Smartsheet can support HIPAA compliance, but it does not make you compliant out of the box. You need to sign a Business Associate Agreement (BAA) with Smartsheet, use only the features designated as “PHI Eligible Services,” and configure a set of security controls yourself. Without all three pieces in place, storing or processing protected health information (PHI) on the platform would violate HIPAA rules.
What Smartsheet Offers for HIPAA
Smartsheet lists HIPAA among the compliance frameworks it supports, alongside FedRAMP and DOD IL4. The platform provides configurable access controls and security settings designed to restrict who can view, edit, or share data that qualifies as PHI. It also offers a BAA, the contract HIPAA requires between a covered entity (like a hospital or health plan) and any vendor that handles PHI on its behalf.
The key distinction is that Smartsheet provides the tools for compliance but places the responsibility for using them correctly squarely on you. Their documentation states plainly: “You are responsible for ensuring that you and your users use the Subscription Services in compliance with your obligations under applicable laws (including HIPAA), your BAA with Smartsheet.” This is not unusual for SaaS platforms, but it means signing the BAA alone does not check the compliance box.
Getting a BAA in Place
Before any PHI touches the platform, you need an executed BAA with Smartsheet. This agreement defines what Smartsheet can and cannot do with your data, what safeguards it will maintain, and how it will notify you in the event of a breach. Without it, Smartsheet is just another cloud tool with no legal obligation to protect health information under HIPAA.
To start the process, you’ll typically need to contact Smartsheet’s sales or compliance team directly, since a BAA is not something you can click to accept on a self-service plan. Be prepared to discuss which features you plan to use, how many users will handle PHI, and what your internal compliance policies look like. The BAA will reference specific “PHI Eligible Services,” meaning only certain parts of the Smartsheet platform are covered.
PHI Eligible Services and What They Exclude
Not every Smartsheet feature falls under the HIPAA umbrella. The BAA covers a defined set of services that Smartsheet designates as PHI Eligible. If you use a feature or tool outside that scope to store or process health data, you’re operating without the contractual protections of the BAA.
Third-party integrations are the biggest area of risk. Smartsheet connects to dozens of outside apps for file storage, communication, and automation. If you integrate with a third-party service or store attachments through one, Smartsheet’s documentation makes clear that “you are solely responsible for ensuring that all proper controls and agreements are in place.” In practical terms, this means you need a separate BAA with each third-party tool that might touch PHI, and you need to verify that the integration itself doesn’t expose data outside the compliant environment.
Security Controls You Need to Configure
Smartsheet provides configurable security settings, but they are not turned on or optimized for HIPAA by default. You need to review and set them up based on your organization’s risk profile. The most important areas to address include:
- Access controls: Restrict who can view, edit, and share sheets that contain PHI. Use the principle of least privilege, giving each user only the access level their role requires.
- Safe sharing policies: Smartsheet offers a “safe sharing” feature that lets administrators limit which email domains can receive shared sheets. This prevents a user from accidentally (or intentionally) sharing PHI with an unauthorized outside email address.
- User permissions and roles: Assign admin, editor, and viewer roles deliberately. Audit these regularly to ensure former employees or contractors no longer have access.
- Attachment handling: Decide where attachments are stored and whether any third-party storage services are involved. If they are, make sure those services are also HIPAA compliant and covered by their own BAAs.
Smartsheet points users to its help documentation for detailed configuration instructions. It’s worth walking through these guides line by line before going live with any PHI, since a single misconfigured sharing setting could expose patient data.
What Compliance Actually Looks Like Day to Day
Signing a BAA and configuring settings is the starting point, not the finish line. HIPAA compliance on any platform requires ongoing work. You need to train every user who will interact with PHI on what they can and cannot do inside Smartsheet. You need written policies that cover how sheets are created, shared, and archived. And you need to audit access logs periodically to confirm that only authorized people are viewing sensitive data.
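The sharing-domain restriction, least-privilege roles and periodic access audit described above can be checked mechanically once you have an export of who each PHI sheet is shared with. The following is an added example, not Smartsheet's own code or API: it reads a constructed CSV-style share export (the `sheet`, `email` and `access_level` columns are assumed, as are the allowed domains, staff roster and role names) and flags shares to non-approved domains, accounts missing from the active roster (off-boarded staff or contractors), and sheets with more privileged roles than policy allows.

```python
"""Audit sheet-sharing records against a domain allow-list, a user roster and a
privileged-role limit.

Added example, not Smartsheet's own code or API. The export format below is a
constructed sample; the column names, domains, roster and role names are assumptions.
"""
import csv
import io
from collections import namedtuple

# Constructed sample export: sheet name, email the sheet is shared with, access level.
SAMPLE_EXPORT = """\
sheet,email,access_level
Patient Intake Q3,alice@clinic.example,ADMIN
Patient Intake Q3,bob@clinic.example,EDITOR
Patient Intake Q3,carol@gmail.example,VIEWER
Billing Review,dave@clinic.example,OWNER
Billing Review,erin@partner.example,EDITOR
Billing Review,frank@clinic.example,ADMIN
"""

# Assumed organisational inputs: domains allowed to receive shares (your own domain
# plus partners covered by their own BAA), the active staff roster (off-boarded
# accounts are absent), and which roles count as privileged.
ALLOWED_DOMAINS = {"clinic.example", "partner.example"}
ACTIVE_USERS = {
    "alice@clinic.example",
    "bob@clinic.example",
    "dave@clinic.example",
    "erin@partner.example",
}
PRIVILEGED_ROLES = {"OWNER", "ADMIN"}
MAX_PRIVILEGED_PER_SHEET = 1

Finding = namedtuple("Finding", "sheet email rule detail")


def parse_export(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_shares(rows, allowed_domains, active_users, privileged_roles, max_privileged):
    """Return a list of Findings for every share that breaks one of three rules:
    external_domain   - recipient domain is not on the allow-list
    not_on_roster     - recipient is not a current, known user
    too_many_privileged - a sheet has more OWNER/ADMIN grants than policy allows
    """
    findings = []
    privileged_count = {}
    for row in rows:
        sheet = row["sheet"]
        email = row["email"].strip().lower()
        level = row["access_level"].strip().upper()
        domain = email.rsplit("@", 1)[-1]
        if domain not in allowed_domains:
            findings.append(Finding(sheet, email, "external_domain", domain))
        if email not in active_users:
            findings.append(Finding(sheet, email, "not_on_roster", level))
        if level in privileged_roles:
            privileged_count[sheet] = privileged_count.get(sheet, 0) + 1
    for sheet, count in privileged_count.items():
        if count > max_privileged:
            findings.append(Finding(sheet, "", "too_many_privileged", str(count)))
    return findings


def format_report(findings):
    """Render findings as one line each, suitable for a ticket or audit log."""
    return "\n".join(
        f"[{f.rule}] sheet={f.sheet!r} email={f.email or '-'} detail={f.detail}"
        for f in findings
    )


if __name__ == "__main__":
    report = audit_shares(
        parse_export(SAMPLE_EXPORT),
        ALLOWED_DOMAINS,
        ACTIVE_USERS,
        PRIVILEGED_ROLES,
        MAX_PRIVILEGED_PER_SHEET,
    )
    print(format_report(report))
```

Run against the sample, the script flags the share to `carol@gmail.example` twice (external domain and not on the roster), `frank@clinic.example` as off-roster despite holding ADMIN, and `Billing Review` for carrying two privileged grants. Pointing the same checks at a real export, with your own domain list and roster, turns the "audit access regularly" item into a repeatable job rather than a manual review.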
If your organization already has a HIPAA compliance program, adding Smartsheet is a matter of extending your existing policies to cover a new tool. If you’re building a compliance program from scratch, the platform is only one piece of a much larger puzzle that includes employee training, risk assessments, breach notification procedures, and physical safeguards for any devices that access the platform.
Smartsheet can work in a HIPAA-regulated environment, but the platform is a container, not a compliance engine. The BAA gives you the legal framework, the configurable controls give you the technical capability, and everything else depends on how carefully your team uses both.