Smartsheet at UMN is a flexible, secure platform for unifying collaboration, workflows, and content management in one place. Smartsheet at UMN is obtained through a contract with Smartsheet Inc. (https://www.smartsheet.com/), which includes security provisions giving UMN individuals a place for collaborating in a safe and secure manner.
UMN’s contract with Smartsheet includes a Business Associate Agreement (BAA). This means individuals may use this service to store Protected Health Information (PHI) regulated by the federal Health Insurance Portability and Accountability Act (HIPAA). Complying with HIPAA’s requirements is a shared responsibility. UMN and Smartsheet work together to provide a collaboration environment that is as secure as possible for the types of data authorized to be stored. Individual users who share and store PHI in Smartsheet are responsible for complying with HIPAA safeguards, including:
Using and disclosing only the minimum necessary PHI for the intended purpose.
Obtaining all required authorizations for using and disclosing PHI.
Ensuring that PHI is seen only by those who are authorized to see it.
Obtaining all necessary data-sharing agreements for using and disclosing PHI.
Adhering to all relevant data use agreements, contracts, IRB policies, compliance conditions and local unit rules.
Accounts in the HST Smartsheet plan are available to all active students, staff, faculty, and sponsored accounts at the University of Minnesota, provided they conform with our enhanced security configurations and policies. Your department may already have a Smartsheet plan specific to your team or project. Please inquire with your supervisor, professor, or project lead for details.
Departmental accounts are not supported because login details are often shared across multiple individuals. Instead, we encourage departments to provision their team with individual unlicensed accounts. Contact Technology Help for a consultation if you think you need a departmental account solution.
The Smartsheet at UMN service is authorized for storage of Protected Health Information (PHI).
Users are responsible for using Smartsheet at UMN securely to store, collaborate or share restricted data, such as Protected Health Information (PHI). PHI is subject to federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), that require you to exercise special care. Meeting the requirements below will help you store and share PHI data safely in Smartsheet at UMN and will reduce the risk of costly fines and penalties to yourself and your unit.
All users who log in to Smartsheet are required to use Two-Factor Authentication (2FA).
The security of information for academic, research, and administrative activities is important. The Two-Factor Authentication (2FA) service provides application owners with higher assurance that only authorized users can gain access to critical information, systems, and services. 2FA is part of a two-level authentication process. The first level (something you know) is the verification of the UMN AccessID and password. The second level (something you have) is a randomly generated passcode provided by the UMN 2FA service.
Details on UMN's 2FA program can be found here: https://it.umn.edu/services-technologies/self-help-guides/duo-set-use-duo-security
Unit policies and restrictions might be more stringent than university policies.
Users must follow local rules for file storage. Even though Smartsheet at UMN meets regulatory safeguards and has been approved by UMN for the storage of PHI, your local unit may have more stringent rules regarding storage of PHI. Local units may have specific funding, regulatory or administrative requirements that prevent PHI from being stored on Smartsheet.
Consult your supervisor or local unit IT leader.
Smartsheet users must save files containing PHI ONLY to UMN Smartsheet accounts and items (e.g. sheets, dashboards, and workspaces) that have been configured for storing PHI. Users are not permitted to store files containing PHI in any other type of Smartsheet item or account.
UMN’s Smartsheet service has contractual security measures applied to it, and UMN system administrators have permissions to perform troubleshooting and incident response (i.e., restoring files that were inadvertently deleted or assisting users in assigning collaboration permissions). UMN has no control, visibility or contractual assurance of data stored in commercial Smartsheet accounts or Smartsheet accounts owned by other universities or institutions.
Types of Smartsheet accounts not authorized for PHI:
Non-HST Smartsheet accounts
Personal (i.e., associated with user’s personal non-UMN address)
Items owned by individuals outside of UMN
Users shall not sync any Smartsheet folders that contain PHI to unsupported or unmanaged devices.
Having additional copies of the data increases the risk of unintended and inappropriate access.
The Smartsheet Desktop app is unsupported by HST and discouraged from use.
Users will keep the list of collaborators (the people to whom they give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (for example, when they leave the university or change jobs).
It is the user’s responsibility to make sure that only those people who need access to the data to do their jobs have that access. It is important to keep the list of collaborators up-to-date as their access needs change.
Users shall assign collaborators only the permissions they need to do their university work and no more.
Providing only the minimum access required to do one’s job decreases the chance of an inadvertent compromise of PHI data. For example, if someone does not need to make changes to files in a folder, give them only view or preview access; do not give them edit access. Best practice dictates that there should only be two or three co-owners in an NPA; do not give everyone co-owner rights.
Users shall not download files containing PHI to their personal mobile device (phone, tablet, etc.).
These devices travel and are more easily lost than a computer; they may also be less secure.
If there are any questions about how to store PHI on Smartsheet, please contact the IT Service Desk at 612-301-4357.
Smartsheet is a commercial online collaboration service that offers various tiers of free and paid accounts to the public. Health Sciences Technology (HST) and Smartsheet have partnered to provide Smartsheet to departments in the Health Care Component (HCC). There is currently no site-wide license for Smartsheet at the University. Departments outside the HCC may contact Smartsheet to purchase a plan specifically for themselves.
When uploading files, be aware of the University’s data categorization rules and the types of files that are permitted to be stored on Smartsheet at UMN.
The UMN Acceptable Use of Information Technology Resources policy governs the general usage of Smartsheet.
Protected Health Information (PHI) is allowed to be stored on the HST Smartsheet plan. PHI is defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.”
PHI is governed by the Health Insurance Portability and Accountability Act of 1996 which protects the privacy of individually identifiable health information and sets national standards for the security of electronic protected health information. At UMN, PHI is in the category of private highly restricted data. More information about UMN’s three-level data categorization plan which serves to protect data necessary for the University’s operation can be found here. All users who work with PHI should be familiar with these documents.
UMN can store PHI on Smartsheet as a result of signing a Business Associate Agreement with Smartsheet. When users store and collaborate with PHI using the HST Smartsheet plan, they should be aware of University rules governing the storage of this type of information on Smartsheet.
Although PHI is allowed to be stored on Smartsheet, other types of personally identifiable information (PII), such as credit card numbers, are not allowed to be stored on Smartsheet.
In addition to the policies mentioned on this page, it is each user’s responsibility to ensure that storing PHI on Smartsheet is in accordance with local rules and the requirements of grants, research partnerships or data sharing agreements.
Smartsheet accounts will be deprovisioned for one of the following reasons:
User is no longer employed by the University.
Account has been inactive for more than 180 days.
Non-responsive to access renewal review process.
Account deprovisioning based on active status of employees is performed daily as part of the HST I5 deprovisioning process. Inactivity reports will be generated monthly as part of the HST deprovisioning process.
If there are any questions about the usage of the HST Smartsheet plan, please contact Technology Help at 612-301-4357 or help@umn.edu, or email hst+smartsheet+managers@umn.edu