Last Updated: April 15, 2024
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that establishes standards to protect the privacy and security of protected health information. This includes requirements to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
Maintaining HIPAA compliance, and ensuring the security of ePHI, is a joint commitment between customers and Airtable. Customers subject to HIPAA requirements can use Airtable in support of compliant workflows; however, customers acting as covered entities or business associates have an obligation under HIPAA, independent of Airtable, to implement the appropriate administrative, physical, and technical safeguards to ensure the security of ePHI.
Airtable provides a solution that empowers customers to build and manage bespoke workflows in a secure and compliant manner. Below, we have provided additional information to help customers ensure their use of Airtable supports their efforts to maintain HIPAA compliance.
Enterprise Scale Customers may be interested in executing Airtable’s Business Associate Agreement (BAA) if they are subject to HIPAA and intend to store or process ePHI in their Airtable environment. Airtable’s BAA is a contract between Airtable and a customer acting as a covered entity or business associate under HIPAA, which governs how a customer’s ePHI in the Airtable platform is protected in compliance with HIPAA. It is the customer’s responsibility to determine whether a BAA is required for their use case. To begin this process or request additional information, please contact a member of your account team. Enabling HIPAA compliance for your organization’s usage of Airtable and the execution of a BAA is only available to customers on an Enterprise Scale plan. For more information and to adjust your organization’s plan, please reach out to your sales representative. Please note that if you decide to later downgrade your plan, you will no longer be covered by the executed BAA.
For a customer’s use of Airtable to be covered by the Airtable BAA, the customer and customer’s permitted users must comply with the following requirements:
Automations | Airtable Automations allow users to automate workflows, including outgoing email. When delivering automated emails, Airtable will send email over a transport layer security (TLS) encrypted channel whenever possible; however, if the receiving email server does not support TLS, automated emails will send in cleartext.
Refrain from including ePHI directly in the body or subject line of the email. Airtable cannot guarantee that the email content will be encrypted if the receiving email server does not support TLS.
Be mindful of recipients, when configuring automated messages.
Records | ePHI must only be stored in Records within Airtable Bases or Interfaces. When using Airtable, refrain from including ePHI in other locations, such as in Base access requests, Base descriptions, and in Base, Table, Interface, and Workspace names.
Sending Records | Airtable functionality allows users to send records via outgoing email (details can be found here). Do not use the send record functionality within Airtable if your record contains ePHI.
Customer Support | When contacting Airtable, such as when using Customer Support, do not include ePHI in screenshots or support tickets. Refrain from sharing ePHI with Airtable representatives on a call, email, or other digital communication such as Slack.
Integrations | Customers may choose to integrate their Airtable instance with other systems and are responsible for ensuring such integrations are implemented in compliance with any applicable HIPAA requirements. When configuring integrations, be aware that Airtable can not ensure and is not responsible for the security or privacy of data, including ePHI, when it leaves the boundaries of the Airtable environment.
Airtable AI | Do not use ePHI with Airtable AI. Please note that Airtable AI is an opt-in feature that is only enabled if a customer purchases it and turns it on.
Use Cases | Do not use Airtable as a patient portal at this time.
The following table demonstrates how Airtable supports our customers’ efforts to meet HIPAA Security and Privacy Rules.
HIPAA Standard
Airtable Functionality
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. [164.312 (a) (1)]
Password and domain-restricted shares: Restrict your shared view and base links by password or email domain.
Field and table editing permissions: Limit who can edit values in a specific field, and who can add or remove records from a table.
Granular interface permissions: Control who can access data by sharing your interface without sharing the underlying base.
User groups: Create and manage groups of users with which you can easily share bases, workspaces, and interfaces.
For more information on Airtable permissions, please see: here.
Assign a unique name and/or number for identifying and tracking user identity. [164.312 (a) (2) (i)]
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. [164.312 (a) (2) (iii)]
SAML-based single sign on (SSO): Give organization members access to Airtable through an identity provider (IdP) of your choice. We work with providers including Okta, Microsoft Azure, OneLogin, Google, and more.
SCIM user provisioning: Provision and deprovision users centrally via SCIM from Okta, Microsoft AD, and other providers.
SCIM-synced user groups: Add and remove users from user groups centrally via SCIM from Okta and Microsoft AD.
For more information on SSO and SCIM, please see here.
Implement a mechanism to encrypt and decrypt electronic protected health information. [164.312 (a) (2) (iv)]
Enterprise Key Management (EKM): Get additional control over the data you store in Airtable and visibility into how it’s accessed using your own encryption keys. Available as an add-on for Enterprise Scale customers. For additional information on EKM, please see here.
Data transmitted between customers and Airtable’s service is encrypted using using industry standardsTLS 1.2 or higher.
Data at rest is encrypted using industry standard AES 256-bit encryption within Airtable’s systems.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. [164.312 (b)]
Enterprise Hub: Get central visibility and control over your organization’s users and data with Airtable’s full admin experience, standardized security policies, tiered admin roles, and more. For additional information on Enterprise Hub, please see here.
Enterprise audit logs: Airtable Enterprise audit logs allow admins to monitor activity within their organizations. Audit logs are accessible through your reports' page in admin panel or programmatically through Airtable's API. For additional information on Audit Logs, please see here.
Admin reports: See information about share links, workspaces, bases, users, user activity, and more.
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. [164.312 (c) (1)]
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. [164.312 (a) (2) (ii)]
Airtable maintains high availability through multiple availability zones, cross-region replication, and backups.
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. [164.312 (e) (1)]
Domain management: Verify and manage your organization’s domains through DNS in the admin panel.
Data loss prevention (DLP): Use our DLP APIs to integrate with third-party vendors and take action on sensitive data your users might add to Airtable. For additional information on DLP, please see here.
Implement policies and procedures to address the final disposition of electronic protected health information, and the hardware or electronic media on which it is stored. [164.310 (d) (2) (i)]
Custom retention policies: Create policies to manage retention timeframes and protect data by deleting inactive bases in your organization. For additional information on retention policies, please see here.
eDiscovery: Give admins the ability to programmatically export existing base content and comments. For additional information on eDiscovery, please see here.
Airtable maintains data backups and a revision history subject to the chosen plan. For additional information on Airtable plan tiers, please see here.
Protecting customer data is core to Airtable. We take privacy and security into consideration in all aspects of the platform and supporting infrastructure and are committed to meeting global security and privacy requirements. For additional information, please visit our Trust page.