HIPAA Compliant Spreadsheet: The Real List
Google Sheets is not HIPAA compliant. Excel qualifies only with expensive licensing and configuration. Here is what actually works for healthcare teams that need to manage patient data in spreadsheets.
Healthcare Teams Live in Spreadsheets
If you work in healthcare administration, you already know this reality: spreadsheets are everywhere. Patient outreach lists, referral tracking sheets, appointment scheduling grids, insurance verification logs, quality metrics dashboards, staff scheduling matrices. Despite billions of dollars invested in electronic health record systems, a staggering amount of day-to-day healthcare operations still runs through spreadsheets.
The problem is that most of these spreadsheets contain protected health information. A patient outreach list has names, phone numbers, dates of birth, and diagnosis codes. A referral tracking sheet has patient identifiers and treatment details. A scheduling grid has names linked to appointment types that reveal medical conditions. Under HIPAA, all of this is PHI, and every tool that touches it must meet specific security and compliance requirements.
Most spreadsheet tools do not meet these requirements. Some cannot. Others technically can but only with expensive enterprise configurations that most healthcare teams do not have. The result is a compliance gap that affects nearly every healthcare organization in the country: sensitive patient data sitting in tools that were never built to protect it.
What HIPAA Actually Requires From a Spreadsheet Tool
Before evaluating individual tools, you need to understand what HIPAA demands. The Security Rule establishes three categories of safeguards: administrative, physical, and technical. For a spreadsheet tool, the relevant technical requirements include:
Business Associate Agreement (BAA). Any vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a BAA. No BAA means no HIPAA compliance, period. This is a non-negotiable legal requirement.
Encryption at rest. PHI stored on the vendor's servers must be encrypted. Most modern tools meet this requirement, though the quality of implementation varies.
Encryption in transit. Data moving between your browser and the vendor's servers must be encrypted via TLS. Again, most modern tools meet this baseline.
Access controls. The tool must support role-based access, unique user identification, and automatic session timeouts. You need to be able to control who sees what.
Audit logging. Every access to PHI must be logged. You need to know who viewed a record, when, and what they did with it.
Minimum necessary principle. Users should only have access to the minimum amount of PHI necessary to perform their job function. This is where most spreadsheet tools fail completely — if you can see the spreadsheet, you can see every cell in it.
But here is the requirement that most compliance guides overlook: the vendor itself should not have unnecessary access to your PHI. HIPAA's minimum necessary principle applies to business associates too. If your spreadsheet vendor can read every cell of your patient data in plaintext, it has access far beyond what is necessary to provide a spreadsheet tool. This is the gap that NoSheet closes.
Tool-by-Tool Assessment
Google Sheets
Google explicitly states that Google Sheets is not covered under Google Workspace's BAA for HIPAA purposes. Google Workspace can be configured for HIPAA compliance for certain core services (Gmail, Drive, Calendar), but Sheets has specific limitations. Google employees with administrative access can view the contents of your Sheets. There is no cell-level encryption, no PII auto-detection, and no mechanism to prevent the vendor from reading your data. For healthcare teams, the verdict is clear: do not put PHI in Google Sheets.
Microsoft Excel Online (365)
Microsoft 365 can be HIPAA compliant, but only with the right license and configuration. You need an E5 license (or E3 with add-ons), a signed BAA with Microsoft, and a properly configured tenant with data loss prevention policies, conditional access, and sensitivity labels. Most healthcare organizations using Excel Online do not have all of these in place. Even with full configuration, Microsoft can still technically access your data — the encryption keys are Microsoft-managed by default. Customer-managed keys (BYOK) are available but require Azure Key Vault setup and significant IT resources. And even with BYOK, data is still decrypted during processing.
Airtable
Airtable offers a BAA on its Enterprise plan, which starts at custom pricing that typically exceeds what small and mid-size healthcare practices can justify for a spreadsheet tool. Even with the Enterprise plan and BAA, your data sits on Airtable's servers in plaintext. Airtable employees with infrastructure access can read your records. There is no cell-level encryption and no way to use Airtable without the vendor having access to your PHI.
SmartSheet
SmartSheet offers a BAA on its Enterprise plan and markets itself as suitable for healthcare workflows. Like Airtable, it checks the basic HIPAA boxes — encryption at rest, encryption in transit, access controls, audit logging. But like every other tool on this list (except one), SmartSheet stores and processes your data in plaintext. The vendor can read your PHI. It is encrypted on disk, but SmartSheet holds the key.
NoSheet
NoSheet is built differently. It provides HIPAA compliance not just through policies and agreements but through architecture. Cell-level encryption means that PHI columns — names, dates of birth, SSNs, phone numbers, diagnosis codes — are encrypted with per-tenant keys before processing. The vendor cannot see your PHI because the decryption key never exists on the vendor's infrastructure. PII auto-detection identifies sensitive columns automatically. Cleaning operations (dedup, formatting, validation) run on encrypted data. The audit trail logs every operation. And DLP scanning catches PHI that might slip through in unexpected columns.
Comparison Table
| Requirement | Google Sheets | Excel 365 | Airtable | SmartSheet | NoSheet |
|---|---|---|---|---|---|
| BAA available | No (Sheets) | E5 only | Enterprise | Enterprise | Yes |
| Encryption at rest | Yes | Yes | Yes | Yes | Yes |
| Encryption in transit | Yes | Yes | Yes | Yes | Yes |
| Encrypted during processing | No | No | No | No | Yes |
| Cell-level encryption | No | No | No | No | Yes |
| Vendor cannot see PHI | No | No | No | No | Yes |
| PII auto-detection | No | DLP add-on | No | No | Yes |
| Audit trail | Version history | Yes (E5) | Enterprise | Enterprise | Yes |
| Built-in data cleaning | Manual formulas | Manual formulas | No | No | Yes |
A Real Healthcare Workflow
Here is how a healthcare team actually uses NoSheet to manage patient data securely. This is a workflow that would be a HIPAA violation in Google Sheets, and prohibitively complex in Excel 365.
Step 1: Import the patient list. The practice manager exports a patient list from the EHR system — 5,000 records with names, dates of birth, phone numbers, insurance IDs, and last visit dates. They import this CSV into NoSheet.
Step 2: Automatic PHI detection. NoSheet's PII detection engine scans every column and identifies PHI: patient names, dates of birth, phone numbers, and insurance IDs are flagged. These columns are automatically encrypted with the practice's tenant key. The last visit date column, which contains dates but no identifying context, can be left unencrypted for sorting and filtering.
Step 3: Clean and deduplicate. The team runs deduplication to remove patients who appear multiple times (common with merged EHR databases). They standardize phone numbers to a consistent format for the outreach campaign. They flag records with missing or invalid phone numbers. All of this happens on encrypted data. The actual patient names and phone numbers are never visible to NoSheet. For the complete patient data cleaning workflow, see our guide to cleaning patient data for outreach.
Step 4: Launch the campaign. The cleaned, deduplicated list is used to send appointment reminder messages. The practice has gone from a raw EHR export to a clean, campaign-ready list without PHI ever being exposed in plaintext to a third-party tool.
Step 5: Audit trail. If the practice is audited, they can show a complete log of every operation performed on the patient data — who imported it, when PHI was detected and encrypted, what cleaning operations were applied, and who exported the final list. This audit trail satisfies HIPAA's documentation requirements without any additional effort from the team.
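As an added illustration of the pattern behind Steps 2 and 3 (this is example code written for this page, not NoSheet's own implementation or a description of its internals), the script below classifies columns by header keyword and value pattern, normalises phone numbers before they are protected, replaces each PHI value with a deterministic keyed token (HMAC-SHA256 under a tenant key that only the practice holds) so that deduplication and equality checks run on protected values rather than plaintext, flags missing or invalid phone numbers, and records an audit entry for every operation. The CSV, the column names, the `INS-` insurance-ID format, the tenant key and the detection thresholds are all constructed for the example; the value-pattern scan is the part that would catch an identifier sitting in an unexpected column.

```python
"""Constructed example: PHI column detection, phone normalisation, keyed
tokenisation for dedup without plaintext, and an audit log. Not NoSheet code."""
import csv
import hashlib
import hmac
import io
import re
import secrets
from datetime import datetime, timezone

# Constructed sample EHR export: fictional people, reserved 555 numbers.
SAMPLE_CSV = """patient_name,dob,phone,insurance_id,last_visit
Jane Doe,1980-04-12,(555) 010-2233,INS-88421,2024-01-15
John Roe,1975-11-02,555.010.9988,INS-11230,2023-12-01
jane doe,1980-04-12,555-010-2233,INS-88421,2024-02-20
Mary Major,1990-07-30,,INS-55512,2024-03-03
"""

PHONE_RE = re.compile(r"^\D*(\d{3})\D*(\d{3})\D*(\d{4})\D*$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
INS_RE = re.compile(r"^INS-\d{5}$")  # constructed insurance-ID format
# Header keyword -> PHI kind (assumed heuristics, checked before value patterns).
HEADER_HINTS = {"name": "name", "birth": "dob", "dob": "dob",
                "phone": "phone", "ssn": "ssn", "insurance": "insurance_id"}


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def detect_phi_columns(rows, threshold=0.6):
    """Map column -> PHI kind. A column is PHI if its header carries a hint or
    if at least `threshold` of its non-empty values match an identifier pattern.
    Bare dates are not flagged without a birth/dob header, so a 'last_visit'
    column stays in the clear for sorting and filtering."""
    phi = {}
    for col in rows[0]:
        hint = next((k for h, k in HEADER_HINTS.items() if h in col.lower()), None)
        if hint:
            phi[col] = hint
            continue
        vals = [r[col] for r in rows if r[col]]
        if not vals:
            continue
        for kind, rx in (("phone", PHONE_RE), ("ssn", SSN_RE), ("insurance_id", INS_RE)):
            if sum(bool(rx.match(v)) for v in vals) / len(vals) >= threshold:
                phi[col] = kind  # identifier found in an unexpectedly named column
                break
    return phi


def normalize_phone(raw):
    """Canonical +1NNNNNNNNNN for a US number; None when missing or invalid."""
    m = PHONE_RE.match(raw or "")
    return "+1" + "".join(m.groups()) if m else None


def blind_token(tenant_key, kind, value):
    """Deterministic keyed token: equal plaintexts give equal tokens, so dedup
    and joins work on tokens alone, and only the tenant-key holder can compute
    them. Whitespace and case are canonicalised first so 'jane doe' matches
    'Jane Doe'. (A full system would also keep the value under an AEAD cipher;
    the standard library has none, so this example stores only the token.)"""
    canon = " ".join(value.split()).casefold()
    msg = f"{kind}\x00{canon}".encode()
    return hmac.new(tenant_key, msg, hashlib.sha256).hexdigest()[:32]


def protect_rows(rows, phi_cols, tenant_key, audit):
    """Replace every PHI cell with its token; normalise phones first, on the
    client side where the key lives, and flag rows whose phone is unusable."""
    out = []
    for r in rows:
        p = dict(r)
        for col, kind in phi_cols.items():
            val = r[col]
            if kind == "phone":
                val = normalize_phone(val)
                p["phone_valid"] = val is not None
                val = val or ""
            p[col] = blind_token(tenant_key, kind, val) if val else ""
        out.append(p)
    log(audit, "phi_protected", columns=sorted(phi_cols), rows=len(out))
    return out


def dedupe(protected, key_cols, audit):
    """Drop repeated patients by comparing tokens, never plaintext."""
    seen, unique = set(), []
    for p in protected:
        key = tuple(p[c] for c in key_cols)
        if key not in seen:
            seen.add(key)
            unique.append(p)
    log(audit, "dedupe", key=list(key_cols), removed=len(protected) - len(unique))
    return unique


def log(audit, event, **fields):
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})


def run_pipeline(csv_text, tenant_key, actor="practice_manager"):
    audit = []
    rows = load_rows(csv_text)
    log(audit, "import", actor=actor, rows=len(rows))
    phi_cols = detect_phi_columns(rows)
    log(audit, "phi_detected", columns=dict(phi_cols))
    protected = protect_rows(rows, phi_cols, tenant_key, audit)
    key_cols = [c for c, k in phi_cols.items() if k in ("name", "dob")]
    unique = dedupe(protected, key_cols, audit)
    missing = sum(not p.get("phone_valid", True) for p in unique)
    return {"rows": unique, "phi_columns": phi_cols, "audit": audit, "missing_phone": missing}


if __name__ == "__main__":
    res = run_pipeline(SAMPLE_CSV, secrets.token_bytes(32))  # key stays with the practice
    print("PHI columns:", res["phi_columns"])
    print("campaign rows:", len(res["rows"]), "missing phone:", res["missing_phone"])
    for e in res["audit"]:
        print(e)
```

Running it on the constructed export flags four of the five columns, leaves `last_visit` readable, collapses the two spellings of the same patient into one row, reports one record with no usable phone number, and leaves a four-entry audit trail; a reviewer who receives only the protected rows sees 32-hex-character tokens in every PHI cell.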
The Real HIPAA Question
Most HIPAA compliance discussions focus on whether a vendor has signed a BAA and whether they encrypt data at rest. These are table stakes. The real question is: can the vendor read your patient data? If the answer is yes, you have a risk. It does not matter how many certifications they have or how many pages their BAA is. If a breach occurs and your patients' PHI was sitting in plaintext on a vendor's server, your organization is liable.
NoSheet answers that question differently from every other spreadsheet tool. We cannot read your patient data. Not because of a policy. Not because of employee training. Because the cryptographic architecture makes it impossible. That is the strongest possible compliance posture: a vendor that is technically unable to violate your patients' privacy, even under duress. To understand the encryption technology behind this, read our article on PHI detection in spreadsheets.
HIPAA Compliance Without the Headaches
NoSheet gives healthcare teams a spreadsheet that is HIPAA compliant by design. Cell-level encryption, automatic PHI detection, and a full audit trail — all without exposing patient data.