This guide describes what you need to do if you want to use your Shortcut workspace in a HIPAA-compliant way.
BAA with Shortcut
First, if you are a covered entity under HIPAA, or a business associate of one, Shortcut acts as a business associate, and you need to execute a Business Associate Agreement (BAA) with Shortcut before putting any Protected Health Information (PHI) into our systems. The BAA specifies terms and conditions for how Shortcut handles PHI and establishes timelines and expectations for communication as required by HIPAA.
Contact support@shortcut.com to kick off this process. You must be on Shortcut's Business plan or higher to be eligible for a BAA.
Shortcut Configuration
Once you have executed a BAA with Shortcut, you are then responsible for configuring your Shortcut workspace and advising your team on how to use Shortcut in a HIPAA-compliant way. Shortcut does not provide any automatic, end-to-end compliance checking on your behalf, and in particular you need to ensure that, for any third-party services that you integrate with Shortcut, you have established separate BAAs as appropriate.
In order to use your Shortcut workspace in a HIPAA-compliant way, you need to ensure the following:
- Notifications
  - Turn off email notifications for your workspace.
  - Turn off Slack notifications for your workspace.
  - Instead, leverage the in-app Activity Feed and web browser notifications.
- Shortcut Docs
  - While you can use Shortcut Docs, you must not enter PHI into the following specific features of Shortcut Docs:
    - Shortcut Docs comments
    - Shortcut Docs suggestions
- Korey: Do not connect your workspace to the Korey agent.
- Third-party Integrations
  - Vet any and all third-party integrations that you integrate with your Shortcut workspace (whether through the Shortcut web interface or by configuring access in those third-party tools separately) and establish separate BAAs with third-party vendors as appropriate.
Integrations
Your BAA with Shortcut does not automatically extend to other third-party systems that you integrate with your Shortcut workspace. Review the terms and conditions for all third-party services that you integrate with your Shortcut workspace and establish separate BAAs with those vendors as appropriate.