- 10 Dec 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
Understanding HIPAA at Airtable
- Updated on 10 Dec 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
Enterprise Scale access only | |
Admins - Can request HIPAA safeguards for their organization and view HIPAA settings admin panel settings | |
Platform(s) | Web/Browser, Mac app, and Windows app |
Related reading |
Overview of HIPAA at Airtable
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a regulation issued by the U.S. Department of Health and Human Services ("HHS") and a national standard to protect the security and privacy of protected health information (PHI). HIPAA applies to covered entities and business associates and aims to protect individuals' rights by controlling how their health information is used. Businesses that are subject to HIPAA can use Airtable to support HIPAA-compliant work management.
Key terminology | Definition |
---|---|
Protected Health Information (PHI) | Protected Health Information (PHI) refers to any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity in relation to the provision of healthcare, payment for healthcare services, or healthcare operations. This information includes a wide range of data, such as medical records, health insurance information, and other personal health information, all of which are protected under the HIPAA Privacy Rule. PHI must be safeguarded by covered entities to ensure the privacy and security of individuals' health information. At Airtable, since information is electronically, not physically, shared, this type of information is electronic Protected Health Information, or ePHI. |
Covered entities | Covered entities, as defined by HIPAA, are specific organizations or individuals that are subject to the regulations outlined in the HIPAA Privacy Rule. These entities include healthcare providers, health plans, and healthcare clearinghouses that transmit any health information in electronic form. Covered entities are required to comply with HIPAA regulations to ensure the privacy and security of PHI that they create, receive, maintain, or transmit. This compliance includes implementing safeguards to protect PHI, providing individuals with their privacy rights regarding their health information, and adhering to standards for the use and disclosure of PHI. |
Business associate | A business associate, in the context of HIPAA, refers to any individual or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. |
Business Associate Addendum (BAA) | A BAA is a contract required by HIPAA that formalizes the relationship between a covered entity (such as a healthcare provider or health plan) and a business associate. This agreement outlines the responsibilities and obligations of the business associate regarding the protection and handling of Protected Health Information (PHI). It specifies how PHI will be safeguarded, the permitted uses and disclosures of PHI, and the actions the business associate must take in the event of a data breach. By signing a BAA, both parties commit to complying with HIPAA regulations and ensuring the privacy and security of PHI. Airtable offers a BAA in its Health Information Exhibit for Enterprise Scale customers acting as a covered entity or business associate under HIPAA, which governs how ePHI in the Airtable platform is protected in compliance with HIPAA. |
Enabling HIPAA at your organization
Contact your Airtable account executive to begin the BAA process.
To speed up the process, if your organization contains multiple org units, it’s helpful to gather a list of which org units will need to be HIPAA enabled. To identify the individual Account (org unit) IDs you want to enable HIPAA compliance on:
Navigate to the Organizations tab in admin panel. Super admin permissions are required.
Under the org unit name you will see its Account ID, starting with "ent...". Copy this account ID.
Repeat this process for each org unit requiring HIPAA enablement to create a list to share with our account team.
Once you’ve identified the org unit(s) needing to be HIPAA enabled, your account executive will help guide you through the process of signing the BAA.
There is no setting that can be adjusted by admins at your organization, instead, once the BAA has been signed and processed, Airtable will initiate an internal process to turn this feature on for your organization. If you want to add more org units in the future, then you’ll need to start again at step 1 above.
Note
Organizations utilizing Enterprise Hub - The BAA will apply to any organization units for which HIPAA is enabled as indicated in the admin panel for that org unit.
Organizations not utilizing our Enterprise Hub feature - The BAA will apply to your entire organization so long as the admin panel indicates that HIPAA is enabled.
Identifying HIPAA compliance at your org
Click the Settings option on the left sidebar.
This will reveal the “Security & compliance” tab. Scroll down the page until you find the “Compliance” section.
Under the “HIPAA” section you’ll see whether HIPAA is enabled at your organization (non-Hub) or whether HIPAA is enabled for all, some, or none of your org units (Hub).
Organizations utilizing Enterprise Hub can click the dropdown to see which org units are and are not HIPAA enabled.
Maintaining HIPAA compliance at your organization
Admins should review user access in admin panel on a regular basis.
Admins should download reports to monitor their organization’s Airtable use.
Admins should also ensure that 3rd party integrations are purposely allowed based on your HIPAA assessment or fully disabled.
If you haven’t already done so, enable SSO login processes for your organization’s Airtable instance.
Your organization’s use of Airtable must comply with the requirements listed in the Health Information Datasheet.
FAQs
Will enabling HIPAA at my organization affect the way that Airtable functions?
No, general product behavior within Airtable at your org will not change. Instead, enabling HIPAA at your organization will result in stricter standards (discussed in the BAA) that Airtable will ensure when interacting with your company in Sales and Support interactions.
What types of healthcare data does Airtable collect?
The types of ePHI that a customer may choose to input into Airtable are entirely up to that customer, the usage restrictions in its service agreement, and any terms specified in the BAA and Airtable’s Health Information Exhibit.
My organization isn’t on the Enterprise Scale plan, can we request the HIPAA compliance feature?
We only offer HIPAA compliance features for our Enterprise Scale customers. Contact our sales team if you are interested in learning more about the Enterprise Scale plan and its benefits.
My organization is currently using AI features in Airtable, how can I turn off AI in workspaces where we are storing ePHI?
Your organization’s admins can learn more about managing AI settings in admin panel here.
Is Airtable compliant with the California Confidentiality of Medical Information Act (CMIA)?
Please see Airtable’s Health Information Datasheet for information on how Airtable supports its customers’ compliance obligations under CMIA, and to sign Airtable’s Health Information Exhibit, which includes a BAA and a CMIA Addendum.
What if I am interested in enabling CMIA for my organization?
If your organization is interested in enabling CMIA, similar steps can be followed as noted above for enabling HIPAA. Please reference the Health Information Datasheet and/or reach out to Airtable for more information about CMIA, how Airtable supports our customers with CMIA compliance, and how you can start the Health Information Exhibit signing process.