Healthcare organizations may not realize that the work management providers that they use need to be HIPAA compliant.
Work management providers are considered business associates if they contain protected health information (PHI). Any time PHI is stored, transmitted, or accessed, it needs the proper safeguards in place to ensure adequate protection against unauthorized access.
As a business associate, work management providers have the same obligations as covered entities to protect PHI from cybercriminals or negligent employees. All business associates are required to sign a business associate agreement (BAA) that outlines their responsibilities and duties when they handle PHI.
Not all work management providers are willing to sign a BAA, though. They may also lack the data security features needed to properly safeguard data under HIPAA guidelines.
Covered entities will need to do their research and configure security settings to meet HIPAA security requirements. The cost of working with an unprotected business associate may lead to consequences like data breaches, corrective action plans, and heavy fines.
Work management provider best practices
Covered entities should consider the following best practices when determining which work management provider is best for them.
- Understand what constitutes PHI
- Ensure PHI use is appropriate for business purposes
- Only partner with vendors that will sign a BAA
- Leverage privileged access management to prevent tasks containing PHI from being assigned to an unauthorized employee
- The vendor should encrypt data at rest and in transit
Now let’s review some popular work management providers and whether they meet HIPAA security guidelines.
Asana is a cloud service that lets a team collaborate and communicate within the platform. In terms of HIPAA compliance, the company doesn’t offer a BAA to healthcare providers. It also doesn’t have the necessary safeguards to protect PHI. Asana is not HIPAA compliant for those reasons.
Beesbusy is a work management provider that tracks employee time and the overall project process. The company website doesn’t mention any willingness to sign a BAA with covered entities, and it also doesn’t discuss what safeguards are in place to protect data. Beesbusy doesn’t meet HIPAA compliance standards.
ClickUp is another work management provider that can track project progress and automate tasks. The company does offer a BAA but only to covered entities on the highest-tier plan. Any other plan is not eligible for the BAA. ClickUp has several data security features including encryption at rest and in transit, two-factor authentication, and privileged access management. ClickUp can be HIPAA compliant.
Monday.com connects employees with workplace processes and tools. Covered entities can sign a BAA with Monday.com if they sign up for the Enterprise plan. All other plans can’t sign a BAA. Monday.com has numerous data security features including encryption at rest and in transit, password policies, and two-factor authentication. Monday.com can be HIPAA compliant.
Nifty can manage projects, tasks, and communication, but the company website doesn’t mention any willingness to sign a BAA. The Terms of Service also openly admit that content “may be transferred unencrypted.” Without an alternative safeguard in place, Nifty doesn’t appear to meet HIPAA security standards. Nifty isn’t HIPAA compliant.
Smartsheet is used for managing calendars, projects, and other work tasks. Smartsheet does offer a BAA, but only to users on the Enterprise plan. Lower-tier plans aren’t eligible for a BAA. Smartsheet has data security features including TLS encryption, regular security testing, and firewalls. Smartsheet can be HIPAA compliant.
Trello is another work management provider that lets employees view tasks and progress on boards. Neither Trello nor its acquirer, Atlassian, mentions any willingness to sign a BAA. Even if Trello has the security features to protect PHI, it can’t be a HIPAA compliant provider without a BAA in place. Trello is not HIPAA compliant.
What are the best HIPAA compliant work management providers?
Based on the work management providers that were reviewed, a healthcare provider might consider choosing one of the following:
- ClickUp
- Monday.com
- Smartsheet
All three providers are willing to sign a BAA on select plans. Healthcare organizations are ultimately responsible for ensuring that business associates meet HIPAA security guidelines. Covered entities should verify that they can configure the provider’s security settings so that their HIPAA compliance needs are met.
Don’t forget to use HIPAA compliant email
Your work management provider isn’t the only service that needs to comply with HIPAA. Your email also needs to protect PHI. Email poses a big risk to your healthcare organization, since human error can often lead to ransomware infecting your network.
Paubox Email Suite is a HIPAA compliant email security solution. It automatically encrypts all emails that your employees send. You can communicate directly with patients in their inbox, which can improve patient engagement.
Our HITRUST CSF certified software automatically includes a BAA, regardless of which plan you choose to use.