Overview
This guide describes what you need to do if you want to use your Shortcut Workspace in a HIPAA-compliant way.
BAA with Shortcut
First, if you are a covered entity or business associate under HIPAA, Shortcut represents a business associate and you need to execute a Business Associate Agreement (BAA) with Shortcut before putting any Protected Health Information (PHI) into our systems. The BAA contract specifies terms and conditions for how Shortcut handles PHI and establishes timelines and expectations for communication as required by HIPAA.
Contact support@shortcut.com to kick off this process.
You must be on Shortcut’s Enterprise plan to be eligible for a BAA.
Shortcut Configuration
Once you have executed a BAA with Shortcut, you are responsible for configuring your Shortcut Workspace and advising your team on how to use Shortcut in a HIPAA-compliant way. Shortcut does not provide any automatic, end-to-end compliance checking on your behalf.
In order to use your Shortcut Workspace in a HIPAA-compliant way, you need to ensure the following:
Notifications
- Turn off email notifications for your Workspace
- Turn off Slack notifications for your Workspace
- Instead, leverage the in-app Activity Feed and web browser notifications
Shortcut Docs
While you can use Shortcut Docs, you must not enter PHI into the following specific features:
- Shortcut Docs comments
- Shortcut Docs suggestions
Korey
Do not connect your Workspace to the Korey agent.
Integrations
Your BAA with Shortcut does not automatically extend to other third-party systems you integrate with your Shortcut Workspace—whether through the Shortcut web interface or by configuring access in those tools separately. Vet and review the terms and conditions for all such third-party services, and establish separate BAAs with those vendors as appropriate.