Is Slack HIPAA Compliant?

Slack is a useful tool that can make it much easier to communicate and collaborate, but is Slack HIPAA compliant? Would it be against HIPAA regulations for healthcare entities to send protected health information (PHI) via Slack?

Is Slack HIPAA Compliant?
The question of whether Slack is HIPAA compliant and whether it can be utilized by healthcare entities has led to a great deal of uncertainty.

The first version of Slack that was launched was not HIPAA compliant, but Slack has since built a version aimed at large organizations in regulated industries, including healthcare, called Slack Enterprise Grid.

In 2017, Slack’s Chief Security Officer, Geoff Belknap, commented on the matter. “Our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries,” said Mr. Belknap.

Slack Enterprise Grid was announced in early 2017. While it shares part of its name with the standard product, Slack Enterprise Grid is a distinct offering: it was created for organizations with more than 500 members of staff and, according to Slack, was developed on a different code base.

Slack Enterprise Grid includes a number of features that support HIPAA compliance and help protect data. Examples are encryption of information in transit and at rest, retention of messages for audit purposes, and features to back up that audit trail and prevent data loss.

Slack Enterprise Grid also generates access logs and gives administrators the ability to sign users out of connected devices and remotely terminate sessions. When a user leaves the company, the relevant team leader can delete all associated customer data within 24 hours. Further security features Slack has introduced are organization-wide mandatory two-factor authentication and off-site backups. With these additions, Slack states that the tool aligns with NIST guidance and holds SOC 2 and SOC 3 attestations. Note that SOC 2/SOC 3 reports and NIST alignment are useful evidence for a security risk analysis, but they are not themselves HIPAA compliance.

Slack states on their website that “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant”.

Coming back to our original question, is Slack HIPAA compliant? The answer is no. Slack Enterprise Grid, however, can be used in a HIPAA-compliant way. Strictly speaking, HIPAA compliance is a property of how an organization deploys and uses a tool, not of the tool itself. It is important to remember that a HIPAA business associate agreement (BAA) must be in place before healthcare entities use Slack Enterprise Grid to create, receive, store, or transmit PHI.

Will Slack Sign a Business Associate Agreement?
Before any platform is used to share PHI, the vendor that will create, receive, maintain, or transmit that PHI on the healthcare organization's behalf must enter into a BAA with the organization. Slack's standard customer terms state that "Customer must not use, disclose, transmit or otherwise process any "Protected Health Information" as defined in HIPAA."

Slack goes on to state that "Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a "Business Associate". This wording suggests that Slack is open to entering into a BAA for Slack Enterprise Grid.

No standard BAA is published on Slack's website. Healthcare entities therefore need to approach Slack directly to request one and, if one is offered, confirm that its terms cover their obligations under the HIPAA Privacy and Security Rules before signing.

Once a BAA is signed and in place, the tool must then be correctly configured. Audit logging, message retention and the eDiscovery feature need to be enabled, organization-wide two-factor authentication should be enforced, user accounts must be provisioned with appropriate access, relevant processes (onboarding, offboarding, incident handling) must be established, and employees should be trained on how PHI may and may not be handled in the tool.

Care must also be taken to use the tool in a way that respects all HIPAA rules. A BAA defines Slack's responsibilities as a business associate; it does not prevent Slack Enterprise Grid from being used in a way that violates HIPAA, for example by sharing PHI in channels whose members have no need to see it.