Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?
Is Slack HIPAA Compliant?
There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.
For a long time after its launch, Slack was not a HIPAA compliant communication solution, although steps have since been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.
In 2017, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”
Slack Enterprise Grid was announced at the start of 2017. It should be noted that Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.
Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and data loss prevention features to ensure that audit trail is maintained come what may.
Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC2 and SOC3.
As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.” Slack Enterprise Grid is only available to organizations with 250 or more active Slack workspace members, and organizations must use a SAML-based Identity Provider for SSO management.
On February 4, 2019, Slack confirmed on Twitter that the only version of the platform that supports HIPAA compliance is Enterprise Grid. Slack has also recently updated its website to confirm that it supports HIPAA compliance and can be used to share patients’ protected health information securely.
Initially, the platform only supported HIPAA compliance for file uploads but the HIPAA-compliant features were updated in 2019 to include direct messaging and channel communications, which can now be used in connection with PHI.
Before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA). A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). Slack is only prepared to sign a BAA for Slack Enterprise Grid.
There are also terms and conditions associated with the use of Slack Enterprise Grid as far as PHI is concerned. For instance, the solution can be used internally by healthcare organizations. The platform cannot be used for communicating with patients, subscription members, or their families or employers. Slack also states that “excluding messages and files, members of your organisation may not include PHI when using other Slack features.”
Slack also explains that a designated record set is not maintained, so the platform cannot be the system of record for health information, and there is no BAA in place between Slack and any third-party application provider. It is the responsibility of users to determine whether a BAA is necessary with an application provider, and the BAA should be obtained before any third-party application is enabled.
Slack also explains that it is the responsibility of healthcare users to ensure the solution is configured correctly and is made HIPAA compliant. Slack only supports HIPAA-compliant communications; the platform is not HIPAA-compliant by default. For instance, customers must ensure Slack’s Discovery APIs are used, and an external data loss prevention (DLP) provider should be used to enforce message and file restrictions and exports.
In summary, Slack is not HIPAA compliant, but Slack Enterprise Grid can be made HIPAA compliant. A BAA can be obtained for Slack Enterprise Grid, but there are limitations and steps must be taken to make Slack Enterprise Grid HIPAA compliant before it can be used in connection with any PHI.