Standard Slack is not HIPAA compliant. Slack Enterprise Grid can be used for HIPAA-compliant communications once a Business Associate Agreement has been executed and specific configuration steps have been completed, but the permitted uses are limited and exclude several common healthcare communication scenarios.
Slack Enterprise Grid is a separate enterprise version of the platform that differs from standard Slack and was developed for large organizations. Slack Enterprise Grid was announced at the start of 2017 and was built on different code. Slack Enterprise Grid is intended for organizations with more than 500 employees, and availability is tied to organizational scale and identity management requirements.
Slack Enterprise Grid includes security features that support HIPAA compliance: encryption at rest and in transit, customer-controlled message retention to create an audit trail, and data loss prevention functionality to help preserve that audit trail. The platform generates detailed access logs, allows administrators to remotely terminate connections and sign users out of connected devices, and allows team owners to delete customer data within 24 hours when users leave the organization. Slack Enterprise Grid also supports team-wide two-factor authentication, maintains offsite backups, and aligns with NIST standards, SOC 2, and SOC 3.
Slack has indicated that Slack Enterprise Grid is the only version of the platform that supports HIPAA compliance. The HIPAA-compliant scope expanded in 2019. The platform initially supported HIPAA compliance for file uploads, and later updates extended HIPAA-compliant functionality to direct messages and channel communications when used in connection with Protected Health Information.
A Business Associate Agreement is required before Slack Enterprise Grid is used for activities involving Protected Health Information, and Slack is prepared to sign a Business Associate Agreement only for Slack Enterprise Grid. Slack Enterprise Grid use involving Protected Health Information is also subject to platform terms and conditions. The solution can be used internally by healthcare organizations. The platform cannot be used to communicate with patients, subscription members, or their families or employers. Slack also restricts Protected Health Information use in other Slack features outside messages and files.
Slack states that it does not maintain a designated record set and cannot serve as the system of record for health information. Slack also states that it does not have a Business Associate Agreement in place with third-party application providers. Healthcare organizations are responsible for determining whether a Business Associate Agreement is required with an application provider and obtaining one before enabling a third-party application.
Slack Enterprise Grid is not HIPAA compliant by default; healthcare organizations are responsible for the configuration that supports HIPAA-compliant communications. As part of that configuration, Slack identifies use of its Discovery APIs together with an external data loss prevention provider that enforces message and file restrictions and handles exports.
