Is Smartsheet HIPAA Compliant?

Smartsheet is HIPAA compliant provided that organizations subscribe to an Enterprise Plan, enter into a Business Associate Agreement with Smartsheet, and configure the security settings so the platform can be used in compliance with the HIPAA Security Rule. This final requirement is the one organizations may find most challenging due to a reported lack of customer support.
Smartsheet is "spreadsheet-style" collaboration and project management software that, because of its similarities to Excel, is sometimes used in healthcare organizations to automate administrative tasks and workflows. But, if the software is used to collect, use, maintain, or transmit Protected Health Information (PHI), is Smartsheet HIPAA compliant?
This question is answered on the company's Smartsheet and HIPAA webpage, which provides a brief explanation of the HIPAA requirements, describes how Smartsheet audits its security mechanisms to support HIPAA compliance, and explains how PHI uploaded to the software is protected from unauthorized access in transit and at rest.
The webpage also explains the customers' responsibilities to use Smartsheet compliantly and that, to use Smartsheet compliantly, it is necessary to subscribe to an Enterprise plan, enter into a Business Associate Agreement, and configure the security settings in the Enterprise plan to create safe sharing lists, approved email addresses, auto-provisioning rules, etc.
For administrators in large organizations with years of experience configuring software to be HIPAA compliant and training members of the workforce how to use the software compliantly, adjusting the security settings so the software is used in compliance with HIPAA is not going to be an issue. However, for most other users, using Smartsheet may prove challenging.
Issues with Smartsheet and HIPAA Compliance
Software review sites often provide mixed messages. When the software meets users' expectations, you get 4 or 5 star reviews. When users feel the software doesn't do what it says on the tin, you get 1 or 2 star reviews. Consequently, it can be helpful to be guided by the Gartner peer review site because of the better balance of reviews published by verified customers.
With regards to Gartner's peer reviews for Smartsheet, whether Smartsheet is HIPAA compliant does not appear to be an issue. What does appear to be an issue is the volume of work required to customize Smartsheet to provide more than basic functionality – an issue that is exacerbated by an apparent lack of support for business and enterprise customers.
The complexity of the software, its lack of intuitiveness, and the navigation difficulties reported by some reviewers imply that, although Smartsheet may tick the boxes of HIPAA compliance, you are left to fend for yourself once you have subscribed to an Enterprise Plan and entered into a Business Associate Agreement – and this can create problems for many organizations.
As with any software, if it is too complicated to understand, lacks intuitiveness, or is difficult to navigate, mistakes could occur in the configuration of the software. Alternatively, users could find workarounds to bypass the security controls in order "to get the job done". In these circumstances it is feasible that PHI could be disclosed impermissibly due to the issues with Smartsheet.
Is Smartsheet HIPAA Compliant? Conclusion
In the context of whether Smartsheet is HIPAA compliant, no software is HIPAA compliant in itself, because it is how the software is configured and used – rather than the software's capabilities – that determines compliance. Therefore, it is fair to say Smartsheet facilitates HIPAA compliance – provided you subscribe to an Enterprise Plan, enter into a Business Associate Agreement, and configure the security controls correctly.
Smartsheet does offer the option of a free trial to evaluate the software in your own environment, but the free trial only gives you access to the Business Plan – not to the Enterprise Plan with the HIPAA compliant capabilities. Therefore, in order to identify whether Smartsheet would be a HIPAA compliant project management solution for your organization, you would need to contact the company and request a free trial of the Enterprise Plan.