Airtable is a cloud collaboration service that can automate and speed up business processes such as marketing campaigns. Many healthcare organizations use such solutions to create and share information in easy-to-use databases. To do so, however, those within the healthcare industry need to work with HIPAA compliant companies.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Currently, Airtable does not offer a BAA and therefore cannot be HIPAA compliant.
What is Airtable?
Airtable is a cloud-based productivity tool that directly competes with Microsoft Excel and Google Sheets. As a spreadsheet-database hybrid, it has the features of a relational database with the look and feel of a traditional spreadsheet. Users can create and share information within these documents, and staff members can use resources updated in real-time.
Examples of healthcare-related activities that can use such databases include:
- Up-to-date marketing campaigns
- Patient feedback
- Product or service launches
- Payment tracking
Airtable lets users store and organize data and integrate the information with other apps such as Slack, Google Drive, and Trello. With Airtable Connected Apps Platform, teams can also build powerful, flexible apps to share customizable data.
SEE ALSO: Data management in healthcare systems
Is Airtable a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Airtable and its ability to be HIPAA compliant. Airtable is a business associate of a healthcare organization if it is storing, processing, or transmitting PHI in the cloud.
RELATED: How to know if you're a business associate
Airtable and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We first wrote about Airtable and HIPAA compliance on March 13, 2019. At that time, we found a web page stating that Airtable did not offer a BAA but was considering it.
An updated (September 21, 2022) web page on HIPAA and FERPA compliance says that “Airtable does not sign HIPAA [BAA] at this time.” The page further adds, “We work with a number of companies across medical industries who do use Airtable to manage business, research and other processes, but refrain from storing [PHI] in doing so.”
A community discussion web page confirmed on July 5, 2023, that Airtable “has not been certified for HIPAA compliance.”
Airtable, the cloud, and data security
In 2023, we created a HIPAA compliant checklist for cloud services to address its increasing use within healthcare. The cloud offers flexibility and convenience but also increases an organization's attack surface. Many cloud tools are available, but not all meet HIPAA requirements of encryption, data backup, and access controls.
Airtable offers various security features listed on its trust & security page. Features include password-protected share links, visual activity fields, two-factor authentication, and security assertion markup language (SAML)-based single sign-on (SSO). Airtable cybersecurity also employs customizable permissions where a user controls who can see and modify a workspace.
Ultimately, Airtable appears to be a secure platform though its privacy policy does not cover the protection, collection, or storage of PHI.
Is Airtable HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and Airtable does not currently offer a BAA. While the company states that healthcare organizations use Airtable by refraining from storing PHI, that does not necessarily mean the data is safe. Conclusion: Airtable cannot be HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient information systems are necessary to run successful healthcare organizations. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.
Kapua Iao
