HIPAA Business Associate Agreement


The information below is for review only.  To enter into a BAA with Smartsheet, please contact your Smartsheet account manager or submit this form to contact our Sales team.

Smartsheet’s Business Associate Agreement (“BAA”) (below) has been specifically tailored to depict our Subscription Service’s unique operational and technical controls and our business model as a multi-tenant, data agnostic SaaS provider. In particular, for users of Smartsheet’s Enterprise Plan, Smartsheet has built additional security controls and features into the Subscription Services to account for each party’s obligations under HIPAA.
If you determine that a BAA is necessary for your use of Smartsheet, you may engage your account manager for assistance or submit the above linked form to initiate this process. Please note that Smartsheet does not accept customer paper BAAs. Rather, Smartsheet requires the use of its BAA because, like other cloud-service providers, Smartsheet has adopted a shared responsibility model as a means for addressing HIPAA’s strict compliance obligations. This relationship dynamic is taken into account within Smartsheet’s BAA as a means for enabling parties to meet their respective HIPAA obligations when PHI is used within the Subscription Services. For more information on the shared responsibility model and Smartsheet's privacy and security practices generally, please be sure to review our HIPAA Help Article and visit our Trust Center.
 


 

This HIPAA Business Associate Agreement (“BAA”) is incorporated into and forms a part of the agreement between Smartsheet Inc. (“Smartsheet”) and the undersigned customer (“Customer”) that governs Customer’s access to and use of the Subscription Services (“Agreement”). This BAA is effective as of the date of the last signature below (the “BAA Effective Date”). Capitalized terms not defined herein have the meaning given in the Agreement.  

 

1.   Applicability. 

1.1   Subject to the terms of the Agreement, this BAA sets forth each Party’s respective obligations under HIPAA regarding use of the Subscription Services. Customer, on behalf of itself and any Affiliates authorized to use the Subscription Services, is responsible for ensuring that its use of the Subscription Services is in accordance with its obligations under HIPAA, the Agreement, and this BAA.

1.2   The features and functionalities necessary for Customer to meet its HIPAA obligations in connection with the Subscription Services are available under certain Subscription Service offerings (“PHI Eligible Services,” as listed in Smartsheet’s HIPAA Help Article). Customer may upload or submit Customer PHI to only PHI Eligible Services. Customer will remove any Customer PHI from PHI Eligible Services prior to changing or downgrading its Subscription Service to an ineligible offering. Smartsheet has no obligation to protect PHI under this BAA to the extent PHI is received, maintained, or transmitted outside of PHI Eligible Services.

 

2.   Definitions. 

The following terms have the meanings as defined in HIPAA: “breach,” “business associate,” “covered entity,” “designated record set,” “individual,” “protected health information” (PHI), “required by law,” “security incident,” “Secretary,” “subcontractor,” “unsecured protected health information,” and “workforce.”

“Customer Content” means any data, images, files, or other content that is submitted to the PHI Eligible Services by Users, or is output that is derived or created therefrom and viewable by Users within such services.  

“Customer PHI” means PHI, including electronic PHI (“ePHI”) and unsecured protected health information, processed within PHI Eligible Services as Customer Content.    

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, including the HIPAA Rules and the regulations thereunder, including the HITECH Act.

“HIPAA Help Article” means the informational article published by Smartsheet at help.smartsheet.com/articles/2476526 which provides information relevant to PHI Eligible Services.

“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. 

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of Division A and Title IV of Division B of the American Recovery & Reinvestment Act of 2009, and the regulations thereunder.  

“Parties” or “Party” means Customer and/or Smartsheet as applicable.

“Security Rule” means 45 CFR Part 160 and Subparts A and C of Part 164.

“Subscription Services” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet.

“User” means any individual permitted or invited by Customer or another User to access and use PHI Eligible Services available to Customer under an Order and the terms of the Agreement.  

 

3.     Roles of the Parties. 
 
3.1   Smartsheet is the business associate when Customer qualifies as a covered entity and engages Smartsheet to perform certain functions or activities on behalf of Customer that result in Smartsheet receiving, maintaining, or transmitting Customer PHI via the PHI Eligible Services.

3.2   Customer is the business associate and Smartsheet is the subcontractor when Customer is engaged to perform certain functions or activities on behalf of a third-party qualifying as a covered entity or business associate (each, a “HIPAA Third Party”) that result in Smartsheet receiving, maintaining, or transmitting the HIPAA Third Party’s PHI via the PHI Eligible Services as Customer PHI.

 

4.     Smartsheet Responsibilities.

4.1   Smartsheet will not use or disclose Customer PHI other than as permitted or required by this BAA, the Agreement, or as required by law. Smartsheet will not seek or accept direct or indirect payment or consideration from a third party in exchange for Customer PHI.

4.2   Smartsheet will use reasonable and appropriate safeguards to comply with the applicable portions of the Security Rule and to prevent use or disclosure of Customer PHI other than as allowed by this BAA. 

4.3   Smartsheet will provide written notice to Customer of a confirmed security incident or breach that includes Customer PHI (collectively referred to as a “Security Breach”) without undue delay, and in any event within seventy-two (72) hours following confirmation of the Security Breach. Notification will be sent to Customer pursuant to the notification requirements in the Agreement.

  • 4.3.1   Smartsheet will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).
  • 4.3.2   Following initial notification, Smartsheet will provide Customer with information known and available to Smartsheet as a result of its Breach Management, such as: the nature of the Security Breach, identification of the impacted Customer PHI, and any relevant mitigation and remediation measures (“Breach Information”). Upon written request, Smartsheet will reasonably cooperate with Customer in Customer’s response obligations to a Security Breach, including providing additional information relating to the Security Breach at agreed upon intervals following initial notification.
  • 4.3.3   Subject to the Agreement and its aggregate liability limitations and damages exclusions, Smartsheet will reimburse Customer for its reasonable costs and expenses directly arising out of a Security Breach caused by Smartsheet’s breach of this BAA. Such costs and expenses may include notification of affected individuals and regulatory authorities, one (1) year of credit monitoring services for affected individuals, and the establishment of a temporary call center.

4.4   Smartsheet will ensure that its subcontractors and workforce engaged to perform Smartsheet’s obligations under this BAA that involve Customer PHI are bound by a written agreement that includes appropriate provisions for receiving, maintaining, transmitting, or otherwise processing Customer PHI and is substantially as protective of Customer PHI as this BAA. Smartsheet is responsible for the acts and omissions of its subcontractors and workforce in relation to Smartsheet’s obligations under this BAA.

4.5   Smartsheet will make Customer PHI in a designated record set available to Customer via PHI Eligible Services in order for Customer to comply with its obligations to individuals, including access, amendment, and accounting of disclosures of Customer PHI. Smartsheet will notify Customer in writing without undue delay, and in any event within ten (10) business days, of any received and verified requests that Smartsheet receives directly from an individual relating to Customer PHI. Customer will be solely responsible for identifying the relevant designated record set and PHI and for complying with and fulfilling any request made by individuals, including any accounting of disclosures.

4.6   To the extent required by law, Smartsheet will make its internal practices, books, and records concerning the use and disclosure of Customer PHI received from Customer, or created or received by Smartsheet on behalf of Customer, available to the Secretary as required for the Secretary to determine compliance with the HIPAA Rules.

4.7   To the extent Smartsheet agrees in writing to carry out Customer’s obligations under the HIPAA Rules, Smartsheet will do so in accordance with the applicable provisions of the HIPAA Rules, the Agreement, and this BAA.

4.8   Smartsheet will, and will require that its subcontractors, maintain and annually assess a business continuity and disaster recovery program. 

 
5.     Customer Responsibilities. 

5.1   Customer will not use the PHI Eligible Services to transmit Customer PHI to or from a third-party except where permitted by, and in accordance with, applicable law and this BAA. 

5.2   In connection with Customer’s use, management, and administration of the PHI Eligible Services and its Users, Customer (and not Smartsheet) is responsible for: (a) independently assessing, implementing, and enforcing security configuration settings (including access controls) available within PHI Eligible Services to ensure its compliance with state and federal laws applicable to the access, use, or disclosure of Customer PHI; (b) managing which Users are authorized to create, receive, maintain, transmit, or access Customer PHI; and (c) periodically reviewing the HIPAA Help Article. Notification of material updates to the HIPAA Help Article can be received by filling out the notification form available at www.smartsheet.com/notification-requests.

5.3   Customer will notify Smartsheet in writing of any restrictions on the use or disclosure of Customer PHI that Customer has agreed to, including, if applicable, restrictions to which Customer must agree that may affect Smartsheet’s performance of its obligations under this BAA. Following notification, if Smartsheet determines that such restrictions adversely affect Smartsheet’s performance of its obligations, Smartsheet will notify Customer and Customer shall immediately delete, and cease to create, receive, maintain, or transmit, Customer PHI from and within the PHI Eligible Services that are subject to such restrictions.

 

6.     Permitted Uses and Disclosures. 

6.1   Smartsheet may use and disclose Customer PHI: (a) as required by law; (b) as requested by Customer in writing or as allowed by Customer via PHI Eligible Services’ access controls; (c) to provide, maintain, and support the services described in the Agreement; (d) for the proper management and administration of Smartsheet’s business; or (e) to carry out Smartsheet’s legal responsibilities, including to prevent or address violations of this BAA or the Agreement.  

6.2   Customer agrees to limit the amount of Customer PHI it uploads or submits to PHI Eligible Services consistent with such requirements under 45 CFR § 164.502(b). Smartsheet agrees to limit its use or disclosure of Customer PHI to the minimum amount allowed under this BAA.

6.3   Notwithstanding the foregoing permitted uses and disclosures, Smartsheet will not use or disclose Customer PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer, and Customer will not request any such violative use or disclosure by Smartsheet.

6.4   Smartsheet will not, and will not attempt to, de-identify or re-identify Customer PHI unless expressly authorized by Customer in a signed writing or as initiated by Customer or its Users via PHI Eligible Services.

 

7.     Term and Termination. 

7.1   This BAA will terminate in accordance with the Agreement, and upon the earlier of: (a) a permitted termination as set forth herein; (b) the expiration or termination of the Agreement; (c) the execution of a new business associate agreement that supersedes this BAA; or (d) immediately in the event Customer no longer purchases or utilizes PHI Eligible Services. 

7.2   Upon expiration or termination of the period of authorized access and use of PHI Eligible Services, Smartsheet will return, allow read-only access to, or render unrecoverable Customer PHI, if any, according to the terms and conditions of the Agreement; provided that Smartsheet may retain Customer PHI contained in an archived computer system backup made in accordance with Smartsheet’s legal and financial compliance obligations or security and disaster recovery policies and procedures.  Any such retained Customer PHI will remain subject to the terms of this BAA and the applicable Agreement.

7.3   Either Party may terminate this BAA by written notice to the other Party if the other Party breaches a material obligation of this BAA and does not cure such breach within thirty (30) days after receiving notice of the breach.

7.4   In the event of termination of this BAA, Customer must immediately delete or remove any PHI from PHI Eligible Services, and cease to create, receive, maintain, or transmit PHI via PHI Eligible Services.

 

8.     General. 

8.1   Amendment; Waiver. Unless otherwise expressly stated herein, this BAA may be modified only by a written agreement executed by an authorized representative of each Party.  The waiver of any breach of this BAA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.

8.2   Severance. If any provision of this BAA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this BAA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this BAA, the entire BAA will be considered null and void.

8.3   Order of Precedence. Regarding the subject matter of this BAA, in the event of any conflict between this BAA and any other written agreement between the Parties (including the Agreement), this BAA will govern and control. Any business associate agreements that may already exist between Parties are superseded and replaced by this BAA in their entirety.

8.4   Notices. Unless otherwise provided for in this BAA, the Parties will provide notices under this BAA in accordance with the Agreement, provided that all such notices may be sent via email.

8.5   Governing Law and Jurisdiction. Except to the extent preempted by HIPAA, this BAA is governed by the laws stipulated in the Agreement and the Parties to this BAA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this BAA.

8.6   Enforcement. Unless otherwise required by law: (a) only Customer may enforce any of the terms of this BAA against Smartsheet; and (b) Smartsheet’s obligations under this BAA, including any applicable notifications, will be only to Customer.

8.7   Liability. As between the Parties, each Party’s liability and remedies under this BAA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

8.8   Variations to HIPAA. If any variation is required to this BAA as a result of a change in HIPAA, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this BAA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of PHI Eligible Services and Smartsheet’s business operations.

8.9   Reservation of Rights. Notwithstanding anything to the contrary in this BAA: (a) Smartsheet reserves the right to withhold information the disclosure of which would pose a security risk to Smartsheet or its customers or is prohibited by applicable law or contractual obligation; and (b) Smartsheet’s notifications, responses, or provision of information or cooperation under this BAA are not an acknowledgement by Smartsheet of any fault or liability.

 

 

Last Updated: July 1, 2025


©2025. All Rights Reserved Smartsheet Inc.
