HIPAA Business Associate Agreement
The information below is for review only. Should you wish to enter into a BAA with Smartsheet, please contact our Sales team.
This HIPAA Business Associate Agreement (“BAA”) is entered into by and between Smartsheet Inc., with its principal place of business located at 10500 NE 8th Street, Suite 1300, Bellevue WA 98004 (“Smartsheet”), and the undersigned customer (“Customer”). This BAA is effective on the date it is executed by Smartsheet (the “BAA Effective Date”).
1. Applicability. This BAA is subject to the terms of the Subscription Agreement (defined below). In the event of a conflict between the Subscription Agreement and this BAA, the BAA will control. A breach of this BAA by either party constitutes a material breach of the Subscription Agreement. Customer is obligated to notify Smartsheet if Customer downgrades its Subscription Service from an Enterprise level plan, and accordingly is no longer authorized to upload or submit PHI to the Subscription Service.
2. Definitions. For the purposes of this BAA, any capitalized terms not defined herein will have the meaning given to them in the Subscription Agreement. The following terms shall have the meanings as defined in HIPAA: “Breach”; “Security Incident”; “Protected Health Information (PHI)”; “Required By Law”; and “Individual”.
“Business Associate” has the same meaning as the term “business associate” at 45 CFR § 160.103, and in reference to the party to this BAA shall mean Smartsheet.
“CFR” means the U.S. Code of Federal Regulations.
“Covered Entity” has the same meaning as the term “covered entity” at 45 CFR § 160.103, and in reference to the party to this BAA shall mean Customer.
“Customer Content” means data, information, file attachments, text, images, reports, and other content that is uploaded or submitted to the Subscription Service by Customer or Customer Users and processed in the Subscription Service.
“Customer PHI” means PHI contained within Customer Content.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended (including with respect to the HITECH Act).
“HIPAA Implementation Guide” means the informational guide made available by Smartsheet, at www.smartsheet.com/HIPAA-Implementation-Guide describing how Customer can configure and use the Subscription Service consistent with Customer’s obligations under HIPAA.
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of Division A and Title IV of Division B of the American Recovery & Reinvestment Act of 2009 (“ARRA”), and the regulations thereunder, as amended.
“Independent Contractor” means a non-employee worker who performs services on behalf of Smartsheet subject to Smartsheet’s privacy and security policies.
“Secretary” means the Secretary of the U.S. Department of Health and Human Services.
“Security Rule” means 45 CFR Part 160 and Subparts A and C of Part 164.
“Subcontractor” means any person (including any third party, but excluding Independent Contractors of Smartsheet) appointed by or on behalf of Smartsheet to process Customer PHI in connection with the Subscription Agreement.
“Subscription Agreement” means the applicable agreement governing Customer’s access and use of the Subscription Service.
“Subscription Service” means Smartsheet’s internet-delivered work collaboration services and applications as such term is defined in the Subscription Agreement. For purposes of this BAA, Training Services, Free Services, and services and applications provided by third-parties, including Partner Apps, are not part of the Subscription Service and Customer is responsible for determining and implementing appropriate measures for the use of services and applications consistent with Customer’s obligations under HIPAA.
“Unsecured PHI” has the same meaning as the term “unsecured protected health information” at 45 CFR § 164.402.
3. Obligations of Smartsheet.
3.1 Smartsheet agrees to not use or disclose Customer PHI other than as permitted or required by this BAA or as Required by Law.
3.2 Smartsheet agrees to use appropriate safeguards to comply with the Security Rule with respect to Customer PHI, to prevent use or disclosure of Customer PHI other than as provided for by this BAA, and to reasonably and appropriately protect the confidentiality, integrity, and availability of the Customer PHI that it processes on behalf of Customer as required by the Security Rule.
3.3 Smartsheet agrees to mitigate, to the extent practicable, any harmful effects known to Smartsheet resulting from an unauthorized use or disclosure of Customer PHI by Smartsheet in violation of this BAA’s requirements.
3.4 Smartsheet agrees to the following Breach notification requirements:
a. In the event of a Breach or Security Incident involving Customer PHI (collectively referred to as a “Reportable Incident”) of which Smartsheet becomes aware, Smartsheet will provide notice to Customer of such Reportable Incident without undue delay, but in no case more than thirty (30) days following Smartsheet’s knowledge of such Reportable Incident. Notification will be (i) consistent with applicable law and the legitimate needs of law enforcement, and after taking any measures necessary to determine the scope of the Reportable Incident; and (ii) sent to Customer’s SysAdmin through the Subscription Service or via direct communication pursuant to the notification requirements in the Subscription Agreement.
b. Customer acknowledges that Smartsheet routinely experiences, without limitation, pings and other broadcast attacks on Smartsheet’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, that do not result in unauthorized access, use, disclosure, modification, or destruction of Customer Content, including Customer PHI, or interference with the general operation of Smartsheet’s systems or the Subscription Service (“Unsuccessful Attempts”). The parties acknowledge and agree that this Section 3.4(b) constitutes notice by Smartsheet to Customer of the ongoing existence and occurrence of Unsuccessful Attempts for which no additional notice to Customer shall be required.
3.5 Smartsheet will take appropriate measures to ensure that Subcontractors and Independent Contractors are bound by substantially the same restrictions, conditions, and requirements as Smartsheet under this BAA. To the extent Smartsheet uses Subcontractors and Independent Contractors in its performance of obligations hereunder, Smartsheet will remain responsible for their performance as described in the Subscription Agreement.
3.6 Smartsheet will make Customer PHI in a Designated Record Set available to Customer in order for Customer to comply with its obligations under 45 CFR § 164.524, it being understood that Customer will be solely responsible for identifying the relevant Designated Record Set and PHI and for complying with any request made by individuals under 45 CFR § 164.524.
3.7 Smartsheet will make Customer PHI in a Designated Record Set available to Customer for amendment in order for Customer to comply with its obligations under 45 CFR § 164.526, it being understood that Customer will be solely responsible for identifying the relevant Designated Record Set and PHI and for making any necessary amendments to comply with any request made by individuals under 45 CFR § 164.526.
3.8 Smartsheet will maintain and make available information necessary for Customer to provide an accounting of disclosures of Customer PHI in accordance with 45 CFR § 164.528, it being understood that Customer will be solely responsible for identifying the relevant individuals and associated PHI and for complying with any request made by individuals under 45 CFR § 164.528. Smartsheet is not responsible for providing an accounting of disclosures made by Customer while using the Subscription Service.
3.9 To the extent Required by Law, and subject to applicable attorney-client privileges, Smartsheet will make its internal practices, books, and records concerning the use and disclosure of Customer PHI received from Customer or created or received by Smartsheet on behalf of Customer, available to the Secretary for the purpose of the Secretary determining compliance with the HIPAA Rules.
4. Permitted Uses and Disclosures.
4.1 By Smartsheet: Smartsheet may use and disclose Customer PHI:
a. to perform the services as specified in the Subscription Agreement;
b. as Required by Law; and
c. for the proper management and administration of Smartsheet’s business and to carry out the legal responsibilities of Smartsheet, provided that any disclosure of Customer PHI for such purposes may only occur if (i) required by applicable law; or (ii) Smartsheet obtains reasonable written assurances from the person to whom Customer PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Smartsheet will be notified in the event of an unauthorized disclosure.
4.2 Minimum Necessary. Smartsheet agrees to limit uses and disclosures of Customer PHI consistent with minimum necessary requirements under 45 CFR § 164.502(b).
4.3 Limitations. Smartsheet may not use or disclose Customer PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer.
5. Obligations of Customer.
5.1 Customer warrants that Customer, its directors, officers, subcontractors, employees, affiliates, agents, and representatives:
a. will comply with HIPAA in its use or disclosure of Customer PHI;
b. will not use or disclose Customer PHI in any manner that violates applicable federal and state laws;
c. will not request that Smartsheet use or disclose Customer PHI in any manner that would violate applicable federal and state laws if such use or disclosure were done by Customer; and
d. will not use the Subscription Service to create, receive, maintain or transmit PHI using a Connector or third-party application (including Partner Apps), except where Customer has expressly entered into a separate HIPAA business associate agreement with said third-party service providers.
5.2 In connection with Customer’s management and administration of the Subscription Service with respect to Customer Users, Customer is responsible for using the available controls within the Subscription Service to support its compliance with HIPAA, including reviewing the HIPAA Implementation Guide and enforcing appropriate controls.
5.3 Customer shall use measures and controls available within the Subscription Service to ensure: (a) that non-HIPAA compliant functionality is disabled for all Customer Users who use the Subscription Service in connection with Customer PHI; and (b) that use of Customer PHI is appropriately limited to the minimum extent necessary for Customer to carry out its authorized use of such PHI, except as otherwise allowed by 45 CFR § 164.502(b)(2).
5.4 Customer (and not Smartsheet) is responsible for: (a) managing whether Customer Users are authorized to create, receive, maintain, or transmit PHI within the Subscription Service; and (b) the sharing or distribution of PHI by Customer Users who are utilizing the sharing features within the Subscription Service. Smartsheet has no obligation to protect Customer PHI under this BAA to the extent such PHI is created, received, maintained, or transmitted outside of the Subscription Service.
5.5 Customer will notify Smartsheet of: (a) any limitation(s) in the notice of privacy practices under 45 CFR § 164.520, to the extent that such limitation may affect Smartsheet’s use or disclosure of Customer PHI; (b) any changes in, or revocation of, the permission granted by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Smartsheet’s use or disclosure of Customer PHI; and (c) any restriction on the use or disclosure of Customer PHI that Customer has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Smartsheet’s use or disclosure of Customer PHI.
5.6 In the event that Customer’s notice of privacy practices as described in Customer’s patient privacy notification limits Smartsheet’s ability to process Customer PHI as set forth herein or Customer agrees to or must abide by restrictions or any other limitations on such ability, Smartsheet shall be permitted to terminate the Subscription Agreement without penalty by giving Customer three (3) days written notice. Smartsheet may suspend or terminate Customer’s use of the Subscription Service if it is made known to Smartsheet that Customer is not adequately making use of the features discussed in the HIPAA Implementation Guide. The provisions of this Section shall survive the termination of this BAA.
6. Term and Termination.
6.1 This BAA will terminate upon the earlier of: (a) a permitted termination as set forth herein; (b) the expiration or termination of the Subscription Agreement; or (c) the execution of a business associate agreement that supersedes this BAA. Upon termination of this BAA for any reason, Customer must immediately (x) delete or remove any Customer PHI from the Subscription Service, and (y) cease to create, receive, maintain, or transmit PHI via the Subscription Service.
6.2 Upon expiration or termination of the period of authorized access and use of the Subscription Service, Smartsheet will return, allow read-only access to, or render unrecoverable Customer PHI, if any, according to the terms and conditions of the applicable Subscription Agreement; provided that Smartsheet may retain Customer PHI contained in an archived computer system backup made in accordance with Smartsheet’s legal and financial compliance obligations or security and disaster recovery procedures. Any such retained Customer PHI will remain subject to the terms of this BAA and the applicable Subscription Agreement.
7. Entire Agreement. This BAA constitutes the entire agreement between the parties related to the subject matter hereof. Except as expressly modified or amended under this BAA, the terms of the Subscription Agreement remain in full force and effect. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or any part thereof, is found to be invalid, the remaining provisions shall remain in effect. For the avoidance of doubt, except as otherwise expressly set forth herein, the terms and conditions with respect to the parties’ limitations of liability and indemnification obligations are set forth in the Subscription Agreement.
8. General. The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the HIPAA Rules, HIPAA, the HITECH Act, and any other applicable law. The respective rights and obligations of Smartsheet under Section 6 of this BAA shall survive the termination of this BAA. Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same laws as those governing the Subscription Agreement. Any reference in this BAA to a section in the HIPAA Rules shall mean the section as in effect or as amended.
Last Updated: August 13, 2019