Is Airtable HIPAA Compliant?

Airtable is HIPAA compliant for HIPAA Covered Entities and Business Associates only when they subscribe to an Enterprise Scale plan, enter into a Business Associate Agreement with Airtable, and use the platform within Airtable’s stated HIPAA limitations for storing and transmitting Protected Health Information. Airtable is a customizable business management platform with automation capabilities that connects data across separate databases and supports uses such as collaborative project management, inventory tracking, data collection, and analysis, with additional integration options that allow it to function as a customer relationship management platform.

Use of Airtable in healthcare can involve appointment and consultant availability tracking, workflow coordination for care teams, and building relational databases that track a patient’s healthcare journey and trigger actions when defined events occur. Those workflows can require disclosures of Protected Health Information to Airtable, which places Airtable within the scope of HIPAA obligations when Airtable creates, receives, maintains, transmits, or stores Protected Health Information on behalf of a regulated organization. Airtable announced support for HIPAA compliance for customers subscribing to an Enterprise Scale plan, which enables regulated customers to collect, analyze, and store Protected Health Information in Airtable databases and transmit Protected Health Information through HIPAA compliant integrations.

Airtable’s HIPAA support includes operational restrictions that narrow where Protected Health Information can reside and how automation can be used. Protected Health Information can only be stored in Records within Bases, which are described as comparable to cells and databases. Records that contain Protected Health Information may not be emailed through an automated function. External integrations connected to Airtable must also support HIPAA compliance when they create, receive, maintain, transmit, or store Protected Health Information, including commonly used enterprise platforms referenced for integration scenarios.

Feature availability also affects permitted uses. Airtable AI is not supported for HIPAA use, and Protected Health Information cannot be disclosed to Airtable’s Customer Support team through verbal or digital channels. Healthcare customers are not permitted to use Airtable as a patient portal or as the underlying technology for a patient portal. These limitations affect use cases that rely on automated distribution of record content, generative or assistive functions, support interactions that involve Protected Health Information, and patient-facing workflows that would collect or store Protected Health Information.

A Business Associate Agreement is required before a HIPAA Covered Entity or Business Associate discloses Protected Health Information to Airtable. Airtable provides a standard Business Associate Agreement for qualifying customers rather than executing a customer-provided agreement. The agreement can be requested from Airtable’s sales team for review prior to commitment, which allows a covered entity or business associate to evaluate allocation of responsibilities and obligations. Airtable’s Business Associate Agreement also allows a customer to apply coverage to only the organizational units that will collect, analyze, store, or transmit Protected Health Information, which can allow other organizational units to remain on lower-cost Team or Business subscriptions when those units do not handle Protected Health Information.

HIPAA compliant operation depends on administrative control and ongoing oversight by the customer. Airtable identifies best practices for maintaining compliant use, including regular review of user access through the admin panel, monitoring activity through downloadable reports, and enabling single sign-on login processes. Additional capabilities referenced for enhancing compliance controls include Enterprise Key Management and Data Loss Prevention APIs. Airtable also offers a free feature-limited version of the software for trial, and that version does not support HIPAA compliance for handling Protected Health Information.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]