2.   Definitions. Capitalized terms not defined herein have the meaning given in the Agreement. The following terms shall have the meanings as defined in HIPAA: “Breach,” “Business Associate,” “Covered Entity,” “Designated Record Set,” “Individual,” “Protected Health Information (PHI),” “Required By Law,” “Security Incident,” “Subcontractor,” “Unsecured PHI,” and “Workforce.”

“Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the online Services by Customer or Users and is processed by Smartsheet on behalf of Customer. 

“Customer PHI” means PHI contained within Customer Content.    

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, including the HITECH Act. 

“HIPAA Help Article” means the informational article published by Smartsheet at help.smartsheet.com/articles/2476526 which provides information relevant to the functionality available to Customer for Customer to configure and use the Subscription Services consistent with Customer’s obligations under HIPAA.

“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. 

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of Division A and Title IV of Division B of the American Recovery & Reinvestment Act of 2009, and the regulations thereunder.  

“Parties” or “Party” means Customer and/or Smartsheet as applicable.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services.

“Security Rule” means 45 CFR Part 160 and Subparts A and C of Part 164.

“Subscription Services” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet. For the purposes of this BAA, Free Services and services and applications provided by third-parties, including Partner Apps, are not part of the Subscription Services and Customer is responsible for determining and implementing appropriate measures for the use of services and applications consistent with Customer’s obligations under HIPAA.

“User” means any individual permitted or invited by Customer or another User to access and use the Subscription Services available to Customer under an Order and the terms of this Agreement.  
 

3.     Roles of the Parties. 
 
3.1   The Parties agree that, with respect to this BAA: 

  • 3.1.1    Smartsheet is the Business Associate when Customer qualifies as a Covered Entity and engages Smartsheet to perform certain functions or activities on behalf of Customer that involve Smartsheet receiving, maintaining, or transmitting Customer PHI via the Subscription Services; and
  • 3.1.2    Customer is the Business Associate and Smartsheet is the Subcontractor when Customer is engaged to perform certain functions or activities on behalf of a third-party qualifying as a Covered Entity or Business Associate (each, a “HIPAA Third Party”) that involve Smartsheet receiving, maintaining, or transmitting the HIPAA Third Party’s PHI via the Subscription Services as Customer PHI.


4.     Smartsheet.

4.1   Smartsheet will not use or disclose Customer PHI other than as permitted or required by this BAA or as Required by Law. 
 
4.2   Smartsheet will use appropriate safeguards to comply with the Security Rule and to prevent use or disclosure of Customer PHI other than as provided for by this BAA. 
 
4.3   Smartsheet will provide written notice to Customer of a Breach or Security Incident (collectively referred to as a “Reportable Incident”) of which it becomes aware without undue delay. Notification will be sent to Customer pursuant to the notification requirements in the Agreement. 

  • 4.3.1    Smartsheet will investigate and, as necessary, mitigate or remediate a Reportable Incident in accordance with Smartsheet’s Reportable Incident policies and procedures (“Breach Management”).
  • 4.3.2    Smartsheet will provide Customer with information available to Smartsheet through its Breach Management, including the nature of the incident, specific information disclosed (if known), and any mitigation efforts or remediation measures (“Breach Information”), to allow Customer to comply with its obligations under HIPAA as a result of a Reportable Incident.

4.4   Smartsheet will ensure that its Subcontractors and Workforce engaged to perform Smartsheet’s obligations under this BAA that involve Customer PHI are bound by statutory obligation or a written agreement that includes appropriate provisions for receiving, maintaining, transmitting, or otherwise processing Customer PHI and is substantially as protective of Customer PHI as this BAA. Smartsheet is responsible for the acts and omissions of its Subcontractors and Workforce in relation to Smartsheet’s obligations under this BAA. 
 
4.5   Smartsheet will make Customer PHI in a Designated Record Set available to Customer via the Subscription Services in order for Customer to comply with its obligations to Individuals, including access, amendment, and accounting of disclosures of Customer PHI. Smartsheet will notify Customer in writing without undue delay of any confirmed requests Smartsheet receives directly from an Individual relating to Customer PHI. Customer will be solely responsible for identifying the relevant Designated Record Set and PHI and for complying with any request made by Individuals.

4.6   To the extent Required by Law, and subject to applicable attorney-client privileges and contractual obligations, Smartsheet will make its internal practices, books, and records concerning the use and disclosure of Customer PHI received from Customer or created or received by Smartsheet on behalf of Customer, available to the Secretary for the purpose of the Secretary determining compliance with the HIPAA Rules.

 
5.     Customer. 

5.1   Customer represents and warrants, on behalf of itself and its Users, that it has all rights, permissions, and consents necessary to: (a) submit all Customer PHI to the Subscription Services; and (b) grant Smartsheet the limited rights to process Customer PHI as set forth herein.

5.2   Customer represents and warrants that Customer and its Users will comply with federal and state laws applicable to use or disclosure of Customer PHI, including HIPAA, in connection with the Subscription Services.

5.3   Customer will not use the Subscription Services to transmit PHI to or from a third-party except where Customer has entered into a separate HIPAA business associate agreement with such third-party. Smartsheet has no obligation to protect PHI under this BAA to the extent such PHI is created, received, maintained, or transmitted outside of the Subscription Services.

5.4   In connection with Customer’s use, management, and administration of the Subscription Services and its Users, Customer (and not Smartsheet) is responsible for: (a) periodically reviewing the HIPAA Help Article, which may be updated from time to time to account for changes in applicable law, reflect process improvements, or updated practices; (b) independently assessing, implementing, and enforcing available security configuration settings it deems necessary within the Subscription Services to support its compliance with HIPAA; and (c) managing which Users are authorized to create, receive, maintain, or transmit (including through sharing or distribution) Customer PHI. 

5.5   Customer will notify Smartsheet of any restrictions on the use or disclosure of Customer PHI that Customer has agreed to, including, if applicable, restrictions for which Customer must agree to, that may affect Smartsheet’s performance of its obligations under this BAA.
 

6.     Permitted Uses and Disclosures. 

6.1   Smartsheet may use and disclose Customer PHI: (a) as Required By Law; (b) as requested by Customer in writing or as allowed by Customer via the Subscription Services’ access controls; or (c) as specified in the Agreement or to prevent or address technical problems with the Services or violations of this BAA or the Agreement.  

6.2    Customer agrees to limit the amount of Customer PHI it uploads or submits to the Subscription Services consistent with such requirements under 45 CFR § 164.502(b). Smartsheet agrees to limit its use or disclosure of Customer PHI to the minimum amount allowed under this BAA.

6.3    Notwithstanding the foregoing permitted uses and disclosures, Smartsheet will not use or disclose Customer PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer, and Customer will not request any such violative use or disclosure by Smartsheet.
 

7.     Term and Termination. 

7.1   This BAA will terminate upon the earlier of: (a) a permitted termination as set forth herein; (b) the expiration or termination of the Agreement; or (c) the execution of a new Business Associate Agreement that supersedes this BAA.  

7.2   Upon expiration or termination of the period of authorized access and use of the Subscription Services, Smartsheet will return, allow read-only access to, or render unrecoverable Customer PHI, if any, according to the terms and conditions of the Agreement; provided that Smartsheet may retain Customer PHI contained in an archived computer system backup made in accordance with Smartsheet’s legal and financial compliance obligations or security and disaster recovery policies and procedures.  Any such retained Customer PHI will remain subject to the terms of this BAA and the applicable Agreement. 

7.3   A material breach of this BAA by either Party constitutes a material breach of the Agreement. In the event that Customer’s notice under Section 5.5 limits Smartsheet’s ability to process Customer PHI as set forth herein or Customer agrees to or must abide by restrictions or any other limitations on such ability, Smartsheet shall be permitted to terminate the Agreement without penalty by giving Customer five (5) business days’ written notice. Additionally, Smartsheet may suspend or terminate Customer’s use of the Subscription Services if it is made known to Smartsheet that Customer is not adequately protecting Customer PHI in accordance with Customer’s obligations under Section 5, which may include not making use of available features discussed in the HIPAA Help Article.
 

8.     General. 

8.1   Amendment; Waiver. Unless otherwise expressly stated herein, this BAA may be modified only by a written agreement executed by an authorized representative of each Party.  The waiver of any breach of this BAA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.

8.2.  Severance. If any provision of this BAA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this BAA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this BAA, the entire BAA will be considered null and void.

8.3.  Order of Precedence. Regarding the subject matter of this BAA, in the event of any conflict between this BAA and any other written agreement between the Parties (including the Agreement), this BAA will govern and control. Any business associate agreements that may already exist between Parties are superseded and replaced by this BAA in their entirety.

8.4   Notices. Unless otherwise provided for in this BAA, the Parties will provide notices under this BAA in accordance with the Agreement, provided that all such notices may be sent via email.

8.5   Governing Law and Jurisdiction. Except to the extent preempted by HIPAA, this BAA is governed by the laws stipulated in the Agreement and the Parties to this BAA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this BAA. 

8.6.  Enforcement. Unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this BAA against Smartsheet; and (b) Smartsheet’s obligations under this BAA, including any applicable notifications, will be only to Customer.

8.7.  Liability. As between the Parties to this BAA, each Party’s liability and remedies under this BAA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

8.8.  Variations to HIPAA. If any variation is required to this BAA as a result of a change in HIPAA, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this BAA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Subscription Services and Smartsheet’s business operations. 

8.9   Reservation of Rights. Notwithstanding anything to the contrary in this BAA: (a) Smartsheet reserves the right to withhold information the disclosure of which would pose a security risk to Smartsheet or its customers or is prohibited by applicable law or contractual obligation; and (b) Smartsheet’s notifications, responses, or provision of information or cooperation under this BAA are not an acknowledgement by Smartsheet of any fault or liability.

 

Last Updated: November 18, 2021

 

©2023. All Rights Reserved Smartsheet Inc.