Is Slack HIPAA Compliant?

Slack is a useful communication and collaboration tool, but its HIPAA compliance must be clarified before it is used in the healthcare industry. Can healthcare organizations use Slack to share protected health information (PHI) without violating HIPAA?

Since its introduction, Slack has not been regarded as HIPAA compliant, although there is a version of Slack, Slack Enterprise Grid, that could be used by HIPAA covered entities. Slack Enterprise Grid was launched at the start of 2017. It is not exactly the same as Slack: it was developed on a separate code base and was designed specifically for organizations with more than 500 personnel.

Slack’s Chief Security Officer, Geoff Belknap, stated that more than a year was spent meeting the stringent security requirements of customers in regulated industries. Slack Enterprise Grid has the following security features that support HIPAA compliance:

  • data encryption in transit and at rest
  • retention of customer messages for audit logs
  • data loss prevention (DLP) support, ensuring that audit logs remain available
  • creation of detailed access logs
  • administrators can remotely terminate connections and sign out users from all linked devices
  • team owners can delete certain information within 24 hours, which is useful when an employee is terminated
  • team-wide two-factor authentication
  • offsite backups
  • compliance with NIST standards, SOC 2 and SOC 3

Slack states on its official website that Slack Enterprise Grid customers in regulated industries can use its DLP and eDiscovery support for HIPAA and FINRA compliance.

So, is Slack HIPAA compliant? Slack Enterprise Grid may be HIPAA compliant. However, before using Slack Enterprise Grid for any process involving protected health information (PHI), a healthcare organization must enter into a business associate agreement (BAA) with Slack.

Before an entity can use any platform to transmit or receive PHI, the platform’s vendor must be willing to sign a BAA. Slack specifies on its website that the platform must not be used to store, share, transmit or process PHI, and that unless a customer signs a written agreement with Slack, Slack is not considered a “business associate.” This implies that Slack is willing to enter into a BAA with customers who wish to use Slack Enterprise Grid.

The BAA is not publicly offered or accessible on the Slack website. Healthcare organizations considering Slack Enterprise Grid should contact Slack, request a copy, and review the BAA. Even with a BAA in place, HIPAA covered entities must still configure the Slack Enterprise Grid platform correctly. To ensure that Slack Enterprise Grid remains HIPAA compliant, an entity must do the following:

  • set up audit logging
  • configure user login settings
  • develop policies and procedures for platform usage
  • develop employee training on the use of the platform
  • enable the eDiscovery function