HIPAA Business Associate Agreement

The information below is for review only. To enter into a BAA with Smartsheet, please contact your Smartsheet account manager or submit this form to contact our Sales team.

Smartsheet’s Business Associate Agreement (“BAA”) (below) has been specifically tailored to depict our Subscription Service’s unique operational and technical controls and our business model as a multi-tenant, data agnostic SaaS provider. In particular, for users of Smartsheet’s Enterprise Plan, Smartsheet has built additional security controls and features into the Subscription Services to account for each party’s obligations under HIPAA and other privacy laws.

If you determine that a BAA is necessary for your use of the Smartsheet, you may engage your account manager for assistance or submit the above linked form to initiate this process. Please note that Smartsheet does not accept customer paper BAAs. Rather, Smartsheet requires the use of its BAA because, like other cloud-service providers, Smartsheet has adopted a shared responsibility model as a means for addressing HIPAA’s strict compliance obligations. This relationship dynamic is taken into account within Smartsheet’s BAA as a means for enabling parties to meet their respective HIPAA obligations when PHI is used within the Subscription Services. For more information on the shared responsibility model and Smartsheet's privacy and security practices generally, please be sure to review our HIPAA Help Article and visit our Trust Center.

This HIPAA Business Associate Agreement (“BAA”) is incorporated into and forms a part of the agreement between Smartsheet Inc. (“Smartsheet”) and the undersigned customer (“Customer”) that governs Customer’s access to and use of the Subscription Services (“Agreement”). This BAA is effective as of the date of the last signature below (the “BAA Effective Date”).

1. Applicability. Subject to the terms of the Agreement, this BAA sets forth each Party’s respective obligations under HIPAA regarding the Subscription Services. Customer assumes all responsibility for ensuring that its use of the Subscription Services is in accordance with its obligations under HIPAA, the Agreement, and this BAA. The Subscription Services’ features and functionality necessary for Customer to meet its HIPAA obligations are only available under Enterprise plans of the Subscription Services (but excluding Legacy Enterprise). Therefore, Customer must only upload or submit Customer PHI under an Enterprise Plan. If Customer downgrades from an Enterprise plan, Customer will remove any PHI previously uploaded or submitted to the Subscription Services prior to the downgrade. Further details can be found in Smartsheet’s HIPAA Help Article.

2. Definitions. Capitalized terms not defined herein have the meaning given in the Agreement. The following terms shall have the meanings as defined in HIPAA: “Breach,” “Business Associate,” “Covered Entity,” “Designated Record Set,” “Individual,” “Protected Health Information (PHI),” “Required By Law,” “Security Incident,” “Subcontractor,” “Unsecured PHI,” and “Workforce.”

“Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the online Services by Customer or Users and is processed by Smartsheet on behalf of Customer.

“Customer PHI” means PHI contained within Customer Content.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, including the HITECH Act.

“HIPAA Help Article” means the informational article published by Smartsheet at help.smartsheet.com/articles/2476526 which provides information relevant to the functionality available to Customer for Customer to configure and use the Subscription Services consistent with Customer’s obligations under HIPAA.

“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of Division A and Title IV of Division B of the American Recovery & Reinvestment Act of 2009, and the regulations thereunder.

“Parties” or “Party” means Customer and/or Smartsheet as applicable.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services.

“Security Rule” means 45 CFR Part 160 and Subparts A and C of Part 164.

“Subscription Services” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet. For the purposes of this BAA, Free Services and services and applications provided by third-parties, including Partner Apps, are not part of the Subscription Services and Customer is responsible for determining and implementing appropriate measures for the use of services and applications consistent with Customer’s obligations under HIPAA.

“User” means any individual permitted or invited by Customer or another User to access and use the Subscription Services available to Customer under an Order and the terms of this Agreement.

3. Roles of the Parties.

3.1 The Parties agree that, with respect to this BAA:

3.1.1 Smartsheet is the Business Associate when Customer qualifies as a Covered Entity and engages Smartsheet to perform certain functions or activities on behalf of Customer that involve Smartsheet receiving, maintaining, or transmitting Customer PHI via the Subscription Services; and
3.1.2 Customer is the Business Associate and Smartsheet is the Subcontractor when Customer is engaged to perform certain functions or activities on behalf of a third-party qualifying as a Covered Entity or Business Associate (each, a “HIPAA Third Party”) that involve Smartsheet receiving, maintaining, or transmitting the HIPAA Third Party’s PHI via the Subscription Services as Customer PHI.

4. Smartsheet.

4.1   Smartsheet will not use or disclose Customer PHI other than as permitted or required by this BAA or as Required by Law.

4.2   Smartsheet will use appropriate safeguards to comply with the Security Rule and to prevent use or disclosure of Customer PHI other than as provided for by this BAA.

4.3   Smartsheet will provide written notice to Customer of a Breach or Security Incident (collectively referred to as a “Reportable Incident”) of which it becomes aware without undue delay. Notification will be sent to Customer pursuant to the notification requirements in the Agreement.

4.3.1 Smartsheet will investigate and, as necessary, mitigate or remediate a Reportable Incident in accordance with Smartsheet’s Reportable Incident policies and procedures (“Breach Management”).
4.3.2 Smartsheet will provide Customer with information available to Smartsheet through its Breach Management, including the nature of the incident, specific information disclosed (if known), and any mitigation efforts or remediation measures (“Breach Information”), to allow Customer to comply with its obligations under HIPAA as a result of a Reportable Incident.

4.4 Smartsheet will ensure that its Subcontractors and Workforce engaged to perform Smartsheet’s obligations under this BAA that involve Customer PHI are bound by statutory obligation or a written agreement that includes appropriate provisions for receiving, maintaining, transmitting, or otherwise processing Customer PHI and is substantially as protective of Customer PHI as this BAA. Smartsheet is responsible for the acts and omissions of its Subcontractors and Workforce in relation to Smartsheet’s obligations under this BAA.

4.5 Smartsheet will make Customer PHI in a Designated Record Set available to Customer via the Subscription Services in order for Customer to comply with its obligations to Individuals, including access, amendment, and accounting of disclosures of Customer PHI. Smartsheet will notify Customer in writing without undue delay of any confirmed requests Smartsheet receives directly from an Individual relating to Customer PHI. Customer will be solely responsible for identifying the relevant Designated Record Set and PHI and for complying with any request made by Individuals.

4.6 To the extent Required by Law, and subject to applicable attorney-client privileges and contractual obligations, Smartsheet will make its internal practices, books, and records concerning the use and disclosure of Customer PHI received from Customer or created or received by Smartsheet on behalf of Customer, available to the Secretary for the purpose of the Secretary determining compliance with the HIPAA Rules.

5. Customer.

5.1 Customer represents and warrants, on behalf itself and its Users, that it has all rights, permissions, and consents necessary to: (a) submit all Customer PHI to the Subscription Services; and (b) grant Smartsheet the limited rights to process Customer PHI as set forth herein.

5.2 Customer represents and warrants that Customer and its Users will comply with federal and state laws applicable to use or disclosure of Customer PHI, including HIPAA, in connection with the Subscription Services.

5.3 Customer will not use the Subscription Services to transmit PHI to or from a third-party except where Customer has entered into a separate HIPAA business associate agreement with such third-party. Smartsheet has no obligation to protect PHI under this BAA to the extent such PHI is created, received, maintained, or transmitted outside of the Subscription Services.

5.4 In connection with Customer’s use, management, and administration of the Subscription Services and its Users, Customer (and not Smartsheet) is responsible for: (a) periodically reviewing the HIPAA Help Article, which may be updated from time to time to account for changes in applicable law, reflect process improvements, or updated practices; (b) independently assessing, implementing, and enforcing available security configuration settings it deems necessary within the Subscription Services to support its compliance with HIPAA; and (c) managing which Users are authorized to create, receive, maintain, or transmit (including through sharing or distribution) Customer PHI.

5.5 Customer will notify Smartsheet of any restrictions on the use or disclosure of Customer PHI that Customer has agreed to, including, if applicable, restrictions for which Customer must agree to, that may affect Smartsheet’s performance of its obligations under this BAA.

6. Permitted Uses and Disclosures.

6.1 Smartsheet may use and disclose Customer PHI: (a) as Required By Law; (b) as requested by Customer in writing or as allowed by Customer via the Subscription Services’ access controls; or (c) as specified in the Agreement or to prevent or address technical problems with the Services or violations of this BAA or the Agreement.

6.2 Customer agrees to limit the amount of Customer PHI it uploads or submits to the Subscription Services consistent with such requirements under 45 CFR § 164.502(b). Smartsheet agrees to limit its use or disclosure of Customer PHI to the minimum amount allowed under this BAA.

6.3 Notwithstanding the foregoing permitted uses and disclosures, Smartsheet will not use or disclose Customer PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer, and Customer will not request any such violative use or disclosure by Smartsheet.

7. Term and Termination.

7.1 This BAA will terminate upon the earlier of: (a) a permitted termination as set forth herein; (b) the expiration or termination of the Agreement; or (c) the execution of a new Business Associate Agreement that supersedes this BAA.

7.2 Upon expiration or termination of the period of authorized access and use of the Subscription Services, Smartsheet will return, allow read-only access to, or render unrecoverable Customer PHI, if any, according to the terms and conditions of the Agreement; provided that Smartsheet may retain Customer PHI contained in an archived computer system backup made in accordance with Smartsheet’s legal and financial compliance obligations or security and disaster recovery policies and procedures. Any such retained Customer PHI will remain subject to the terms of this BAA and the applicable Agreement.

7.3 A material breach of this BAA by either Party constitutes a material breach of the Agreement. In the event that Customer’s notice under Section 5.5 limits Smartsheet’s ability to process Customer PHI as set forth herein or Customer agrees to or must abide by restrictions or any other limitations on such ability, Smartsheet shall be permitted to terminate the Agreement without penalty by giving Customer five (5) business days’ written notice. Additionally, Smartsheet may suspend or terminate Customer’s use of the Subscription Services if it is made known to Smartsheet that Customer is not adequately protecting Customer PHI in accordance with Customer’s obligations under Section 5, which may include not making use of available features discussed in the HIPAA Help Article.

8. General.

8.1 Amendment; Waiver. Unless otherwise expressly stated herein, this BAA may be modified only by a written agreement executed by an authorized representative of each Party. The waiver of any breach of this BAA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.

8.2. Severance. If any provision of this BAA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this BAA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this BAA, the entire BAA will be considered null and void.

8.3. Order of Precedence. Regarding the subject matter of this BAA, in the event of any conflict between this BAA and any other written agreement between the Parties (including the Agreement), this BAA will govern and control. Any business associate agreements that may already exist between Parties are superseded and replaced by this BAA in their entirety.

8.4 Notices. Unless otherwise provided for in this BAA, the Parties will provide notices under this BAA in accordance with the Agreement, provided that all such notices may be sent via email.

8.5 Governing Law and Jurisdiction. Except to the extent preempted by HIPAA, this BAA is governed by the laws stipulated in the Agreement and the Parties to this BAA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this BAA.

8.6. Enforcement. Unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this BAA against Smartsheet; and (b) Smartsheet’s obligations under this BAA, including any applicable notifications, will be only to Customer.

8.7. Liability. As between the Parties to this BAA, each Party’s liability and remedies under this BAA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

8.8. Variations to HIPAA. If any variation is required to this BAA as a result of a change in HIPAA, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this BAA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Subscription Services and Smartsheet’s business operations.

8.9 Reservation of Rights. Notwithstanding anything to the contrary in this BAA: (a) Smartsheet reserves the right to withhold information the disclosure of which would pose a security risk to Smartsheet or its customers or is prohibited by applicable law or contractual obligation; and (b) Smartsheet’s notifications, responses, or provision of information or cooperation under this BAA are not an acknowledgement by Smartsheet of any fault or liability.

Last Updated: November 18, 2021