Is Slack HIPAA Compliant? BAA, Approved Plans, and Setup Guide

Kevin Henry

HIPAA

June 09, 2025

7 minutes read

Slack HIPAA Compliance Overview

Slack can support HIPAA compliance when you use the Enterprise Grid plan, execute a Business Associate Agreement (BAA) with Slack, and configure the platform to protect Protected Health Information (PHI). Compliance is never automatic; your policies, controls, and user behavior determine whether PHI is handled appropriately.

At a minimum, you should rely on Encryption in Transit and Encryption at Rest, enforce strong identity and device security, and apply governance to messages and files. Treat Slack as a collaboration layer—not your system of record for the Designated Record Set—so PHI remains limited, intentional, and auditable.

  • Approved plan: Enterprise Grid only; lower tiers are not HIPAA-eligible for PHI.
  • BAA: Must be signed before any PHI is placed in Slack.
  • Controls: Retention, legal hold, Audit Trail, DLP, and app governance are required.

Enterprise Grid Plan Features

The Enterprise Grid plan provides security and compliance capabilities needed to manage PHI at scale while maintaining collaboration speed. These features help you implement administrative, physical, and technical safeguards aligned to HIPAA requirements.

  • Identity and access: SSO (SAML) and SCIM for lifecycle management; granular roles and permissions.
  • Data security: Encryption in Transit and Encryption at Rest; optional enterprise key management to meet internal key-control requirements.
  • Governance: Message and file retention, legal hold, and export options to meet discovery needs without turning Slack into a Designated Record Set.
  • Monitoring: Audit Logs API and discovery capabilities to build a complete Audit Trail of access and administrative actions.
  • Data Loss Prevention: Integrations with DLP/CASB tools to scan, block, quarantine, or redact PHI in real time.
  • Device protection: Mobile management (EMM/MDM) support, session controls, and file download restrictions.
  • Operational controls: Org-wide policies for workspaces, channels, app installation, and external collaboration.

Business Associate Agreement Requirements

The Business Associate Agreement establishes permitted uses and safeguards for PHI in Slack. Until a BAA is fully executed with Slack, do not allow PHI into the platform. After execution, you are responsible for configuring Slack and your processes according to the BAA’s terms.

  • Scope: Identifies covered services and features; anything outside scope should not process PHI.
  • Safeguards: Requires appropriate access controls, encryption, Data Loss Prevention, and an auditable trail of activity.
  • Breach notification: Defines timelines and responsibilities for incident response and reporting.
  • Subprocessors and third parties: Requires vetting and, where applicable, separate BAAs with vendors that handle PHI via Slack.
  • Record management: Clarifies that Slack should not be your Designated Record Set; store medical records in your EHR and keep Slack collaborative.

Restrictions on PHI Usage

Apply the HIPAA “minimum necessary” standard. Keep PHI out of Slack wherever possible, and when required, constrain it to controlled channels with strict policies and monitoring. Avoid anything that turns Slack into a system of record.

  • Do not place PHI in channel names, user profiles, custom fields, custom emojis, or file names.
  • Prefer private channels with limited membership; restrict external sharing and public posting.
  • Disable public file links, email forwarding into Slack, and risky automations that could exfiltrate PHI.
  • Avoid uploading images or screenshots that contain PHI unless scanning and retention controls are enforced.
  • Keep medical and billing records—the Designated Record Set—within your EHR/EMR; reference records rather than embedding them.

Monitoring and Data Loss Prevention

A layered monitoring program helps you detect and stop PHI exposure quickly while producing an Audit Trail. Use DLP to identify HIPAA identifiers (the 18 Safe Harbor identifiers, e.g., names, MRNs, SSNs, dates of birth, phone numbers, addresses) and enforce policy in near real time.

  • Content inspection: Scan messages, files, and previews for PHI; block or redact when violations occur.
  • File governance: Quarantine sensitive files, restrict downloads, and prevent public sharing.
  • Audit Trail: Centralize Audit Logs and discovery data to reconstruct who accessed PHI and when.
  • Anomaly detection: Alert on unusual behavior (bulk downloads, mass invites, risky app installs).
  • Periodic review: Test DLP rules, retention, and exports; validate that controls match the BAA and your risk assessment.
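As an added example of the content-inspection step above (this is not code from the original article or from Slack, and no commercial DLP product works exactly this way), the following Python scanner flags a handful of HIPAA identifiers with regular expressions and returns a redacted copy of each message that a hook could log in place of the original. The MRN format (the token "MRN" followed by 6 to 8 digits), the other patterns, and the sample messages are all constructed assumptions; a real deployment tunes the patterns per organization and adds dictionary or ML detectors for names and addresses, which regexes cannot catch reliably.

```python
"""
Added example, not code from the original article or from Slack: a
regex-based content-inspection pass of the kind a DLP integration runs
on Slack messages before they post (or on ingest). It flags common HIPAA
identifiers and returns a redacted copy for logging. Patterns, the MRN
format (assumed: the token "MRN" followed by 6-8 digits), and the sample
messages are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Each pattern names an identifier class. Real deployments tune these per
# organization (MRN formats differ) and add dictionary/ML detectors for names.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)[:\s]*"
        r"(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b",
        re.IGNORECASE,
    ),
    # Lookbehind instead of \b so "(555) ..." after a space still matches.
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class Finding:
    kind: str
    start: int
    end: int


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)
    redacted: str = ""

    @property
    def blocked(self) -> bool:
        """Policy: any identifier hit blocks the message."""
        return bool(self.findings)


def scan_message(text: str) -> ScanResult:
    """Return every identifier hit plus a copy with hits replaced by tags."""
    findings = [
        Finding(kind, m.start(), m.end())
        for kind, pattern in PHI_PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    # Replace from the end of the string so earlier offsets stay valid.
    redacted = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        redacted = redacted[: f.start] + f"[REDACTED:{f.kind.upper()}]" + redacted[f.end :]
    return ScanResult(findings=findings, redacted=redacted)


# Constructed sample messages; no real patient data.
SAMPLE_MESSAGES = [
    "Reminder: sprint review moved to 3pm, room B.",
    "Can someone check MRN 00482913 for the discharge summary? SSN 123-45-6789",
    "Pt DOB 03/14/1975 called back at (555) 201-7788, please return call",
]


def enforce(messages):
    """Map each message to ('allow'|'block', redacted text) as a DLP hook would."""
    out = []
    for msg in messages:
        r = scan_message(msg)
        out.append(("block" if r.blocked else "allow", r.redacted))
    return out


if __name__ == "__main__":
    for decision, shown in enforce(SAMPLE_MESSAGES):
        print(f"{decision:5} {shown}")
```

The redacted copy is what should reach your SIEM or ticketing system: logging the original message would move the PHI into yet another store that then needs to be covered by a BAA and retention policy.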

Third-Party Application Considerations

Every integration that can see or move PHI must be reviewed. If a third-party app processes PHI, that vendor becomes your business associate and must sign a BAA with you before use.

  • Restrict app installations; use an allowlist with security and privacy review.
  • Block unsanctioned file storage, ticketing, or notes apps from receiving PHI.
  • Scrutinize bots, webhooks, and low-code workflows so that webhook payloads, tokens, and application logs never capture PHI.
  • Treat external collaboration carefully; only work with outside organizations that are contractually permitted to access PHI.

Setup Guide for HIPAA Compliance

1) Choose the approved plan and execute the BAA

Purchase Enterprise Grid and complete a Business Associate Agreement with Slack. Until then, prohibit PHI in Slack. Document your intended PHI use cases and the specific features you will enable.

2) Define “minimum necessary” PHI use

Catalogue the data elements allowed in Slack and where they can appear. Prohibit PHI in metadata (names, profiles, channel topics) and limit PHI to designated private channels with explicit business need.

3) Lock down identity and devices

Enable SSO with MFA, automate provisioning via SCIM, and enforce session, device, and mobile controls (EMM/MDM). Require encrypted endpoints and screen-lock policies for any device accessing PHI.

4) Configure information governance

Set retention for messages and files, enable legal hold, and restrict deletion where required to preserve an Audit Trail. Disable public file links and risky exports to keep PHI contained.

5) Deploy DLP and monitoring

Integrate Data Loss Prevention to scan content for PHI identifiers, block violations, and quarantine files. Stream Audit Logs to your SIEM; alert on anomalous access and bulk downloads.
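The second half of this step, alerting on anomalous access once Audit Logs leave Slack, is the kind of rule a SIEM carries. As an added example (not code from the original article or from Slack), the Python below runs two such rules over a constructed stream of audit entries: a sliding-window count that fires when one user downloads five files within ten minutes, and a flat list of single actions that always warrant review in a PHI-bearing workspace. The entry shape is a simplified version of what I understand the Slack Audit Logs API returns (date_create, action, actor.user.id, entity), the action names are assumed to match the API, and the thresholds are arbitrary policy choices.

```python
"""
Added example, not code from the original article or from Slack: the
kind of detection logic step 5 describes, run over audit-log entries
after they are streamed out of Slack. The entries are constructed and use
a simplified version of the Audit Logs API entry shape (date_create,
action, actor.user.id, entity) as I understand it; action names such as
file_downloaded and app_installed are assumed to match the API, and the
thresholds are arbitrary policy choices a SIEM rule would carry.
"""
from collections import defaultdict, deque

BULK_DOWNLOAD_THRESHOLD = 5   # file downloads by one user ...
BULK_DOWNLOAD_WINDOW_S = 600  # ... within this sliding window (seconds)

# Single events that warrant review on their own in a PHI-bearing workspace.
RISKY_ACTIONS = {"file_public_link_created", "app_installed", "app_approved"}


def _event(ts, action, user_id, entity_id):
    """Build one simplified audit entry (constructed sample data)."""
    kind = "file" if action.startswith("file_") else "app"
    return {
        "date_create": ts,
        "action": action,
        "actor": {"type": "user", "user": {"id": user_id}},
        "entity": {"type": kind, kind: {"id": entity_id}},
    }


# Constructed sample stream: U1 pulls six files in five minutes, U2 downloads
# occasionally but installs an app, U3 creates a public file link.
SAMPLE_EVENTS = [
    _event(500, "file_downloaded", "U2", "F20"),
    *[_event(1000 + 60 * i, "file_downloaded", "U1", f"F1{i}") for i in range(6)],
    _event(2000, "file_public_link_created", "U3", "F30"),
    _event(2500, "app_installed", "U2", "A1"),
    _event(4100, "file_downloaded", "U2", "F21"),
]


def detect(events):
    """Return alerts as dicts; one bulk_download alert per threshold crossing."""
    alerts = []
    recent = defaultdict(deque)  # user_id -> timestamps of recent downloads
    for e in sorted(events, key=lambda e: e["date_create"]):
        ts, action = e["date_create"], e["action"]
        user = e["actor"]["user"]["id"]
        if action in RISKY_ACTIONS:
            alerts.append({"rule": action, "user": user, "ts": ts})
        if action == "file_downloaded":
            window = recent[user]
            window.append(ts)
            # Slide the window: drop downloads older than the window length.
            while ts - window[0] > BULK_DOWNLOAD_WINDOW_S:
                window.popleft()
            # Fire exactly when the count reaches the threshold, not on every
            # later download while it stays above it.
            if len(window) == BULK_DOWNLOAD_THRESHOLD:
                alerts.append({"rule": "bulk_download", "user": user,
                               "ts": ts, "count": len(window)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Firing once per threshold crossing rather than on every download above it keeps the rule from paging the on-call five times for one incident; the trade-off is that a user who stays above the threshold for an hour produces a single alert, so pair it with a periodic report of total downloads per user.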

6) Confirm encryption and key controls

Rely on Encryption in Transit and Encryption at Rest, which Slack provides by default; where your policy requires customer control of keys, enable enterprise key management so that key rotation, revocation, and access logging meet your internal key management standards.

7) Structure workspaces and channels

Centralize HIPAA-enabled workspaces, prefer private channels, and gate external collaboration. Use clear naming conventions and membership reviews for PHI-permitted spaces.

8) Govern third-party apps

Adopt an app allowlist, review data flows, and require BAAs for any vendor that could touch PHI. Disable or restrict generic email, cloud storage, and note-taking connectors for PHI channels.

9) Train users and define SOPs

Provide concise training on PHI do’s and don’ts, approved channels, and reporting procedures. Run tabletop exercises for misdirected messages or file exposures and document corrective actions.

10) Validate and document

Complete a HIPAA risk analysis, map controls to your BAA, test DLP rules, review retention, and sample the Audit Trail. Record evidence for audits and repeat on a defined cadence.

Conclusion

Slack can support HIPAA requirements when you use Enterprise Grid, sign a BAA, minimize where PHI appears, and enforce DLP, retention, and monitoring to maintain an auditable control environment. Keep your Designated Record Set in clinical systems, and treat Slack as a tightly governed collaboration layer.

FAQs

What is required for Slack to be HIPAA compliant?

You need the Enterprise Grid plan, a signed Business Associate Agreement, and a security baseline that includes SSO with MFA, retention and legal hold, Data Loss Prevention, restricted app usage, and centralized Audit Trail monitoring. Only after these are in place should PHI be allowed in Slack.

Can Slack be used to communicate with patients under HIPAA?

It’s technically possible but rarely advisable. Slack is designed for workforce collaboration, not as a patient portal. If you choose to engage patients, you still need Enterprise Grid, a BAA with Slack, strict identity and device controls, clear consent, and tight limits on PHI. Most organizations prefer dedicated patient communication platforms.

Does Slack provide a Business Associate Agreement?

Yes. Slack will execute a Business Associate Agreement (BAA) with eligible Enterprise Grid customers. The BAA defines permitted services and responsibilities; do not transmit PHI in Slack until it is fully executed and your controls match the agreement.
