Is Slack HIPAA Compliant?
Slack is HIPAA compliant for covered entities and business associates that subscribe to an Enterprise Grid Plan, configure the platform to comply with Slackโs limitations on use, and enter into a Business Associate Agreement. Before using the platform, it is also necessary to provide Slack with a list of orgs and workspaces in which Protected Health Information will be used or disclosed.
Slack by Salesforce is a productivity, collaboration, and communications platform which include capabilities such as one-to-one and one-to-many messaging, file and media sharing, voice and video calls, and group chat. The platform has robust security features, an easy-to-use interface, and advanced search features. It also integrates with thousands of third party apps โ making Slack a popular choice for companies with remote workers and remote teams.
In the healthcare and health insurance industries, any productivity, collaboration, or communication software that creates, receives, stores, or transmits Protected Health Information (PHI) has to be HIPAA compliant. This means the software must include the capabilities to enable HIPAA covered entities and business associates to protect the privacy and security of PHI. Effectively, HIPAA compliant software supports HIPAA compliance.
Slack Does Not Support HIPAA Compliance by Default
Slack does not support HIPAA compliance by default. The โFreeโ, โProโ, and โBusiness+โ plans lack the capabilities required to protect the privacy and security of PHI; and, although it is still possible for covered entities and business associates to use Slack if they subscribe to one of these plans, the platform cannot be used to create, receive, store, or transmit PHI. To do so would expose PHI to unauthorized access by Slack, which would be a notifiable data breach.
The only Slack plan with the capabilities to support HIPAA compliance is the Enterprise Grid Plan โ and even then, the platform does not support HIPAA compliance by default. In order to make Slack HIPAA compliant, covered entities and business associates must implement the โSlack Requirements for HIPAA Entitiesโ, sign Slackโs Business Associate Agreement, and provide Slack with a list of orgs and workspaces in which PHI will be used or disclosed.
What are the Slack Requirements for HIPAA Entities?
The Slack Requirements for HIPAA entities are more a guide on the limitations of use than a configuration guide. The Requirements include:
- Slack may not be used to communicate with patients, plan members, or their families or employers.
- Patients, plan members, and theirย families or employers may not be added as users or guests to any Slack workspaces or channels.
- While users may discuss PHI in message content and upload files that contain PHI, users may not include PHI in some specific fields.
- There are restrictions on using email forwarding (between authorized users) and ingestion with Slack if transmitting PHI over email.
- There are controls needed if using shared channels to communicate between two separate companies or workspaces.
- Channels in which PHI may be shared through messages or documents should be set as private.
- You must inform your users about how to use and configure Slack so it can be used in compliant ways.
- There are special considerations for devices, adding users, patient home visits and other situations.
Elsewhere in Slackโs Help pages, Slack states users can only include PHI in messages and files โ not in any other service โ and that covered entities and business associates are required to implement Slackโs Discovery API to monitor workforce use of the platform. Slack also recommends setting up an external Data Loss Prevention provider to enforce message and file limitations and prevent data exports. Entities may also need third party SSO and backup tools.
Is it Worth Making Slack HIPAA Compliant?
For covered entities and business associates not already using the platform, it is hard to find a case for making Slack HIPAA compliant. The requirement to subscribe to an Enterprise Grid Plan will mean that covered entities and business associates will be paying for services they will not be able to use with PHI, and it is important to note that Slack does not have subcontractor Business Associate Agreements with any third party apps in the App Directory.
In terms of cost, operational disruption, and the administrative overhead, it may be worth investigating other platforms (i.e., Microsoft Teams, Google Workspace, etc.) rather than making Slack HIPAA compliant. This is particularly relevant for healthcare providers who are required to comply with patient requests for confidential communications (ยง164.522(b)) or respond to employersโ attempting to comply with their own regulatory requirements (ยง164.512(b)).