Smartsheet and HIPAA
This help article is intended to help security officers, compliance officers, IT administrators, and other employees of Smartsheet customers (“you”, “your”, etc.) that are eligible to use Smartsheet’s Subscription Services to store or process Protected Health Information (or “PHI”) in a manner that allows them to meet their obligations under the Health Insurance Portability and Accountability Act (“HIPAA”), as amended, including the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
This article does not, and is not intended to, constitute legal advice; instead, all information provided in this article is for you to review as part of your own HIPAA compliance efforts. Any capitalized terms used herein but not defined shall have the definitions assigned under HIPAA or the agreement governing your use of Smartsheet’s subscription-based online services (“Subscription Agreement”).
HIPAA
HIPAA is a federal law that establishes national standards for how health plans, health care clearinghouses, and health care providers (“Covered Entities”) access, use, or disclose patient information called “Protected Health Information” or “PHI”. The national standards established under HIPAA may also extend to subcontractors that provide services to Covered Entities (“Business Associates”), or to their subcontractors (“Business Associate Subcontractors”), that access PHI on their behalf. HIPAA is enforced by the US Department of Health and Human Services.
Service Description
Smartsheet offers its customers subscription-based online services and applications (together, the “Subscription Services”) that are provided to eligible customers with additional security measures designed to allow customers to comply with their obligations under HIPAA. Smartsheet implements hardening and configuration requirements consistent in approach with SANS Institute, National Institute of Standards and Technology (NIST), and/or Center for Internet Security (CIS) recommendations, or successor standards widely used in the industry, designed to allow you to comply with your obligations under HIPAA.

Any data, file attachments, text, images, reports, personal information, or other content that you or your Users upload or submit to the online Services and that is processed by Smartsheet for or on your behalf is maintained in encrypted form, both in transit and at rest. The data you submit to the online Services is protected from unauthorized access by security controls offering protection equivalent to logical segregation.

Smartsheet has entered, or will enter, into business associate agreements with its subcontractors that process customer data, which enables you to store file attachments containing PHI in the Subscription Services in a manner that allows you to meet your HIPAA obligations. If you elect to integrate with or store attachments through a third party, you are solely responsible for ensuring that the proper controls and agreements are in place.

Smartsheet is data agnostic: its treatment of the data you submit to the Services does not depend on the type or substance of that data. Smartsheet will only access or analyze the substance of your data (a) as requested by you to enable the provision of services or support; and (b) as necessary for Smartsheet to (i) comply with applicable law or legal proceedings, or (ii) investigate, prevent, or take action against suspected abuse, fraud, or violation of the Subscription Agreement.
Third Party Assessment Organization (3PAO)
Smartsheet uses third-party assessors (3PAOs) to verify the adequacy of its security measures surrounding the Subscription Services on an annual basis. This audit: (a) will include testing of the entire measurement period since the previous measurement period ended; (b) will be performed according to AICPA SOC 2 standards or such other alternative standards that are substantially equivalent to AICPA SOC 2; (c) will be performed by independent third-party security professionals at Smartsheet's selection and expense; and (d) will result in the generation of an audit report (“Audit Report”) covering the Subscription Services, which Smartsheet will make available as described below.
An Audit Report will be made available to you upon your written request and no more than once annually, subject to mutually agreed upon non-disclosure terms covering the Audit Report. For the avoidance of doubt, any such Audit Report made available to you will be Smartsheet’s confidential information.
Customer Responsibility
In order to store PHI in the online Services, you must be on an Enterprise (excluding Legacy Enterprise) plan and have entered into Smartsheet’s Business Associate Agreement (“BAA”). Only Enterprise users have the ability to implement the features and functionality necessary to use Smartsheet in a manner that allows you to meet your obligations under HIPAA. If you determine that you require more detailed user auditing capabilities, it is recommended that you take advantage of Event Reporting or have access to Smartsheet Advance.
Shared Responsibility Model
Smartsheet employs a Software-as-a-Service (“SaaS”) shared-responsibility model between you and Smartsheet. Smartsheet is responsible for providing measures on our platform that allow you to meet your regulatory compliance requirements. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities as outlined in Figure 1 below. For specific control instructions and recommendations, please see the Customer Responsibility to Configure Security Settings section below.
You are responsible for determining whether a business associate agreement with Smartsheet is required and for ensuring that you and your Users use the Subscription Services in compliance with your obligations under HIPAA. This includes understanding and implementing the Smartsheet-provided customizable security controls you deem necessary to meet your HIPAA compliance obligations.
Customer Responsibility to Configure Security Settings
Smartsheet provides customizable settings designed to ensure that your data is secure. These settings are designed to ensure that any PHI you submit to the Subscription Services is used and/or accessed in accordance with your instructions and/or as permitted by the BAA between you and Smartsheet. The obligation to ensure that your use of the online Services allows you to meet your HIPAA obligations is solely your responsibility. Please see Configure Security Controls for an Enterprise Plan and other related Help Articles for further details and instructions.
Additional Resources
The additional resources linked below, although not HIPAA-specific, may help you understand how the Subscription Service is designed with privacy, confidentiality, and availability of data in mind. You may also visit our Smartsheet for Healthcare page and contact our healthcare team to learn more.
This Help Article is for informational purposes only. Each Customer should independently evaluate its own use of the Subscription Services as appropriate to support its legal compliance obligations. SMARTSHEET MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.