Is Slack HIPAA Compliant?

Slack is a useful communication and collaboration tool, but its HIPAA compliance must be clarified before it is used in the healthcare industry. Can healthcare organizations use Slack to disclose protected health information (PHI) without violating HIPAA?

Since its introduction, Slack has not been regarded as HIPAA compliant, although there is a version of Slack – Slack Enterprise Grid – that could be used by HIPAA covered entities. Slack Enterprise Grid was launched at the start of 2017. It is not exactly the same as Slack: it was built on a separate code base and was designed specifically for organizations with more than 500 personnel.

Slack’s Chief Security Officer, Geoff Belknap, stated that more than one year was spent on meeting the stringent security requirements of customers in regulated industries. Slack Enterprise Grid has the following security features to support HIPAA compliance:

  • encryption of data in transit and at rest
  • retention of customer messages for audit logs
  • data loss prevention (DLP) support, ensuring audit logs remain available
  • creation of detailed access logs
  • administrators can remotely terminate sessions and sign out users from all linked devices
  • team owners can delete certain information within 24 hours, which is useful when an employee leaves the company
  • team-wide two-factor authentication
  • offsite backups
  • compliance with NIST standards, SOC 2 and SOC 3

Slack states on its official website that Slack Enterprise Grid customers in regulated industries can use DLP and eDiscovery support for HIPAA and FINRA compliance.

So, is Slack HIPAA compliant? Slack Enterprise Grid may be HIPAA compliant. However, prior to using Slack Enterprise Grid for processes involving protected health information (PHI), healthcare organizations must enter into a business associate agreement (BAA).

Before an entity can use any platform to transmit or receive PHI, the platform provider must be prepared to sign a BAA. Slack specifies on its website that the platform must not be used to store, share, transmit or process PHI unless the customer has signed a written agreement with Slack; without such an agreement, Slack is not considered a “business associate.” In other words, Slack is willing to enter into a BAA with customers who wish to use Slack Enterprise Grid.

The BAA is not openly offered or accessible on the Slack website. Healthcare organizations considering Slack Enterprise Grid should contact Slack, request a copy, and review the BAA. Even with a BAA in place, HIPAA covered entities still need to configure the Slack Enterprise Grid platform correctly. To ensure that Slack Enterprise Grid remains HIPAA compliant, an entity must do the following:

  • set up an audit log
  • configure user login
  • develop policies and procedures for platform usage
  • develop employee training for the use of the platform
  • turn on the eDiscovery function

Slack and HIPAA: FAQ

What would happen if a CE used Slack without entering into a BAA?

Using Slack without a business associate agreement is a violation of HIPAA. Such violations can lead to hefty fines if discovered by the Office for Civil Rights (OCR), the body that enforces HIPAA; alternatively, OCR may issue a corrective action plan. It is the responsibility of the covered entity to ensure that it has entered into a BAA with Slack.

Is Slack HIPAA compliant by default?

No. Even Slack Enterprise Grid needs additional configuration to ensure that it is HIPAA compliant. For example, a third-party data loss prevention (DLP) solution should be used to enforce restrictions on file sharing and exports.

Will Slack enter into a BAA?

Slack will only enter into a BAA for its Slack Enterprise Grid product. This is the only product offered by Slack that meets HIPAA’s stringent requirements. However, even after entering into the BAA, Slack Enterprise Grid needs to be correctly configured to ensure HIPAA compliance.

Is Slack encrypted?

Slack Enterprise Grid does encrypt data at rest and in transit. Other security features include customizable message retention (so the covered entity can decide how long messages are kept), Enterprise Key Management, and integration with data loss prevention products.