Is Airtable HIPAA Compliant? BAA, Plan Requirements, and Using Airtable for PHI

Kevin Henry

HIPAA

May 13, 2025

7 minute read

Whether Airtable can be used with Electronic Protected Health Information (ePHI) depends on three things: an executed Business Associate Agreement (BAA), eligibility on the right enterprise plan, and rigorous configuration that aligns with HIPAA’s administrative, physical, and technical safeguards. Without all three, you should not store or process PHI in Airtable.

Compliance is a shared responsibility. Airtable can provide security features and contractual commitments, but you still must implement policies, limit data to the minimum necessary, and continuously monitor for risks.

HIPAA Compliance Features

Security controls you should expect

  • Identity and access: SAML Single Sign-On and enforced Two-Factor Authentication help ensure only authorized workforce members access PHI.
  • Granular authorization: Role- and base-level permissions, restricted share links, and view-level filters support the minimum necessary standard.
  • Data protection: Encryption in transit and at rest is table stakes; if your risk posture requires Enterprise Key Management, verify availability or define compensating controls.
  • Data Loss Prevention: Admin controls to disable public shares, limit external collaborators, and restrict integrations reduce leakage risk.
  • Logging and monitoring: Enterprise audit logs, change history, and export to your SIEM enable detection and investigation of security events.

Governance and resilience

  • Lifecycle management: SCIM provisioning/deprovisioning, periodic access reviews, and break-glass procedures sustain least privilege over time.
  • Backup and recovery: Document retention periods, recovery objectives, and how attachments are protected throughout their lifecycle.

Business Associate Agreement Requirements

Airtable usage with PHI requires a signed BAA (often titled a Business Associate Addendum) and, in some cases, a Health Information Exhibit that defines exactly which services, data types, and features are in scope. Do not upload ePHI until the BAA is fully executed.

Key terms to verify in the BAA

  • Permitted uses and disclosures: How Airtable (and its subprocessors) handle PHI, including support interactions and diagnostics.
  • Safeguards: Administrative, physical, and technical controls consistent with the HIPAA Security Rule, including encryption and access controls.
  • Breach notification: Timely notice, cooperation, and forensics support if an incident involves PHI.
  • Subcontractors: Flow-down BAA obligations to all downstream providers that may access PHI.
  • Return or destruction: Processes for data export and secure deletion at contract end.
  • Scope clarity: Whether attachments, metadata, logs, and AI features are covered or explicitly excluded in the Health Information Exhibit.

Enterprise Scale Plan Conditions

HIPAA-enabling controls are typically gated to an enterprise tier and turned on only after the BAA is in place. Treat lower plans as out of scope for PHI.

  • Admin enforcement: Require SAML SSO, Two-Factor Authentication, and SCIM; disable password bypass and public sharing.
  • Collaboration restrictions: Domain allowlists, invite approvals, and granular workspace governance to control who can view or export PHI.
  • Security operations: Enterprise audit logs, admin APIs, and alerting for high-risk events; document retention windows and export options.
  • Integration controls: Central approval for connectors, automations, and APIs so ePHI does not flow to non-BAA systems.
  • Encryption posture: Confirm encryption standards; if Enterprise Key Management is required, evaluate feasibility or compensating measures.

Configuring Airtable for PHI Security

Identity and access

  • Create a dedicated, labeled HIPAA workspace; restrict admins and separate duties (security vs. content owners).
  • Enforce SAML Single Sign-On with conditional access; require Two-Factor Authentication for all users and service accounts.
  • Provision via SCIM; prohibit personal accounts; rotate credentials and API tokens on a fixed schedule.

Data protection and DLP

  • Disable public links and external sharing for bases with PHI; require named user access and watermark exports where feasible.
  • Apply Data Loss Prevention rules: block downloads for noncompliant devices, restrict copy/export, and prevent external syncs that are not covered by a BAA.
  • Minimize PHI fields; prefer de-identified or tokenized data; keep identifiers in a separate, more restricted base.

Monitoring, logging, and response

  • Export audit logs to your SIEM; alert on unusual access, mass exports, or permission changes.
  • Run quarterly access recertifications; document “minimum necessary” justifications.
  • Test incident response and backup recovery; verify how attachments and linked files are restored and wiped.
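The alerting bullets above (unusual access, mass exports, permission changes) can be turned into concrete SIEM rules. The following is an added example, not Airtable's code or Accountable's: it parses newline-delimited JSON audit events in a constructed schema (fields `ts`, `actor`, `action`, `base`, `details`, which are assumptions and not Airtable's real audit-log format) and applies three detection rules with assumed thresholds (a 10-minute sliding window, a 200-row export limit, 07:00 to 20:00 UTC as business hours, and `example.org` as the workforce domain). The sample events are constructed for the demonstration.

```python
"""Detection rules over exported audit-log events for a base holding ePHI.
Added example; the event schema, thresholds and sample data are constructed
assumptions, not Airtable's actual audit-log format or defaults."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real Airtable logs): one export burst, one
# public share link, one grant to an outside account and one 02:15 UTC access.
SAMPLE_LOG = """
{"ts": "2025-05-12T09:02:11Z", "actor": "nurse.a@example.org", "action": "record.view", "base": "phi-intake", "details": {}}
{"ts": "2025-05-12T09:05:40Z", "actor": "nurse.a@example.org", "action": "record.export", "base": "phi-intake", "details": {"rows": 40}}
{"ts": "2025-05-12T09:06:02Z", "actor": "nurse.a@example.org", "action": "record.export", "base": "phi-intake", "details": {"rows": 50}}
{"ts": "2025-05-12T09:07:15Z", "actor": "nurse.a@example.org", "action": "record.export", "base": "phi-intake", "details": {"rows": 500}}
{"ts": "2025-05-12T14:30:00Z", "actor": "admin.b@example.org", "action": "share.create", "base": "phi-intake", "details": {"public": true}}
{"ts": "2025-05-12T14:31:00Z", "actor": "admin.b@example.org", "action": "permission.change", "base": "phi-intake", "details": {"user": "contractor@partner.example", "role": "editor"}}
{"ts": "2025-05-13T02:15:33Z", "actor": "nurse.c@example.org", "action": "record.view", "base": "phi-intake", "details": {}}
{"ts": "2025-05-13T10:00:00Z", "actor": "nurse.c@example.org", "action": "record.view", "base": "scheduling", "details": {}}
"""

PHI_BASES = {"phi-intake"}             # bases known to hold ePHI (assumed name)
EXPORT_WINDOW = timedelta(minutes=10)  # sliding window for mass-export detection
EXPORT_ROW_LIMIT = 200                 # rows per actor per window before alerting
BUSINESS_HOURS = range(7, 20)          # UTC hours treated as normal access times
INTERNAL_DOMAIN = "example.org"        # workforce e-mail domain (assumed)


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_export(events):
    """Alert when one actor exports more than EXPORT_ROW_LIMIT rows from a PHI
    base within EXPORT_WINDOW, summing the rows of the exports in the window."""
    alerts = []
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] != "record.export" or ev["base"] not in PHI_BASES:
            continue
        window = per_actor[ev["actor"]]
        window.append(ev)
        # Drop exports that have fallen out of the sliding window.
        while window and ev["ts"] - window[0]["ts"] > EXPORT_WINDOW:
            window.pop(0)
        total = sum(e["details"].get("rows", 0) for e in window)
        if total > EXPORT_ROW_LIMIT:
            alerts.append(("mass_export", ev["actor"], total))
            window.clear()  # one alert per burst, not one per extra export
    return alerts


def detect_risky_sharing(events):
    """Alert on public share links and on permission grants to accounts outside
    the workforce domain for any PHI base."""
    alerts = []
    for ev in events:
        if ev["base"] not in PHI_BASES:
            continue
        if ev["action"] == "share.create" and ev["details"].get("public"):
            alerts.append(("public_share", ev["actor"], ev["base"]))
        if ev["action"] == "permission.change":
            grantee = ev["details"].get("user", "")
            if not grantee.endswith("@" + INTERNAL_DOMAIN):
                alerts.append(("external_grant", ev["actor"], grantee))
    return alerts


def detect_off_hours_access(events):
    """Alert on any access to a PHI base outside BUSINESS_HOURS (UTC)."""
    return [
        ("off_hours_access", ev["actor"], ev["ts"].isoformat())
        for ev in events
        if ev["base"] in PHI_BASES and ev["ts"].hour not in BUSINESS_HOURS
    ]


def run_all(text):
    """Run every rule over the raw log text and return the combined alert list."""
    events = parse_events(text)
    return (detect_mass_export(events)
            + detect_risky_sharing(events)
            + detect_off_hours_access(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

Each rule keys on the base name so that the same feed can cover both PHI and non-PHI bases; the `scheduling` base access at 10:00 raises nothing, while the same user's 02:15 access to `phi-intake` does. In production the thresholds belong in configuration and the alerts should be raised as SIEM findings rather than printed.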

Integrations and lifecycle

  • Allowlist only BAA-covered integrations; review each automation step for potential PHI disclosure.
  • Define retention and legal hold procedures; schedule secure archival or destruction at end-of-life.

Limitations and Restrictions on AI Features

Unless your BAA explicitly includes AI processing, treat Airtable AI and any model-driven features as out of scope for ePHI. Many AI systems rely on third-party models, prompt logging, and vendor-run infrastructure that may not be covered by your agreements.

  • Default stance: Disable AI features in any workspace that stores PHI; block prompts containing identifiers with DLP controls.
  • If enabling AI under a covered scope: Opt out of model training, restrict data retention, prefer on-tenant or in-scope models, and log prompts/outputs for auditing.
  • Never paste PHI into AI prompts or assistants unless you have written confirmation that the feature and provider are within your BAA.

Customer Responsibilities for Compliance

HIPAA compliance is not achieved by software alone. You are responsible for organizational safeguards and day-to-day operations.

  • Risk management: Conduct a HIPAA risk analysis, document mitigation plans, and reassess after major changes.
  • Policies and training: Enforce acceptable use, data handling, and incident response; train staff on the minimum necessary standard.
  • Access governance: Implement least privilege, separation of duties, periodic reviews, and rapid offboarding.
  • Vendor management: Maintain BAAs with all integrated tools; vet subprocessors and data flows end-to-end.
  • Device and network controls: MDM, disk encryption, screen locks, and secure networks for any device accessing PHI.
  • Documentation and auditing: Keep configuration baselines, change logs, and evidence of monitoring and testing.

Alternative HIPAA-Compliant Solutions

If Airtable’s scope or plan constraints do not fit your risk profile, consider platforms that commonly support PHI workflows with BAAs (verify scope and features before use):

  • Low-code/business platforms: Microsoft Power Apps with Dataverse, ServiceNow, Quickbase.
  • CRM and care platforms: Salesforce (including Health Cloud).
  • Content and collaboration with strong governance: Microsoft SharePoint/Lists, Box (with advanced governance).
  • Healthcare-focused systems: Established EHR/EMR platforms such as Epic, Oracle Health (Cerner), or athenahealth for regulated clinical data.
  • Forms and workflow: Formstack or Jotform offerings designed for HIPAA scenarios.

Match the solution to your data sensitivity, integration needs, and required controls like Data Loss Prevention and Enterprise Key Management.

FAQs

Does Airtable require a BAA for HIPAA compliance?

Yes. You must have a fully executed Business Associate Agreement—often provided as a Business Associate Addendum—and, where applicable, a Health Information Exhibit defining what services and features are in scope. Without a BAA, do not use Airtable for PHI.

Which Airtable plans support HIPAA compliance features?

HIPAA-related controls are typically available only on an enterprise tier (often called Enterprise Scale) and are enabled after the BAA is executed. Treat lower-tier plans as out of scope for ePHI.

Can Airtable AI be used with ePHI data?

Only if your BAA explicitly covers AI features and you configure them to prevent data sharing or model training with PHI. The conservative advice is to disable AI for any base containing ePHI.

What are customer responsibilities when using Airtable for PHI?

You must implement HIPAA’s administrative, physical, and technical safeguards: conduct risk analyses, enforce SAML Single Sign-On and Two-Factor Authentication, apply Data Loss Prevention, govern integrations, train staff, monitor audit logs, and document policies and procedures. Compliance remains a shared responsibility even with a signed BAA.
