HIPAA Implementation Guide
The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, including the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).
This Smartsheet HIPAA Implementation Guide is intended for security officers, compliance officers, IT administrators, and other employees in organizations who are responsible for HIPAA implementation and compliance. This guide will allow intended users to implement the features and functionality necessary to use Smartsheet in a HIPAA-compliant manner. Such features and functionality are only available to Enterprise (excluding Legacy Enterprise) plan users of the Smartsheet collaborative work management platform; there is no HIPAA-specific Smartsheet product or service. A BAA (defined below) entered with Smartsheet will apply to all Customer plans; all plans (if more than one) will be identified by Smartsheet as being used by Customer in a HIPAA-compliant manner and must be purchased at the Enterprise (excluding Legacy Enterprise) level.
Any capitalized terms used herein but not defined shall have the definitions assigned under HIPAA or the agreement governing use of the Smartsheet collaborative work management platform (“Subscription Agreement”).
SHARED RESPONSIBILITY MODEL.
Smartsheet employs a shared-responsibility model between the Customer and Smartsheet. Smartsheet will provide physical, organizational, and technical controls designed to ensure the security, integrity, and confidentiality of Customer Content.
Customer is responsible for determining if it is a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Smartsheet is required) and for ensuring that it uses Smartsheet’s Subscription Service in compliance with HIPAA. Smartsheet customers who are subject to HIPAA and wish to use the Subscription Service with PHI must sign a Smartsheet Business Associate Agreement (BAA).
Customer is also responsible for its Customer Content; responsibilities may include fulfilling an individual’s right of access, amendment, and accounting in accordance with the requirements under HIPAA. Any requests received by Smartsheet regarding PHI shall be referred to Customer. Smartsheet will provide support as appropriate to Customer to facilitate Customer’s response to the request.
STORING PHI AS CUSTOMER CONTENT.
All Customer Content stored utilizing the Subscription Service is maintained in encrypted form (in transit and at rest). Customer Content is protected from unauthorized access by security controls offering protection equivalent to logical segregation. Smartsheet has a business associate agreement with Amazon Web Services (AWS) enabling Customers to store file attachments in the Subscription Service in a HIPAA-compliant manner. If Customer elects to store attachments through a third party (i.e., Box), Customer is solely responsible for ensuring the proper business associate agreements are in place. Smartsheet does not access Customer Content except: (a) as requested by Customer to enable the provision of customer support; and (b) as necessary for Smartsheet to (i) comply with applicable law or legal proceedings, or (ii) investigate, prevent or take action against suspected abuse, fraud or violation of the Subscription Agreement.
USING SMARTSHEET WITH PHI.
Smartsheet provides customizable settings to ensure that Customer Content is secure, used, and accessed in accordance with Customer’s requirements and as permitted by the BAA between Smartsheet and Customer. Please note that Add-Ons are NOT part of the underlying Subscription Service for purposes of the BAA or this guide and Smartsheet makes NO representations that implementation or use of Add-Ons is compliant with HIPAA. The obligation to ensure HIPAA compliance for Customer’s use of Smartsheet is Customer’s responsibility. Some actionable recommendations to help Customer address specific concerns within the Subscription Service for HIPAA compliance include:
Providing Customer Users Information. Customers may create a landing page that is visible to Customer Users. This landing page can contain information and reminders to Customer Users for the proper use and management of Customer Content to maintain HIPAA-compliance. If you would like assistance in developing a landing page for your employees, your SysAdmin(s) can contact the Smartsheet representative assigned to your account, although Professional Services fees may apply. Please see “Customizing a Welcome Message & Upgrade Screen” for more information.
Managing Access. Customers are responsible for managing login credentials for Customer Users and ensuring that Customer User passwords (determined by Customer Users) meet complexity standards and rotate in a timely manner. Customer must also safeguard Customer User identities and credentials (names, email addresses, and/or passwords) and workstations that can be used to gain access to PHI hosted in their Subscription Service. Customer agrees to promptly notify Smartsheet of any unauthorized access or use of which Customer becomes aware. If Customer wishes to utilize single sign-on, Smartsheet shall, in its provision of the Subscription Service to Customer, support SAML SSO 2.0, and continue to support successor versions of SAML SSO. Please see “Configuring SAML 2 for Single Sign‐On to Smartsheet” for further details and instruction on how to utilize the single-sign-on feature. Please see “Viewing Login History” and “Managing Authentication Options” for further details and instructions on how to monitor login and access to the Subscription Service.
Managing Customer Users. Customer’s assigned SysAdmin(s) will have the ability, and the responsibility, to limit Customer User access to sheets, reports, and sights containing PHI. Please see “Security Controls” for further details and instructions on how to utilize the SysAdmin(s) control features. To manage Customer User access to different sheets in the Subscription Service, SysAdmin(s) will be responsible for creating separate workspaces, which serve to organize sheets, reports, templates and sub-folders. Please see “Managing Users in a Team, Business, or Enterprise Plan” and “Workspaces Overview” for further details and instruction on how to utilize the workspace environment. Customer can ensure that Customer Users only use accounts under an Enterprise plan by setting up auto-provisioning, which will control the creation of accounts under Customer’s domain. Please see “User Auto-Provisioning” for further details and instruction on how SysAdmin(s) can ensure accounts are created under the correct Enterprise plan.
Transferring Customer Users and Content. Customer Users may be invited to join other plans, or request to transfer to other plans. If a Customer User transfers from Customer’s plan to another plan, any sheets “owned” by that Customer User will also be transferred. Customer’s SysAdmin(s) has the ability to request, accept, or deny the transfer of Customer Users to or from Customer’s plan. Customer is solely responsible for managing all transfers of Customer Content enabled by the Subscription Service, including any transfer of Customer Content between plans. Accordingly, SysAdmin(s) may need to restrict the transfer of Customer Users (and/or their Customer Content) between plans to ensure that PHI is not transferred to a plan without the appropriate HIPAA controls in place. Please see “Removing Users” for further details and instruction on removing access and transfer of sheets.
Managing Sharing Controls. Through customizing workspaces, SysAdmin(s) will have the ability to determine which sheets, reports, and sights can be shared and published and which items cannot (i.e., those sheets containing PHI). Please see “Publishing Smartsheet Items,” “Sharing Sheets,” “Sharing Permission Levels,” and the Publish Options section in “Global Account Settings” for further details and instruction on how to utilize the sheet sharing functionality. SysAdmin(s) will also have the ability to control which domains Customer Users will be able to share sheets, reports, and sights to. SysAdmin(s) will need to set up an approved domain sharing list to limit Customer Users’ sharing abilities. Please see “Security Controls” for further details and instructions on how to utilize domain sharing options.
Monitoring Activity. In addition to the login monitoring described above, licensed SysAdmin(s) and Customer Users will have the ability to monitor sheets through the activity log and cell history. Customer Users have the ability to add a last modified date column to sheets for the purposes of monitoring the age of PHI in sheets. For the avoidance of doubt, it is Customer’s, not Smartsheet’s, responsibility to comply with HIPAA data retention requirements. Please see “Track History Changes Made to a Sheet with Activity Log,” “Viewing Login History,” and “Viewing Cell History” for further details and instructions on how to utilize monitoring activity features available in Smartsheet. Please see “Column Types” for further details and instruction on how to utilize the modified date column. Alternatively, Customer can, through the use of the single-sign-on feature, create a landing page within their own domain (<CNAME_URL?>) where they can include a message to Users to regarding Customer’s guidelines for using the Subscription Service, procedures for requesting an account, and any additional information relating to their HIPAA-compliance.
LIMITATIONS ON USE.
Allowing Patients to Access Smartsheet. Customers should not use the Subscription Service in a manner where patients create user accounts or are collaborators to Customer sheets. If a Customer would like to obtain data from a patient it should be done through the use of a Form. Please see “Make Forms to Collect Information in Your Sheet” for further details and instructions on how to utilize Forms to collect information.
Transmitting Content. If a SysAdmin(s) allows Customer Users to share PHI within the Subscription Service, Customer Users should only use the share function, which merely sends links to sheets. Customer Users should not use the send attachment feature, which imports sheet data into a PDF or Excel file for transfer. Smartsheet encrypts the communications between Users, but the attachments themselves are NOT similarly protected. Customer Users who wish to email PHI may export the data into a separate document and email the document through their normal company transmission protocols.
Use of Add-Ons. Customers are responsible for ensuring that appropriate HIPAA-compliant measures are in place with respect to any Add-Ons (including Connectors and Partner Apps) before sharing or transmitting PHI. Customers are solely responsible for determining if they require a BAA or any other data protections with a third party before sharing PHI using the Subscription Service or any applications that integrate with the Subscription Service. In addition, Smartsheet recommends that Customers DO NOT use Labs Apps when working with PHI. Labs Apps are pre-release features and any use of Labs Apps with or without PHI is at Customer’s sole risk and responsibility.
SECURITY PRACTICES AND REPORTS.
Security Practices. Smartsheet implements hardening and configuration requirements consistent in approach with SANS Institute, National Institute of Standards and Technology (NIST), and/or Center for Internet Security (CIS) recommendations, or successor standards widely used in the industry.
Pen Testing. Excluding Premium Apps, Smartsheet uses external security experts to conduct penetration testing of the Subscription Service. Such testing (a) will be performed at least annually; (b) will be performed by independent third party security professionals at Smartsheet’s selection and expense; and (c) will result in the generation of a penetration test report (“Pen Test Report”).
System Auditing. Smartsheet uses external auditors to verify the adequacy of its security measures surrounding the Subscription Service (excluding Premium Apps) on an annual basis. This audit: (a) will include testing of the entire measurement period since the previous measurement period ended; (b) will be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) will be performed by independent third party security professionals at Smartsheet's selection and expense; and (d) will result in the generation of an audit report (“Audit Report”).
Access to Reports. Pen Test Reports and Audit Reports will be made available to Customer upon written request and no more than annually, subject to a mutually-agreed non-disclosure agreement covering the Reports. For the avoidance of doubt, any such reports made available to Customer will be Smartsheet’s Confidential Information.
Smartsheet employees are trained to work with HIPAA-compliant customers. Customers are reminded to minimize sharing of PHI with Smartsheet but if it cannot be avoided, Customers should utilize the functionality described above to terminate the sharing when no longer needed.
These additional resources, although not HIPAA-specific, may help you understand how the Subscription Service is designed with privacy, confidentiality, and availability of data in mind.
This Smartsheet HIPAA Implementation Guide is for informational purposes only. Smartsheet does not intend the information or recommendations in this guide to constitute legal advice. Each Customer should independently evaluate its own use of the Subscription Service as appropriate to support its legal compliance obligations. SMARTSHEET MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Any additional questions should be direct to firstname.lastname@example.org.
Last Updated: December 28, 2017