HIPAA Implementation Guide
This page is kept for historical purposes. For up-to-date information regarding Smartsheet and HIPAA, please visit our HIPAA Help Article.

The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, including the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).

This Smartsheet HIPAA Implementation Guide is intended for security officers, compliance officers, IT administrators, and other employees in organizations who are responsible for HIPAA implementation and compliance. This guide will allow intended users to implement the features and functionality necessary to use Smartsheet in a HIPAA-compliant manner. Such features and functionality are only available to Enterprise (excluding Legacy Enterprise) plan users of the Smartsheet collaborative work management platform; there is no HIPAA-specific Smartsheet product or service. A BAA (defined below) entered with Smartsheet will apply to all Customer plans; all plans (if more than one) will be identified by Smartsheet as being used by Customer in a HIPAA-compliant manner and must be purchased at the Enterprise (excluding Legacy Enterprise) level.

Any capitalized terms used herein but not defined shall have the definitions assigned under HIPAA or the agreement governing use of the Smartsheet collaborative work management platform (“Subscription Agreement”).

SHARED RESPONSIBILITY MODEL.

Smartsheet employs a shared-responsibility model between the Customer and Smartsheet. Smartsheet will provide physical, organizational, and technical controls designed to ensure the security, integrity, and confidentiality of Customer Content.

Customer is responsible for determining if it is a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Smartsheet is required) and for ensuring that it uses Smartsheet’s Subscription Service in compliance with HIPAA. Smartsheet customers who are subject to HIPAA and wish to use the Subscription Service with PHI must sign a Smartsheet Business Associate Agreement (BAA).

Customer is also responsible for its Customer Content; responsibilities may include fulfilling an individual’s right of access, amendment, and accounting in accordance with the requirements under HIPAA. Any requests received by Smartsheet regarding PHI shall be referred to Customer. Smartsheet will provide support as appropriate to Customer to facilitate Customer’s response to the request.

STORING PHI AS CUSTOMER CONTENT.

All Customer Content stored utilizing the Subscription Service is maintained in encrypted form (in transit and at rest). Customer Content is protected from unauthorized access by security controls offering protection equivalent to logical segregation. Smartsheet has a business associate agreement with Amazon Web Services (AWS) enabling Customers to store file attachments in the Subscription Service in a HIPAA-compliant manner. If Customer elects to store attachments through a third party (e.g., Box), Customer is solely responsible for ensuring the proper business associate agreements are in place. Smartsheet does not access Customer Content except: (a) as requested by Customer to enable the provision of customer support; and (b) as necessary for Smartsheet to (i) comply with applicable law or legal proceedings, or (ii) investigate, prevent or take action against suspected abuse, fraud or violation of the Subscription Agreement.

USING SMARTSHEET WITH PHI.

Smartsheet provides customizable settings to ensure that Customer Content is secure, used, and accessed in accordance with Customer’s requirements and as permitted by the BAA between Smartsheet and Customer. Please note that Add-Ons are NOT part of the underlying Subscription Service for purposes of the BAA or this guide, and Smartsheet makes NO representations that implementation or use of Add-Ons is compliant with HIPAA. The obligation to ensure HIPAA compliance for Customer’s use of Smartsheet is Customer’s responsibility. Some actionable recommendations to help Customer address specific concerns within the Subscription Service for HIPAA compliance include:

Providing Customer Users Information. Customers may create a landing page that is visible to Customer Users. This landing page can contain information and reminders to Customer Users for the proper use and management of Customer Content to maintain HIPAA compliance. If you would like assistance in developing a landing page for your employees, your SysAdmin(s) can contact the Smartsheet representative assigned to your account, although Professional Services fees may apply. Please see “Customizing a Welcome Message & Upgrade Screen” for more information.

Managing Access. Customers are responsible for managing login credentials for Customer Users and ensuring that Customer User passwords (determined by Customer Users) meet complexity standards and are rotated in a timely manner. Customer must also safeguard Customer User identities and credentials (names, email addresses, and/or passwords) and workstations that can be used to gain access to PHI hosted in their Subscription Service. Customer agrees to promptly notify Smartsheet of any unauthorized access or use of which Customer becomes aware. If Customer wishes to utilize single sign-on, Smartsheet shall, in its provision of the Subscription Service to Customer, support SAML 2.0 SSO, and continue to support successor versions of SAML SSO. Please see “Configuring SAML 2 for Single Sign‐On to Smartsheet” for further details and instruction on how to utilize the single-sign-on feature. Please see “Viewing Login History” and “Managing Authentication Options” for further details and instructions on how to monitor login and access to the Subscription Service.

Managing Customer Users. Customer’s assigned SysAdmin(s) will have the ability, and the responsibility, to limit Customer User access to sheets, reports, and sights containing PHI. Please see “Security Controls” for further details and instructions on how to utilize the SysAdmin(s) control features. To manage Customer User access to different sheets in the Subscription Service, SysAdmin(s) will be responsible for creating separate workspaces, which serve to organize sheets, reports, templates and sub-folders. Please see “Managing Users in a Team, Business, or Enterprise Plan” and “Workspaces Overview” for further details and instruction on how to utilize the workspace environment. Customer can ensure that Customer Users only use accounts under an Enterprise plan by setting up auto-provisioning, which will control the creation of accounts under Customer’s domain. Please see “User Auto-Provisioning” for further details and instruction on how SysAdmin(s) can ensure accounts are created under the correct Enterprise plan.

Transferring Customer Users and Content. Customer Users may be invited to join other plans, or request to transfer to other plans. If a Customer User transfers from Customer’s plan to another plan, any sheets “owned” by that Customer User will also be transferred. Customer’s SysAdmin(s) has the ability to request, accept, or deny the transfer of Customer Users to or from Customer’s plan. Customer is solely responsible for managing all transfers of Customer Content enabled by the Subscription Service, including any transfer of Customer Content between plans. Accordingly, SysAdmin(s) may need to restrict the transfer of Customer Users (and/or their Customer Content) between plans to ensure that PHI is not transferred to a plan without the appropriate HIPAA controls in place. Please see “Removing Users” for further details and instruction on removing access and transfer of sheets.

Managing Sharing Controls. Through customizing workspaces, SysAdmin(s) will have the ability to determine which sheets, reports, and sights can be shared and published and which items cannot (e.g., those sheets containing PHI). Please see “Publishing Smartsheet Items,” “Sharing Sheets,” “Sharing Permission Levels,” and the Publish Options section in “Global Account Settings” for further details and instruction on how to utilize the sheet sharing functionality. SysAdmin(s) will also have the ability to control which domains Customer Users will be able to share sheets, reports, and sights to. SysAdmin(s) will need to set up an approved domain sharing list to limit Customer Users’ sharing abilities. Please see “Security Controls” for further details and instructions on how to utilize domain sharing options.

Monitoring Activity. In addition to the login monitoring described above, licensed SysAdmin(s) and Customer Users will have the ability to monitor sheets through the activity log and cell history. Customer Users have the ability to add a last modified date column to sheets for the purposes of monitoring the age of PHI in sheets. For the avoidance of doubt, it is Customer’s, not Smartsheet’s, responsibility to comply with HIPAA data retention requirements. Please see “Track History Changes Made to a Sheet with Activity Log,” “Viewing Login History,” and “Viewing Cell History” for further details and instructions on how to utilize the monitoring activity features available in Smartsheet. Please see “Column Types” for further details and instruction on how to utilize the modified date column. Alternatively, Customer can, through the use of the single-sign-on feature, create a landing page within their own domain (<CNAME_URL?>) where they can include a message to Users regarding Customer’s guidelines for using the Subscription Service, procedures for requesting an account, and any additional information relating to their HIPAA compliance.

LIMITATIONS ON USE.

Allowing Patients to Access Smartsheet. Customers should not use the Subscription Service in a manner where patients create user accounts or are collaborators to Customer sheets. If a Customer would like to obtain data from a patient it should be done through the use of a Form. Please see “Make Forms to Collect Information in Your Sheet” for further details and instructions on how to utilize Forms to collect information.

Transmitting Content. If a SysAdmin allows Customer Users to share PHI within the Subscription Service, Customer Users should only use the share function, which merely sends links to sheets. Customer Users should not use the send attachment feature, which exports sheet data into a PDF or Excel file for transfer. Smartsheet encrypts the communications between Users, but the attachments themselves are NOT similarly protected. Customer Users who wish to email PHI may export the data into a separate document and email the document through their normal company transmission protocols.

Use of Add-Ons. Customers are responsible for ensuring that appropriate HIPAA-compliant measures are in place with respect to any Add-Ons (including Connectors and Partner Apps) before sharing or transmitting PHI. Customers are solely responsible for determining if they require a BAA or any other data protections with a third party before sharing PHI using the Subscription Service or any applications that integrate with the Subscription Service. In addition, Smartsheet recommends that Customers DO NOT use Labs Apps when working with PHI. Labs Apps are pre-release features, and any use of Labs Apps with or without PHI is at Customer’s sole risk and responsibility.

SECURITY PRACTICES AND REPORTS.

Security Practices. Smartsheet implements hardening and configuration requirements consistent in approach with SANS Institute, National Institute of Standards and Technology (NIST), and/or Center for Internet Security (CIS) recommendations, or successor standards widely used in the industry.

Pen Testing. Excluding Premium Apps, Smartsheet uses external security experts to conduct penetration testing of the Subscription Service. Such testing (a) will be performed at least annually; (b) will be performed by independent third party security professionals at Smartsheet’s selection and expense; and (c) will result in the generation of a penetration test report (“Pen Test Report”).

System Auditing. Smartsheet uses external auditors to verify the adequacy of its security measures surrounding the Subscription Service (excluding Premium Apps) on an annual basis. This audit: (a) will include testing of the entire measurement period since the previous measurement period ended; (b) will be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) will be performed by independent third party security professionals at Smartsheet's selection and expense; and (d) will result in the generation of an audit report (“Audit Report”).

Access to Reports. Pen Test Reports and Audit Reports will be made available to Customer upon written request and no more than annually, subject to a mutually agreed non-disclosure agreement covering the Reports. For the avoidance of doubt, any such reports made available to Customer will be Smartsheet’s Confidential Information.

ONGOING SUPPORT.

Smartsheet employees are trained to work with HIPAA-compliant customers. Customers are reminded to minimize sharing of PHI with Smartsheet, but if it cannot be avoided, Customers should utilize the functionality described above to terminate the sharing when it is no longer needed.

ADDITIONAL RESOURCES.

These additional resources, although not HIPAA-specific, may help you understand how the Subscription Service is designed with privacy, confidentiality, and availability of data in mind.

  • Smartsheet Privacy Policy
  • Smartsheet Help Articles

This Smartsheet HIPAA Implementation Guide is for informational purposes only. Smartsheet does not intend the information or recommendations in this guide to constitute legal advice. Each Customer should independently evaluate its own use of the Subscription Service as appropriate to support its legal compliance obligations. SMARTSHEET MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

QUESTIONS:

Any additional questions should be directed to privacy@smartsheet.com.

Last Updated: December 28, 2017

©2023. All Rights Reserved Smartsheet Inc.