monday.com logo
monday logo
Learning Resources by monday.com
Help Center
Tutorials and how-to guides for using monday.com
Academy
Interactive courses and webinars that will make you an expert
What’s new
Latest feature releases, improvements, and updates
Video Tutorials
Manage and collaborate on
team projects and tasks from
one place
API Documentation
Technical documentation that gives you the control
Get expert help
Hire a monday.com expert to optimize your workflows
Community
Become part of our community
Community forum
Learn with fellow monday.com enthusiasts
Local facebook communities
Join this community to find monday.com members near you
Global facebook communities
Join one of your most active social communities - the global monday group
Developer community
Share thoughts and questions with like-minded professionals who speak your language
Non Profit community
Give back to the community by working with a NGO or non-profit. Join our exclusive program
Support
Contact sales
Get started
What can we help you with?
  1. Support
  2. Profile and Admin
  3. Services & Policies
monday.com and HIPAA
    Was this article helpful?

    monday.com and HIPAA

    3 min read
    Guide

     

    Your team's privacy and security are one of our top priorities! We know that you put your trust into monday.com every day to keep your team's information secure. We want to assure you that responsible custodianship of your data is one of the core values of our company. That's why we offer HIPAA-compliant plans so that you can trust that your sensitive healthcare data is safe and secure in your monday.com account. 

     

    What is HIPAA?

    The Health Insurance Portability and Accountability Act (HIPAA) is designed to help protect people’s healthcare data. Organizations such as hospitals, doctors' offices, health plans, or companies dealing with protected health information (PHI) are required to be HIPAA-compliant. This may also extend to companies that work with these businesses and come into contact with PHI on their behalf.

     

    Here are some key terms you should know:

    • Protected Health Information - PHI

    Protected Health Information (PHI) is healthcare data relating to a patient and collected by a healthcare provider, employer, or plan. It includes names, social security numbers, phone numbers, medical history, current medical condition, test results, and more. PHI is the content that HIPAA aims to protect and keep private.

    • Covered entity

    A covered entity is anyone who provides treatment, payment, and operations in healthcare. Examples include doctors, hospitals, pharmacies, insurance companies, and more. These covered entities are responsible for the privacy and security of health information.

    • Business associate

    A business associate is anyone who has access to a patient's information whether it is directly, indirectly, physically, or virtually. A business associate does not work under the covered entity’s workforce but instead performs some type of service on their behalf (i.e. a lawyer, a phone company, etc...). A business associate is subject to HIPAA/HITECH rules.

    • Business Associate Agreement (BAA)

    A BAA is a contractual assurance from the business associate to the covered entity that they follow HIPAA's requirements. This agreement must be in place before the transfer of PHI from the covered entity to the business associate. You can read our BAA here.

     

    Is monday.com HIPAA-compliant?

    HIPAA is available on monday.com on our Enterprise plan. Please note that if you are on this plan and later downgrade to another plan, you will no longer be covered under the HIPAA compliance program anymore. This feature will only be granted to Enterprise plans with 25 users or more. 

     

    Note: On all HIPAA-compliant Enterprise plans, the broadcast feature is disabled to prevent accidental disclosure of Protected Health Information (PHI).

    Previously, the preview of files was also disabled for all HIPAA-compliant Enterprise plans since such service was performed through a third party sub-processor in the US Data region. As of April 19th, the preview of files is performed in-house and is therefore now also available to all our HIPAA-compliant Enterprise plans for all type of documents such as PDF, Powerpoint, Excel etc.

     

    How to activate/deactivate HIPAA with monday.com

    In order for your account to be HIPAA compliant, you must first accept the conditions for the Business Associate Agreement (BAA) and configure your account as HIPAA. You can sign a BAA electronically in just a few steps:

    • Click on your avatar at the bottom left of your screen
    • Select Admin
    • Click on Security and then choose Compliance
    • Click on the BAA link and then review and accept the BAA
    • Click "Activate HIPAA Compliance"
    Group_5__15_.png
    To deactivate HIPAA, simply click on "Deactivate HIPAA Compliance" from the same page:
    Group_6__9_.png
    Note: Once HIPAA is deactivated, all admins in the account will receive an email notifying them of this action.

     

    Redact content in email notifications about updates

    As we are constantly striving to provide you with options to enhance your account settings, we have added an additional feature that hides content in email notifications about updates. This means that when you’re mentioned in an update on a board and you receive an email notification alerting you to the tag, the specific content from the update will be hidden in your email notification. 

    In order to activate this feature, click on "Redact Content in Email & Reply Updates" once HIPAA has been activated in your account:

     

    CPT2207051053-1424x748.gif

     

    You will be required to click the “Reply in monday.com” button in the email and enter your account to see the actual content from the update:

    Screen_Shot_2022-07-07_at_14.33_1.png

     

    Is the monday.com mobile app HIPAA compliant? 

    Yes, our mobile app is HIPAA compliant starting from version 3.331 for iOS and version 3.190715 for Android.
     

    Additional data security options

    We have put together a few tips that you should consider when configuring your accounts.

     

    1. Strengthen authentication

    We recommend using one of these two security features to add a layer of protection to your monday.com account:

     

    2. Conduct regular access reviews

    To ensure that any sensitive data in your monday.com account can only be accessed by appropriate people, we recommend that you frequently review the list of your members. To learn how to access this list, check out this article.

     

    3. Monitor for unusual activity

    As an admin, you have the ability to control the sessions for all account users through the Audit Log.

    The Audit Log allows you to see when the users have last logged into the account, what device they used, and what their IP address for the session was. In case of any suspicious activities, you can activate the Panic Button.

     

    4. Evaluate third-party apps

    Our Integrations allow you to seamlessly connect monday.com to external platforms and turn your monday.com account into your personal work hub. While these third-party apps can be great complements to your account, it’s important to remember that they’re not part of our included services. If you want to keep the HIPAA compliance, you must ensure that any third-party app or service you use will also be HIPAA compliant. 

     

     


     

    If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.

    Lea Serfaty - Quality check

    Comments