monday.com and HIPAA

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to protect people's healthcare data. Organizations such as hospitals, doctors' offices and health plans that handle protected health information (PHI) are required to be HIPAA-compliant. The requirement also extends to companies that work with these organizations and come into contact with PHI on their behalf.

monday.com is now HIPAA compliant, so this is a good time to answer the most frequently asked questions about this regulation. 😊


A few key terms before starting

Protected Health Information - PHI

Protected Health Information (PHI) is individually identifiable health information about a person that is created or collected by a healthcare provider, employer or health plan. It includes names, social security numbers, phone numbers, medical history, current medical conditions, test results and more. PHI is the content that HIPAA aims to protect and keep private.

Covered entity

A covered entity is an organization that provides treatment, payment or operations in healthcare: doctors, hospitals, pharmacies, health insurance companies and more. Covered entities are responsible for the privacy and security of the health information they hold.

Business associate

A business associate is any person or organization outside the covered entity's workforce that has access to patients' information, whether directly, indirectly, physically or virtually, while performing a service on the covered entity's behalf (e.g. a law firm, or a software provider such as monday.com). Business associates are directly subject to the HIPAA/HITECH rules.

Business associate agreement (BAA)

A BAA is a contractual assurance from the business associate to the covered entity that it will follow HIPAA's requirements for safeguarding PHI. This agreement must be in place before any PHI is transferred from the covered entity to the business associate. You can read our BAA here.


Which plan is HIPAA available on?

HIPAA compliance is available on our Enterprise plan. Please note that if you are on this plan and later downgrade to another plan, your account will no longer be covered by the HIPAA compliance program.

You can reach out to a customer support agent or to your account manager to set up your account as HIPAA compliant. This feature is only granted to Enterprise plans with 25 users or more.


Note: On HIPAA-compliant accounts the broadcast feature is disabled, to prevent accidental disclosure of Protected Health Information (PHI).


How to set up a BAA with monday.com?

In order for your account to be HIPAA compliant, you must sign the BAA and then activate HIPAA on your account. You can sign the BAA electronically in just a few steps:

  • Click on your avatar at the bottom right of your screen
  • Select Admin
  • Click on Security and then choose Compliance
  • Click on the BAA link, then review and accept the BAA

Once done, click on "activate HIPAA" and you are all set.

How to activate or deactivate HIPAA?

To activate HIPAA, follow the steps below:
  • Click on your avatar at the bottom right of your screen
  • Select Admin
  • Click on Security and then Compliance
  • Click on "activate"

To deactivate HIPAA, please reach out to us at [email protected].

Are the monday.com mobile apps HIPAA compliant? 

Yes, our mobile apps are HIPAA compliant starting from version 3.331 for iOS and version 3.190715 for Android. Make sure that users who handle PHI on mobile have updated to at least these versions.


A few tips to keep data such as PHI secure

We want to make it as easy as possible for you to keep your account secure and meet your legal requirements. Below are a few tips to consider when configuring your account.


1. Strengthen authentication

We recommend using one of these two security features to add a layer of protection to your monday.com account:


2. Conduct regular access reviews

To ensure that any sensitive data in your monday.com account can only be accessed by the appropriate people, we recommend reviewing the list of your account members frequently and removing users who no longer need access. To learn how to access this list, check out this article.


3. Monitor for unusual activity

As an admin, you can review the sessions of all account users through the audit log.

The audit log shows when each user last logged into the account, which device they used and what the IP address of the session was. If you spot any suspicious activity, you can activate the Panic Button.
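As an added example (not code from monday.com), the check below runs over a small constructed audit-log export and flags logins from an IP or device a user has never used before, logins from outside an assumed trusted office network, and two logins by the same user from different IPs within a short window. The CSV columns, the sample rows, the trusted network and the three rules are assumptions; adapt them to the columns of your real export and to your own policy.

```python
"""Flag unusual logins in an exported audit log.

Added example, not monday.com's own code. The CSV layout below is an
assumption (a constructed export with timestamp, user, event, device and
IP columns); adapt the column names to whatever your real export contains.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (assumed layout, not a real monday.com file).
SAMPLE_LOG = """\
timestamp,user,event,device,ip
2024-03-01T08:02:11Z,alice@example.com,login,Chrome/macOS,203.0.113.10
2024-03-01T08:15:42Z,bob@example.com,login,Firefox/Windows,203.0.113.11
2024-03-02T09:01:05Z,alice@example.com,login,Chrome/macOS,203.0.113.10
2024-03-02T09:30:00Z,bob@example.com,login,Firefox/Windows,203.0.113.11
2024-03-03T03:12:55Z,alice@example.com,login,Chrome/Android,198.51.100.7
2024-03-03T03:14:10Z,alice@example.com,login,Chrome/macOS,203.0.113.10
2024-03-03T10:00:00Z,bob@example.com,login,Firefox/Windows,203.0.113.11
2024-03-03T10:05:00Z,carol@example.com,login,Safari/iOS,192.0.2.99
"""

# Network the workforce is expected to log in from (assumed for the example).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse the CSV export into dicts, oldest event first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def find_unusual_logins(text, baseline_days=1, travel_window=timedelta(minutes=30)):
    """Return a list of (user, reason, row) findings, in log order.

    Rules (assumed policy, tune for your organization):
    1. After a baseline period used to learn each user's habits, a login
       from an IP or device that user has never used before is flagged.
    2. Any login from outside TRUSTED_NETWORKS is flagged.
    3. Two logins by the same user from different IPs within travel_window
       are flagged (one person cannot plausibly be in both places).
    """
    logins = [r for r in parse_log(text) if r["event"] == "login"]
    if not logins:
        return []
    baseline_end = logins[0]["timestamp"] + timedelta(days=baseline_days)

    seen_ips = defaultdict(set)
    seen_devices = defaultdict(set)
    last_login = {}
    findings = []
    for r in logins:
        user, ip, device, ts = r["user"], r["ip"], r["device"], r["timestamp"]
        past_baseline = ts >= baseline_end
        # Rule 1: only for users we already have history for.
        if past_baseline and user in seen_ips and ip not in seen_ips[user]:
            findings.append((user, "new-ip", r))
        if past_baseline and user in seen_devices and device not in seen_devices[user]:
            findings.append((user, "new-device", r))
        # Rule 2: source address outside the expected network.
        if not any(ip_address(ip) in net for net in TRUSTED_NETWORKS):
            findings.append((user, "untrusted-network", r))
        # Rule 3: implausibly fast change of source address.
        prev = last_login.get(user)
        if prev and prev["ip"] != ip and ts - prev["timestamp"] <= travel_window:
            findings.append((user, "rapid-ip-change", r))
        seen_ips[user].add(ip)
        seen_devices[user].add(device)
        last_login[user] = r
    return findings


if __name__ == "__main__":
    for user, reason, row in find_unusual_logins(SAMPLE_LOG):
        print(f"{row['timestamp']:%Y-%m-%d %H:%M} {user:20} {reason:18} "
              f"{row['device']} {row['ip']}")
```

On the constructed sample, Alice's 03:12 login from an Android device on an unknown network trips all of the first-seen rules, and her follow-up login two minutes later from the office IP trips the rapid-change rule; a finding is a prompt to contact the user and, if the session was not theirs, to use the Panic Button rather than a verdict on its own.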


4. Evaluate third party apps

Our integrations allow you to seamlessly connect monday.com to external platforms and turn your monday.com account into your personal work hub. While these third-party apps can be great complements to your account, remember that they are not part of our included services. If you want to maintain HIPAA compliance, you must ensure that any third-party app or service that handles your PHI is itself HIPAA compliant, which normally means having a BAA in place with that vendor as well.

If you have any further questions, please feel free to contact Customer Success at [email protected]