Health Information Datasheet
Last Updated: October 10, 2024
What are HIPAA and CMIA?
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that establishes standards to protect the privacy and security of certain health information, known as “protected health information” (PHI) and, when held or transmitted in electronic form, “ePHI”. The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. In this datasheet, the term “ePHI” has the meaning set forth in HIPAA.
CMIA
The Confidentiality of Medical Information Act (CMIA) is a California state law enacted in 1981 that protects the privacy of medical information of California residents under certain circumstances. CMIA has been amended several times, most recently by AB-254 and AB-352, to provide additional protections for medical information related to reproductive health and gender affirming care. In this datasheet, the term “medical information” has the meaning set forth in CMIA.
Our Commitment to Supporting HIPAA and CMIA Compliance
Maintaining HIPAA and CMIA compliance, and implementing security features designed to protect the security of ePHI and medical information, is a joint effort between customers and Airtable. Customers acting as covered entities or business associates under HIPAA, and customers subject to CMIA, have an obligation under those laws, independent of Airtable, to implement the appropriate administrative, physical, and technical safeguards to ensure the security of ePHI and medical information. Customers subject to HIPAA and CMIA requirements can configure certain features within Airtable to support compliant workflows.
Airtable provides a solution that allows customers to build and manage bespoke workflows in a secure and compliant manner. Below, we have provided additional information to help customers ensure their use of Airtable supports their efforts to maintain HIPAA and/or CMIA compliance. The information contained in this datasheet is not intended to constitute legal advice. Customers should seek the advice of a qualified attorney to determine their obligations under HIPAA and the CMIA.
Health Information Exhibit
Customers subject to HIPAA and/or CMIA who intend to store ePHI or medical information in their Airtable environment must be on the Enterprise Scale plan and sign Airtable’s Health Information Exhibit, which includes Airtable’s Business Associate Addendum (BAA) for customers subject to HIPAA and Airtable’s CMIA Addendum for customers subject to CMIA. Airtable’s BAA is intended for a customer acting as a covered entity or business associate under HIPAA, and Airtable’s CMIA Addendum is intended for a customer subject to CMIA. It is the customer’s responsibility to determine whether one or both addenda to the Health Information Exhibit apply, based on the data they intend to store in Airtable and their use case.
To begin the Health Information Exhibit execution process or request additional information, please contact a member of your account team. Executing a Health Information Exhibit to enable HIPAA and/or CMIA compliance for your organization’s use of Airtable is only available to customers on the Enterprise Scale plan. Customers are not permitted to store ePHI or medical information in their Airtable environment unless they are on the Enterprise Scale plan and have executed a Health Information Exhibit; both conditions must be met. For more information and to adjust your organization’s plan, please reach out to your sales representative. Please note that if you later downgrade your plan, you will no longer be covered by the executed Health Information Exhibit and you must remove all ePHI and/or medical information from your Airtable environment before doing so.
Airtable AI is not currently available for customers who require a Health Information Exhibit. If you wish to discuss potential options to use Airtable AI, please contact a member of your account team.
Requirements for HIPAA and/or CMIA Customers
For a customer’s use of Airtable to be covered by Airtable’s Health Information Exhibit or Airtable’s Business Associate Agreement*, the customer and customer’s permitted users must comply with the following requirements:
Automations | Airtable automations allow users to automate workflows, including outgoing email. Automated email is delivered with opportunistic TLS: Airtable sends over a transport layer security (TLS) encrypted channel whenever the receiving mail server supports it. If the receiving server does not support TLS, the message may be delivered without transport encryption or may not be delivered at all. Note also that TLS protects only the connection to the receiving server; it does not encrypt the message itself once it is stored in a mailbox or relayed onward.
Do not include ePHI or medical information directly in the body or subject line of the email. Airtable cannot guarantee that the email content will be encrypted in transit if the receiving email server does not support TLS.
Be mindful of recipients when configuring automated messages, and review recipient lists whenever an automation is edited.
Records | ePHI and medical information must only be stored in records within Airtable bases or interfaces. When using Airtable, do not include ePHI or medical information in other locations, such as in base access requests; base descriptions; and base, table, interface, and workspace names.
Sending Records | Airtable allows users to send records via outgoing email (details can be found here). Do not use the send record functionality within Airtable if your record contains ePHI or medical information.
Customer Support | When contacting Airtable, such as when using Customer Support, do not include ePHI or medical information in screenshots or support tickets. Do not share ePHI or medical information with Airtable representatives on a call, email, or other digital communication such as Slack.
Integrations | Customers that choose to integrate their Airtable instance with other systems are responsible for ensuring such integrations are implemented in compliance with any applicable HIPAA and/or CMIA requirements. When configuring integrations, be aware that Airtable cannot ensure and is not responsible for the security or privacy of data, including ePHI or medical information, once it leaves the boundaries of the Airtable environment (for example, when an API integration or sync copies records into a third-party system).
Airtable AI | Do not store ePHI or medical information in workspaces where Airtable AI is enabled. For Enterprise Scale plan workspaces, Airtable AI is an opt-in feature that is only enabled if a customer turns it on.
Use Cases | Do not use Airtable as a patient portal at this time.
Disclosures and Subpoenas | Customers must ensure they have appropriate policies and processes to review and assess requests for disclosures of ePHI and medical information, including law enforcement requests, subpoenas, search warrants, and other records requests, to ensure all disclosures comply with HIPAA and the CMIA.
Confidentiality | Customers must appropriately configure all applicable Airtable features and functionality (including but not limited to features and functionality listed in the How Airtable Supports HIPAA and CMIA Compliance section below) to ensure the confidentiality, integrity, and security of ePHI or medical information stored in the Airtable environment and to protect against unauthorized uses or disclosures.
CMIA-Specific Requirements
For a customer’s use of Airtable to be covered by Airtable’s CMIA Addendum, the customer and customer’s permitted users must comply with the following requirements:
User Access Privileges | Customers must appropriately configure all applicable Airtable features and functionality (including but not limited to features and functionality listed in the How Airtable Supports HIPAA and CMIA Compliance section below) to limit user access privileges to bases that contain medical information related to gender affirming care, abortion and abortion-related services, and contraception only to those persons who are authorized to access such medical information in accordance with CMIA.
Geolocation-Based Access Controls | Customers must appropriately configure all applicable Airtable features and functionality (including but not limited to features and functionality listed in the How Airtable Supports HIPAA and CMIA Compliance section below) to ensure only authorized individuals and entities located in California have access to medical information stored in the customer’s Airtable environment related to gender affirming care, abortion and abortion-related services, and contraception, and to ensure such medical information is not disclosed, accessed, transferred, transmitted, or processed outside of California in violation of CMIA.**
Segregation of Medical Information | Customers must appropriately configure all applicable Airtable features and functionality (including but not limited to features and functionality listed in the How Airtable Supports HIPAA and CMIA Compliance section below) to segregate medical information related to gender affirming care, abortion and abortion-related services, and contraception from the rest of the patient’s record, if the customer chooses to store such medical information in Airtable. The customer must not provide access to such segregated medical information to individuals and entities located outside of California in violation of CMIA.**
Mental Health Digital Services | If a customer offers a mental health digital service (as defined by CMIA) and partners with provider(s) of health care (as defined under CMIA) to provide that service, the customer and those providers should consult the California Attorney General’s website, where reported data breaches are published, when assessing their own breach-notification obligations.
How Airtable Supports HIPAA and CMIA Compliance
The following table demonstrates how Airtable supports our customers’ compliance with HIPAA and CMIA.
HIPAA or CMIA Requirement | Airtable Functionality
HIPAA
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. [§ 164.312(a)(1)]
CMIA
A business, as described in Section 56.06, that electronically stores or maintains medical information on the provision of sensitive services, including, but not limited to, on an electronic health record system or electronic medical record system, on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer, shall develop capabilities, policies, and procedures, on or before July 1, 2024, to enable all of the following:
Limit user access privileges to information systems that contain medical information related to gender affirming care, abortion and abortion-related services, and contraception only to those persons who are authorized to access specified medical information. [§ 56.101(c)(1)(A)]
Password and domain-restricted shares: Restrict your shared view and base links by password or email domain. More information can be found here.
Field and table editing permissions: Limit who can edit values in a specific field, and who can add or remove records from a table. More information can be found here.
Granular interface permissions: Control who can access data by sharing your interface without sharing the underlying base. More information can be found here.
User groups: Create and manage groups of users with which you can easily share bases, workspaces, and interfaces. More information can be found here.
Collaborators and Share Links: Restrict new collaborators from being added to workspaces and associated bases and restrict/prevent share links from being created. Configuration instructions can be found here.
Airtable product invite links and permissions: Generate workspace and/or base invite links that will grant access at the specified permission level to anyone that opens the link. Configuration instructions can be found here.
Data sync permissions: Restrict data sync permissions across bases and workspaces. Configuration instructions can be found here.
HIPAA
Assign a unique name and/or number for identifying and tracking user identity. [§ 164.312(a)(2)(i)]
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. [§ 164.312(a)(2)(iii)]
SAML-based single sign on (SSO): Give organization members access to Airtable through an identity provider (IdP) of your choice. We work with providers including Okta, Microsoft Azure, OneLogin, Google, and more.
SCIM user provisioning: Provision and deprovision users centrally via SCIM from Okta, Microsoft AD, and other providers.
SCIM-synced user groups: Add and remove users from user groups centrally via SCIM from Okta and Microsoft AD.
For more information on SSO and SCIM, please see here.
HIPAA
Implement a mechanism to encrypt and decrypt electronic protected health information. [§ 164.312(a)(2)(iv)]
Enterprise Key Management (EKM): Get additional control over the data you store in Airtable and visibility into how it’s accessed using your own encryption keys. Available as an add-on for Enterprise Scale customers. For additional information on EKM, please see here.
Data transmitted between customers and Airtable’s service is encrypted using industry standards (TLS 1.2 or higher).
Data at rest is encrypted using industry standard AES 256-bit encryption within Airtable’s systems.
HIPAA
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. [§ 164.312(b)]
CMIA
An electronic health record system or electronic medical record system shall do all of the following:
Protect and preserve the integrity of electronic medical information. [§ 56.101(b)(1)(A)]
Automatically record and preserve any change or deletion of any electronically stored medical information. The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information. [§ 56.101(b)(1)(B)]
Enterprise Hub: Get central visibility and control over your organization’s users and data with Airtable’s full admin experience, standardized security policies, tiered admin roles, and more. For additional information on Enterprise Hub, please see here.
Enterprise audit logs: Airtable Enterprise audit logs allow admins to monitor activity within their organizations and include metadata such as timestamp, action taken, IP address, user email, and workspace/base IDs. Audit logs are accessible through the Reports page in the admin panel or programmatically through Airtable’s API, so they can be forwarded to a SIEM or reviewed by a script. For additional information on audit logs, please see here.
Admin reports: See information about share links, workspaces, bases, users, user activity, and more.
Record level revision history: Enable record level revision history in order to track comments, who made edits to a record (users, automations triggered, syncs, and API calls), and when. More information can be found here.
Retention periods: Revision history, snapshots, trash, and inactive base retention periods can be customized by Enterprise Admins. More information can be found here.
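Because audit log entries carry the timestamp, action, source IP address, user email, and workspace/base IDs described above, and because (as the footnote on geolocation-based access controls below notes) Airtable cannot itself gate access by IP address, a customer can use the log as a detective control: periodically review every access to the bases it has segregated for sensitive-services data and flag entries from users outside its authorized list or from networks it has not verified as California-based. The following is an added example written for this datasheet, not Airtable code. It operates on entries already retrieved from the audit log API; the entry field names (`timestamp`, `userEmail`, `ipAddress`, `baseId`), the sample entries, the base IDs, the user list, and the CIDR-to-California mapping are all constructed assumptions. The review does not block anything; acting on its findings remains the customer's obligation.

```python
"""Review audit log entries for access to segregated sensitive-services bases.

Added example, not part of the Airtable product. Field names and all sample
data below are constructed; substitute the customer's own sources of truth.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed: base IDs the customer has segregated for medical information
# related to gender affirming care, abortion, and contraception (CMIA 56.101(c)).
SENSITIVE_BASES = {"appSENSITIVE000001"}

# Constructed: users the customer has authorized to access those bases.
AUTHORIZED_USERS = {"clinician@example.org", "records@example.org"}

# Constructed: networks the customer has independently verified are in California.
# Airtable does not enforce this; the allow-list exists only so the review can
# spot accesses the customer cannot attribute to a known California location.
CALIFORNIA_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    base_id: str
    ip: str
    reason: str


def ip_in_allowlist(ip: str, networks=CALIFORNIA_NETWORKS) -> bool:
    """True only if the IP parses and falls inside a verified network.

    A missing or malformed address is treated as unverifiable, i.e. flagged,
    rather than silently passing.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def review(entries, sensitive_bases=SENSITIVE_BASES,
           authorized=AUTHORIZED_USERS, networks=CALIFORNIA_NETWORKS):
    """Return one Finding per policy deviation on a sensitive base.

    Entries touching non-segregated bases are ignored; a single entry can
    produce two findings (unauthorized user and unverified location).
    """
    findings: list[Finding] = []
    for e in entries:
        base_id = e.get("baseId", "")
        if base_id not in sensitive_bases:
            continue
        # Assumed ISO 8601 with a trailing 'Z'; normalised for older Pythons.
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        user = e.get("userEmail", "")
        ip = e.get("ipAddress", "")
        if user not in authorized:
            findings.append(Finding(ts, user, base_id, ip,
                                    "user not on authorized list"))
        if not ip_in_allowlist(ip, networks):
            findings.append(Finding(ts, user, base_id, ip,
                                    "source IP outside verified California networks"))
    return findings


# Constructed sample entries shaped like the metadata the datasheet lists.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-10-01T17:02:11Z", "action": "viewBase", "ipAddress": "198.51.100.23",
     "userEmail": "clinician@example.org", "workspaceId": "wspEXAMPLE0000001", "baseId": "appSENSITIVE000001"},
    {"timestamp": "2024-10-01T17:05:40Z", "action": "viewBase", "ipAddress": "192.0.2.10",
     "userEmail": "clinician@example.org", "workspaceId": "wspEXAMPLE0000001", "baseId": "appSENSITIVE000001"},
    {"timestamp": "2024-10-01T17:09:03Z", "action": "exportCsv", "ipAddress": "203.0.113.7",
     "userEmail": "intern@example.org", "workspaceId": "wspEXAMPLE0000001", "baseId": "appSENSITIVE000001"},
    {"timestamp": "2024-10-01T17:12:55Z", "action": "viewBase", "ipAddress": "192.0.2.44",
     "userEmail": "intern@example.org", "workspaceId": "wspEXAMPLE0000001", "baseId": "appGENERAL00000001"},
    {"timestamp": "2024-10-01T17:20:19Z", "action": "viewBase", "ipAddress": "",
     "userEmail": "records@example.org", "workspaceId": "wspEXAMPLE0000001", "baseId": "appSENSITIVE000001"},
]

if __name__ == "__main__":
    for f in review(SAMPLE_ENTRIES):
        print(f"{f.timestamp.isoformat()} {f.user} {f.base_id} ip={f.ip or '<none>'}: {f.reason}")
```

Run against the constructed entries, the review flags the authorized clinician connecting from 192.0.2.10, the intern (not on the authorized list) exporting from a California network, and the records user whose entry carries no IP address; the access to the non-segregated base is ignored. In production the allow-list and authorized-user set should be read from the customer's own systems rather than hard-coded, and the review should run on every export of the audit log so that a revocation decision follows promptly.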
HIPAA
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. [§ 164.312(c)(1)]
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. [§ 164.312(a)(2)(ii)]
Airtable maintains high availability through multiple availability zones, cross-region replication, and backups.
HIPAA
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. [§ 164.312(e)(1)]
Domain management: Verify and manage your organization’s domains through DNS in the admin panel.
Data loss prevention (DLP): Use our DLP APIs to integrate with third-party vendors and take action on sensitive data your users might add to Airtable. For additional information on DLP, please see here.
HIPAA
Implement policies and procedures to address the final disposition of electronic protected health information, and the hardware or electronic media on which it is stored. [§ 164.310(d)(2)(i)]
Custom retention policies: Create policies to manage retention timeframes and protect data by deleting inactive bases in your organization. For additional information on retention policies, please see here.
eDiscovery: Give admins the ability to programmatically export existing base content and comments. For additional information on eDiscovery, please see here.
Airtable maintains data backups and a revision history subject to the chosen plan. For additional information on Airtable plan tiers, please see here.
HIPAA
Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) Psychotherapy notes; and (ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. [§ 164.524(a)(1)]
CMIA
A patient’s right to access or receive a copy of the patient’s electronic medical records upon request shall be consistent with applicable state and federal laws governing patient access to, and the use and disclosures of, medical information. [§ 56.101(b)(2)]
Airtable has various in-product capabilities to allow customers to search and identify specific records as well as export them in a commonly used electronic format:
- Download tables in bases as CSV files. More information on how to download these files can be found here.
- In product capability to search, sort, group, and filter records in a base.
- Use native keyboard functions to find (CTRL + F) phrases, names, keywords in a base.
If a customer requires Airtable’s assistance to locate and/or export records in their Airtable environment, they can reach out to Airtable for more instructions or troubleshooting help.
Security, Privacy, and Compliance at Airtable
Protecting customer data is core to Airtable. We take privacy and security into consideration in all aspects of the platform and supporting infrastructure, and are committed to meeting global security and privacy requirements. For additional information, please visit our Trust page.
*Airtable’s Business Associate Agreement was previously available to Enterprise Scale customers for execution. Airtable now offers a Health Information Exhibit instead, which includes a Business Associate Addendum and a CMIA Addendum.
**Please note that Airtable does not provide functionality that enables or disables access based on a user’s IP address or geographic location; therefore, the customer must grant and revoke access to such medical information based on its own knowledge of the location of the individuals and/or entities involved.