Is Airtable HIPAA Compliant?

Airtable is HIPAA compliant inasmuch as one Airtable subscription plan includes limited services that support HIPAA compliance. The vendor also offers a Business Associate Agreement to covered entities and business associates who can adapt their use of the business management platform to accommodate the limited services.

Airtable is a customizable business management platform that connects siloed databases to help organizations manage their data better. By improving data management, the platform enables more accurate data analyses to support collaboration efforts and accelerate decision making. Airtable can also double as Customer Relationship Management software because it supports a large number of integrations.

For covered entities and business associates in the healthcare industry, Airtable could be used – for example – to automatically synchronize appointment schedules and workforce availability. The platform could also be used to record patients’ healthcare journeys and alert care teams when specific triggers are activated. However, if PHI is disclosed to the platform when it is used in these ways, Airtable must be HIPAA compliant and a Business Associate Agreement must be in force.

Is Airtable HIPAA Compliant?

Rather than being HIPAA Compliant, Airtable supports HIPAA compliance for subscribers to its Enterprise Scale plan. However, the support is limited. For example, PHI can only be created or stored in “Records” (similar to Excel Cells) in “Bases” (similar to Excel Databases) and Records that contain PHI cannot be emailed via an automated function – which reduces the benefits of the platform’s automation capabilities.

In addition, it is not permitted to use or disclose PHI to Airtable AI, members of the workforce cannot disclose PHI to Airtable’s Customer Support team (verbally or digitally), and covered entities cannot use Airtable to build a patient portal if the patient portal will collect or store PHI, or disclose PHI to another capability or integrated program. These restrictions limit the potential uses for Airtable in healthcare.

Making Airtable HIPAA compliant may also be complicated by the complexity of the admin configurations required, and if third party programs are integrated with the platform, those third party programs must also be HIPAA compliant. Finally, because HIPAA compliance is only supported on the Enterprise Scale plan, many smaller covered entities may find they are paying premium prices for services included in the plan that they will never use.

Airtable’s Business Associate Agreement

Rather than sign customers’ Business Associate Agreements, Airtable offers a one-size-fits-all Agreement for subscribers to the Enterprise Scale plan who identify as HIPAA covered entities or business associates. Airtable’s Business Associate Agreement meets the requirements of HIPAA and is similar to one-size-fits-all Agreements offered by other software vendors. Potential customers can obtain a copy of the Agreement to review before committing to a subscription.

In Airtable’s favor, covered entities and business associates can subscribe to more than one type of plan. This means customers can subscribe to both an Enterprise Scale plan covered by the Business Associate Agreement for business activities that require uses and disclosures of PHI, and a separate Business or Teams plan for business activities that do not require uses and disclosures of PHI. (Note: Both the Business and Teams plans contain fewer capabilities than the Enterprise Scale plan.)

Additionally, there is plenty of information about making Airtable HIPAA compliant and using the platform in compliance with HIPAA on the Airtable website. Best practices include enabling SSO login, scheduling reports to monitor user access, and automating alerts for unusual user activity. Covered entities and business associates can further protect PHI maintained on the platform by activating Airtable’s Data Loss Prevention and Enterprise Key Management features.

Free Trials Available to Interested Parties

Any individual or organization that is interested in finding out more about Airtable is invited to take a free trial of the business management platform. Although the free trial version of the platform does not support HIPAA compliance, the opportunity will give covered entities and business associates the chance to review Airtable’s capabilities and determine if it is an appropriate solution for their needs.

Airtable is also happy to provide advice on configuring the platform to support HIPAA compliance and on training members of the workforce in how to use Airtable in compliance with HIPAA. However, because of the limitations of the HIPAA compliant version of the platform, covered entities and business associates are advised to speak with an independent compliance professional before committing to a subscription.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]