Is Slack HIPAA Compliant?

Slack is an effective tool for communication and collaboration; however, there is a question about using Slack in the healthcare industry and whether or not Slack is HIPAA compliant. Can healthcare organizations use Slack to share protected health information (PHI) without violating HIPAA?

Since its introduction, Slack has not been considered HIPAA compliant, even though steps have been taken to create a version of Slack that may be used by HIPAA covered entities. That version is known as Slack Enterprise Grid. Slack Enterprise Grid was introduced at the beginning of 2017. Slack Enterprise Grid is not exactly the same as Slack: it was built using different code and was created specifically for organizations with over 500 personnel.

The Chief Security Officer at Slack, Geoff Belknap, said that their team spent more than a year investing time and effort to meet the strict security requirements of clients that work in heavily regulated fields. Slack Enterprise Grid has the following security functions that support HIPAA compliance:

  • data encryption at rest and in transit
  • retention of customer messages, which serves as an audit log
  • support for data loss prevention (DLP) that makes sure the audit log is available
  • generation of detailed access logs
  • administrators can remotely terminate connections and log out users from all connected devices
  • team owners can remove certain information within 24 hours, which is handy when users leave the company
  • team-wide two-factor authentication
  • offsite backups
  • compliance with NIST standards, SOC 2 and SOC 3

Slack points out on its website that Slack Enterprise Grid customers in regulated industries can use its DLP and eDiscovery support to be HIPAA and FINRA compliant.

So, what does the foregoing discussion suggest? Slack is not HIPAA compliant. Slack Enterprise Grid could be HIPAA compliant. But before healthcare organizations can use Slack Enterprise Grid for any activities involving PHI, there must be a HIPAA business associate agreement (BAA) in place.

Before a company can use any platform for sending or receiving protected health information (PHI), the platform provider must be willing to enter into a BAA. Slack states on its website that customers should not use, disclose, transmit or process any PHI on the platform unless they have entered into a written agreement with Slack, because without such an agreement Slack is not a “business associate.” This implies that Slack is prepared to sign a BAA with clients that want to use Slack Enterprise Grid.

The BAA is not widely offered, nor is it available on the Slack website. Healthcare organizations considering Slack Enterprise Grid need to get in touch with Slack, ask for a copy, and examine the BAA that is provided. Even with a BAA in place, HIPAA covered entities still have to carefully configure the Slack Enterprise Grid platform. An entity needs to do the following to ensure that Slack Enterprise Grid is used in a way that remains HIPAA compliant:

  • maintain an audit log
  • set up user login controls
  • establish policies and procedures that cover the use of the platform
  • train staff in the use of the platform
  • activate the eDiscovery function