Is Slack HIPAA Compliant?
What is Slack?
Slack is an industry-leading business communication platform whose features are designed to improve team communication in a way that is similar to, but more user-friendly than, email or texting. Channels can be created as either public or private, depending on who in the workplace should be involved in a given project or topic discussion. Other notable Slack features include the emoji keyboard for message reactions, direct messaging, and the ability to search all content, files, and conversations in order to refer back to old information when necessary.
Since its launch in 2014, Slack has garnered over 10 million daily users. One of the draws of the software is its integration with popular third-party services such as Google Drive, Zendesk, Dropbox, Zapier, Trello, and others. Although it is clearly widely used in organizations of all kinds, there is often confusion about whether or not the software is HIPAA compliant. Slack has taken steps to answer this question, both in how the product is offered and through the information provided on its website.
Is Slack Typically HIPAA Compliant?
Unfortunately, no: Slack does not guarantee HIPAA compliance with standard usage of the software. Luckily, the upgraded Slack plan, Enterprise Grid, includes the security capabilities needed to use Slack while remaining HIPAA compliant.
Slack is a great resource for simplifying communication between coworkers and making project collaboration easier for teams. However, healthcare organizations must hold the software they work with to a higher standard of security than companies operating in other industries. That is why companies that must comply with HIPAA need to take a few extra steps in order to use Slack to increase productivity and communication while still maintaining the complete security of protected health information (PHI).
How to Make Slack HIPAA Compliant
As mentioned above, the standard Slack version cannot be used in a way that retains a HIPAA-compliant level of security. However, Slack has created a separate platform, Enterprise Grid, which was designed for healthcare organizations that need HIPAA requirements to be met.
Enterprise Grid, launched in early 2017, was built on a different code base and is specifically intended for larger organizations that require a higher degree of security. When configured according to the instructions provided by Slack, Enterprise Grid can be used to share PHI in direct messages, team channels, and file uploads. Back in 2017, Slack’s Chief Security Officer, Geoff Belknap, said, “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”
Implementing Enterprise Grid as your communication platform starts with reviewing and carrying out each step of the HIPAA Entities guide that Slack sends you. The next step is signing a Business Associate Agreement (BAA) with Slack. Finally, your organization will be asked to provide Slack with “a list of all Slack organizations or workspaces with which you plan to use PHI.” Those are the main steps needed to prepare to use Slack’s Enterprise Grid as a HIPAA-compliant yet simple and convenient communication solution.
Enterprise Grid Details
Enterprise Grid was specifically designed to add several security features beyond the standard Slack version so that it is fully equipped to support HIPAA compliance. These include custom message retention to keep track of content, encryption of data both at rest and in transit, and DLP (data loss prevention) features that ensure an audit log is maintained. Here are a few more details on this upgraded HIPAA-compliant solution.
Slack partners are able to download activity logs for messages sent within your various Slack workspaces. These audit logs can also capture file downloads and uploads, and keep track of any admin setting changes.
Data Loss Prevention (DLP)
Enterprise Grid is API-based and contains pre-built connectors that integrate with leading software solution partners.
Partners are then able to use the following functions:
- Monitoring messages and files sent in public channels, private channels, or direct messages
- Integrating data loss prevention solutions that have complete access to all content seen within your organization
- Using DLP software to quarantine and remove non-compliant content almost immediately
Signing a Business Associate Agreement with Slack
When healthcare organizations use Slack to carry out any company activities or functions, that positions Slack as a Business Associate under HIPAA’s definition. As the requirements of HIPAA state, all covered entities must sign
It is also important to keep in mind that even with the Enterprise Grid plan and a signed Business Associate Agreement, Slack cannot be used to communicate with patients, their family members, or employers. If you choose to work with any other application providers found through the Slack App Directory, you retain complete responsibility for deciding whether you need to sign a Business Associate Agreement with that provider before enabling their integration with Slack.