Slack HIPAA Compliance: Is Slack Compliant? BAA, Enterprise Grid, and Setup Checklist
Business Associate Agreement Execution
What a Business Associate Agreement Covers
A Business Associate Agreement (BAA) defines how Slack and your organization will safeguard Electronic Protected Health Information, sets permitted uses and disclosures, and allocates responsibilities for breach notification and security controls. You need a fully executed BAA before any ePHI is introduced into Slack.
When you need a BAA
If your workforce will create, receive, maintain, or transmit ePHI in Slack—even incidentally—you must have a BAA in place. If Slack is used only for general collaboration with a firm policy prohibiting ePHI, you can operate without ePHI and thus without a BAA, but you must enforce that policy consistently.
How to execute the BAA
- Confirm eligibility for a Slack plan that supports BAAs (typically Enterprise Grid) and identify your legal and security contacts.
- Request the BAA from Slack through your account team and review it alongside your counsel and security leadership.
- Complete due diligence (security questionnaire, architecture review) and negotiate any required addenda.
- Execute the BAA and document effective dates, covered services, and configuration obligations.
Common pitfalls to avoid
- Signing the BAA but delaying technical controls, leaving Slack unconfigured for ePHI.
- Assuming the BAA alone makes Slack compliant without Enterprise Grid HIPAA configuration.
- Failing to flow down BAA requirements to business units, admins, and app owners.
Enterprise Grid Plan Configuration
Why Enterprise Grid matters
Enterprise Grid gives you organization-level controls, unified security policies, and advanced governance features required for HIPAA-aligned operations. Without those capabilities, you cannot reliably manage ePHI at scale.
Core configuration areas
- Identity and access: Enforce SSO/SAML, mandatory MFA, SCIM lifecycle management, and least-privileged admin roles.
- Encryption and keys: Use encryption at rest/in transit and consider Enterprise Key Management for stronger control of content encryption keys.
- Retention and records: Set channel- and DM-specific retention aligned to your ePHI minimization policy; disable indefinite retention for general chat.
- Exports and eDiscovery: Enable Discovery API or approved archives for legal hold and audit; restrict export approvals to a defined governance team.
- Files and sharing: Limit external file sharing, public links, and downloads; require virus scanning and DLP inspection for uploaded files.
- App governance: Block by default, maintain an allowlist, and review OAuth scopes and data flows before approval.
- Slack Connect and guests: Gate external collaboration behind contracts and BAAs; apply tighter retention and monitoring for shared channels.
- Data residency and mobile: Choose appropriate data regions and enforce device controls, screen lock, and remote wipe on mobile clients.
- Auditability: Stream audit logs and EKM events to your SIEM; set alerting for anomalous admin or export activity.
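As an added illustration of the auditability item above (this is example code written for this article, not Slack's code and not part of the original page), the script below parses a constructed audit-log payload laid out like Slack's Audit Logs API response and raises the three kinds of alerts the configuration list calls for: a login from an unexpected network, a burst of file downloads by one user, and an app install or scope expansion that grants content-reading scopes. The action names (`user_login`, `file_downloaded`, `app_installed`, `app_scopes_expanded`), the `entity.app.scopes` field, the IP ranges and the thresholds are assumptions for the example; verify them against your own exported logs before wiring this into a SIEM rule.

```python
import json
from collections import defaultdict


# Constructed sample entries in the shape of Slack's Audit Logs API response
# ("entries" with id, date_create, action, actor, entity, context). The action
# names and the entity.app.scopes field are assumptions for this example, not
# verified API output; treat them as placeholders when adapting to real logs.
def _entry(entry_id, ts, action, email, ip="10.0.0.5", app=None):
    return {
        "id": entry_id,
        "date_create": ts,
        "action": action,
        "actor": {"type": "user", "user": {"id": f"W{entry_id}", "email": email}},
        "entity": {"type": "app", "app": app} if app else {"type": "workspace"},
        "context": {"ip_address": ip, "ua": "Mozilla/5.0 (constructed)"},
    }


T0 = 1_700_000_000
SAMPLE_AUDIT_LOG = json.dumps({"entries": [
    _entry(1, T0, "user_login", "alice@example.com"),
    _entry(2, T0 + 100, "user_login", "alice@example.com", ip="198.51.100.7"),
    _entry(3, T0 + 200, "file_downloaded", "bob@example.com"),
    _entry(4, T0 + 250, "file_downloaded", "bob@example.com"),
    _entry(5, T0 + 300, "file_downloaded", "bob@example.com"),
    _entry(6, T0 + 350, "file_downloaded", "bob@example.com"),
    _entry(7, T0 + 400, "file_downloaded", "bob@example.com"),
    _entry(8, T0 + 500, "file_downloaded", "carol@example.com"),
    _entry(9, T0 + 600, "app_installed", "dave@example.com",
           app={"id": "A001", "name": "Standup Bot", "scopes": ["chat:write", "commands"]}),
    _entry(10, T0 + 700, "app_scopes_expanded", "dave@example.com",
           app={"id": "A002", "name": "Mirror Sync",
                "scopes": ["files:read", "channels:history", "chat:write"]}),
]})

EXPECTED_IP_PREFIXES = ("10.", "203.0.113.")  # constructed corporate egress ranges
MASS_DOWNLOAD_THRESHOLD = 5
MASS_DOWNLOAD_WINDOW_S = 600
# Scopes that let an app read message or file content, where ePHI could live
CONTENT_SCOPES = {"channels:history", "groups:history", "im:history",
                  "mpim:history", "files:read", "users:read.email"}


def analyze_audit_log(raw_json):
    """Return a list of (rule, actor_email, detail) alerts from an audit-log payload."""
    entries = sorted(json.loads(raw_json)["entries"], key=lambda e: e["date_create"])
    alerts = []
    download_windows = defaultdict(list)  # actor -> timestamps inside the sliding window
    for e in entries:
        actor = e["actor"]["user"]["email"]
        ts = e["date_create"]
        action = e["action"]
        if action == "user_login":
            ip = e["context"]["ip_address"]
            if not ip.startswith(EXPECTED_IP_PREFIXES):
                alerts.append(("anomalous_login", actor, f"login from unexpected IP {ip}"))
        elif action == "file_downloaded":
            window = download_windows[actor]
            window.append(ts)
            # Drop downloads older than the window before counting
            while ts - window[0] > MASS_DOWNLOAD_WINDOW_S:
                window.pop(0)
            if len(window) == MASS_DOWNLOAD_THRESHOLD:
                alerts.append(("mass_download", actor,
                               f"{len(window)} downloads within {MASS_DOWNLOAD_WINDOW_S}s"))
        elif action in ("app_installed", "app_scopes_expanded"):
            app = e["entity"]["app"]
            risky = sorted(set(app.get("scopes", [])) & CONTENT_SCOPES)
            if risky:
                alerts.append(("content_scope_grant", actor,
                               f"{app['name']} ({action}) granted {', '.join(risky)}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{rule}] {actor}: {detail}")
```

Running the script on the constructed payload yields one alert per rule; in practice the same three rules map directly onto SIEM correlation searches, with the download window and IP allowlist tuned to your environment.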
Enterprise Grid HIPAA Configuration best practices
- Document a baseline “Enterprise Grid HIPAA Configuration” and review it quarterly.
- Apply policies org-wide, then layer stricter controls on workspaces handling ePHI.
- Test changes in a staging workspace before production rollout.
HIPAA Compliance Guidelines
Map Slack to the HIPAA Security Rule
- Administrative safeguards: Perform a risk analysis for Slack, define acceptable-use and ePHI handling policies, train users, and assign a Slack service owner.
- Physical safeguards: Rely on vendor data center controls and enforce endpoint protections (disk encryption, MDM) for user devices.
- Technical safeguards: Enforce unique IDs via SSO, MFA, role-based access, encryption, audit logging, integrity checks, and secure transmission.
ePHI minimization and policy
Adopt a strict minimization stance: only post ePHI that is necessary, never use Slack as a system of record, and route clinical content to your EHR or ticketing system. Provide channel naming conventions and quick-reference examples of allowed vs. prohibited content.
Governance lifecycle
- Risk management: Reassess Slack risks after major product changes or new integrations.
- Incident response: Define detection, triage, containment, and notification workflows for suspected ePHI exposure.
- Third-Party Vendor Compliance: Require security review and agreements for each integrated app that could touch ePHI.
Monitoring Slack Usage
Slack Monitoring Tools and telemetry
- Audit logs and Discovery API for message, file, and admin activity visibility.
- SIEM integration to correlate Slack events with identity, DLP, and endpoint alerts.
- EKM event streams to track content rekeying and access attempts.
Content protection and alerting
- DLP/CASB to detect and quarantine ePHI patterns in messages and files.
- Automated alerts for mass exports, policy changes, suspicious OAuth grants, and anomalous logins.
- Periodic reviews of public channels, Slack Connect links, and guest access.
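The DLP/CASB bullet above describes pattern-based detection of ePHI in messages and files. The following is an added example written for this article (not Slack's code, not a product's detection rules, and not part of the original page) of the core of such a detector: it matches constructed identifier patterns, escalates the verdict when an identifier appears alongside clinical context, and redacts matches before the alert leaves for the SIEM so the alert pipeline itself does not become a second copy of the ePHI. The MRN format, the clinical term list and the sample messages are assumptions for the example.

```python
import re

# Constructed detection patterns for this example; tune them to your own
# identifier formats (the MRN shape below is an assumption, not a standard).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}
# Clinical context words; an identifier next to one of these is treated as ePHI
CLINICAL_TERMS = re.compile(
    r"\b(?:diagnos\w*|prescri\w*|lab results?|discharg\w*|admitted|chemo\w*|surgery)\b",
    re.IGNORECASE,
)


def scan_message(text):
    """Classify a message as allow, flag (review) or quarantine (block and alert)."""
    hits = {name: len(p.findall(text)) for name, p in PATTERNS.items() if p.search(text)}
    clinical = bool(CLINICAL_TERMS.search(text))
    if not hits:
        verdict = "allow"
    elif "ssn" in hits or clinical or len(hits) >= 2:
        # A government identifier, clinical context, or several identifiers
        # together is enough to quarantine rather than just flag
        verdict = "quarantine"
    else:
        verdict = "flag"
    return {"verdict": verdict, "hits": hits, "clinical_context": clinical}


def redact(text):
    """Replace every matched identifier so the alert excerpt carries no ePHI."""
    for name, p in PATTERNS.items():
        text = p.sub(f"[{name.upper()} REDACTED]", text)
    return text


def build_alert(channel, author, text):
    """Return a SIEM-ready alert dict, or None when the message is allowed."""
    result = scan_message(text)
    if result["verdict"] == "allow":
        return None
    return {"channel": channel, "author": author, "verdict": result["verdict"],
            "hits": result["hits"], "excerpt": redact(text)}


# Constructed sample messages (channel, author, text)
SAMPLE_MESSAGES = [
    ("#general", "alice", "Can someone cover the 3pm standup?"),
    ("#ward-b", "bob", "Patient John Doe, MRN 00482913, was admitted last night, please update the chart."),
    ("#intake", "carol", "Reminder to include DOB 04/12/1979 on the intake form."),
    ("#hr", "dave", "HR needs SSN 123-45-6789 for the benefits enrollment."),
]


def scan_batch(messages=SAMPLE_MESSAGES):
    """Scan a batch and return only the alerts that need action."""
    return [a for a in (build_alert(*m) for m in messages) if a is not None]


if __name__ == "__main__":
    for alert in scan_batch():
        print(alert["verdict"], alert["channel"], alert["excerpt"])
```

Only the redacted excerpt and the hit counts are forwarded; the original message stays in Slack under the retention and legal-hold controls described elsewhere on this page.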
Operational cadence
- Weekly: Review high-severity alerts and newly installed apps.
- Monthly: Validate retention, audit admin changes, and sample content scanning efficacy.
- Quarterly: Tabletop incident scenarios and access recertification.
Designated Record Set Management
Define and document DRS boundaries
A Designated Record Set (DRS) includes records used to make decisions about individuals. Adopt a formal “Designated Record Set Exclusion” for Slack: it is a collaboration tool, not your medical record system. Communicate this in policy, onboarding, and channel guidelines.
Operationalize the exclusion
- Provide workflows to move ePHI from Slack into the EHR, CRM, or ticketing system of record.
- Use short retention for general chat to reduce residual ePHI exposure.
- For patient requests or legal holds, rely on Discovery API and approved archives rather than ad hoc exports.
Access and amendments
Route patient access and amendment requests to systems that compose the DRS. If Slack content is implicated, export only the minimum necessary and attach it to the official record with appropriate audit trails.
Third-Party Application Risk Assessment
Why app reviews matter
Third-party apps can introduce data exfiltration and overbroad permissions. A rigorous assessment ensures Third-Party Vendor Compliance before any integration handles ePHI.
Assessment workflow
- Inventory: Maintain a catalog of requested, approved, and denied apps with owners and scopes.
- Data flows: Diagram what data the app reads, writes, and stores; confirm where it is processed and retained.
- Security posture: Review authentication, encryption, logging, vulnerability management, and incident response.
- Legal: Seek a BAA or equivalent terms if the vendor will handle ePHI; document data processing and subprocessor lists.
- Controls: Prefer internal or custom apps, narrowly scoped tokens, and event-driven integrations over wide-read bots.
- Monitoring: Enable app-level logging and set re-approval intervals; revoke unused tokens promptly.
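To make the Legal, Controls and Monitoring steps above concrete, here is an added example (written for this article; not Slack's code and not part of the original page) of the decision logic an app-review pipeline can apply to a request: it classifies the requested OAuth scopes by what they can read, denies admin scopes outright, denies content-reading scopes when the vendor has no BAA, attaches conditions and a shorter re-approval interval when content scopes are covered by a BAA, and escalates any scope the matrix does not know. The scope names are real Slack OAuth scopes; the request fields (`vendor_baa`, `scopes`, `name`), the classification matrix and the re-approval intervals are this example's assumptions.

```python
# Scope classes built from real Slack OAuth scope names. Which class a scope
# falls into, and the review outcomes below, are this example's own assumptions.
CONTENT_SCOPES = {"channels:history", "groups:history", "im:history",
                  "mpim:history", "files:read"}
IDENTITY_SCOPES = {"users:read", "users:read.email"}
WRITE_ONLY_SCOPES = {"chat:write", "chat:write.customize", "commands",
                     "incoming-webhook", "files:write"}


def review_app_request(request):
    """Decide an app's approval path from its requested scopes and vendor terms."""
    scopes = set(request["scopes"])
    admin = {s for s in scopes if s == "admin" or s.startswith("admin.")}
    content = scopes & CONTENT_SCOPES
    identity = scopes & IDENTITY_SCOPES
    unclassified = scopes - CONTENT_SCOPES - IDENTITY_SCOPES - WRITE_ONLY_SCOPES - admin

    def result(decision, reason, conditions=(), recert_months=None):
        return {"app": request["name"], "decision": decision, "reason": reason,
                "conditions": list(conditions), "recert_months": recert_months}

    if admin:
        return result("deny", f"admin scopes are not granted to third-party apps: {sorted(admin)}")
    if unclassified:
        # Anything outside the matrix goes to a human rather than silently passing
        return result("escalate", f"scopes outside the review matrix: {sorted(unclassified)}")
    if content and not request.get("vendor_baa", False):
        return result("deny", f"content-reading scopes {sorted(content)} could expose ePHI "
                              "but the vendor has no BAA")
    if content:
        return result("approve_with_conditions",
                      f"content-reading scopes {sorted(content)} are covered by a vendor BAA",
                      conditions=["restrict installation to the workspaces and channels named in the request",
                                  "include app-readable channels in DLP scanning",
                                  "enable app-level audit logging"],
                      recert_months=6)
    if identity:
        return result("approve_with_conditions",
                      f"identity scopes {sorted(identity)} read directory data but no message content",
                      conditions=["confirm the vendor does not persist directory data"],
                      recert_months=12)
    return result("approve", "write-only scopes cannot read message or file content",
                  recert_months=12)


# Constructed sample requests as an app owner might submit them
SAMPLE_REQUESTS = [
    {"name": "Standup Bot", "scopes": ["chat:write", "commands"], "vendor_baa": False},
    {"name": "Mirror Sync", "scopes": ["files:read", "channels:history", "chat:write"],
     "vendor_baa": False},
    {"name": "Ticket Bridge", "scopes": ["channels:history", "chat:write"], "vendor_baa": True},
    {"name": "Admin Helper", "scopes": ["admin", "users:read"], "vendor_baa": True},
    {"name": "Meeting Sync", "scopes": ["calls:write", "chat:write"], "vendor_baa": False},
]


def review_all(requests=SAMPLE_REQUESTS):
    """Review a batch of requests; the output feeds the allowlist and the recert calendar."""
    return [review_app_request(r) for r in requests]


if __name__ == "__main__":
    for verdict in review_all():
        print(f"{verdict['app']}: {verdict['decision']} ({verdict['reason']})")
```

The output doubles as the catalog entry the Inventory step asks for: decision, reason, conditions and re-approval date are all recorded per app, and an escalated or denied request never reaches the allowlist.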
High-risk categories and alternatives
- File mirrors, unrestricted cloud storage, and pastebin-like tools often pose unacceptable risk; consider DLP-integrated repositories instead.
- For automation, use vetted connectors or build minimal-scope internal apps that avoid persisting ePHI.
Secure Setup Checklist
- Execute a Business Associate Agreement before introducing any ePHI.
- Limit ePHI to Enterprise Grid workspaces with approved Enterprise Grid HIPAA Configuration.
- Enforce SSO/SAML, mandatory MFA, and SCIM deprovisioning.
- Enable encryption controls and consider Enterprise Key Management for key ownership.
- Apply retention policies that minimize ePHI and support legal obligations.
- Restrict exports and centralize Discovery API access and legal hold.
- Block apps by default; maintain an allowlist after formal risk assessment.
- Integrate DLP/CASB to scan messages and files for ePHI patterns.
- Stream audit logs and EKM events to your SIEM with actionable alerts.
- Constrain Slack Connect and guest access; require contracts and BAAs for external entities.
- Disable public file links and restrict file downloads where feasible.
- Define and communicate a Designated Record Set Exclusion for Slack.
- Provide workflows to move content from Slack into the EHR or system of record.
- Harden mobile and desktop endpoints via MDM, disk encryption, and screen lock.
- Train users on acceptable ePHI handling and channel naming conventions.
- Run quarterly access reviews, app recertifications, and incident tabletop exercises.
Summary
Slack can support HIPAA-aligned operations when you pair a signed BAA with Enterprise Grid, enforce rigorous security controls, minimize ePHI, exclude Slack from the DRS, and continuously monitor usage. Treat configuration, training, and app governance as ongoing disciplines rather than one-time tasks.
FAQs
What is required for Slack to be HIPAA compliant?
You need a signed BAA, Enterprise Grid configured with HIPAA-focused controls, strong identity and access management, retention and export governance, DLP-backed content protections, continuous monitoring, and policies that minimize ePHI and keep Slack outside the Designated Record Set.
Does Slack offer a Business Associate Agreement?
Yes. Slack offers a BAA for eligible enterprise deployments. Work with your account team to review and execute the agreement before enabling any workflows that might handle ePHI.
Can Slack be used to communicate with patients under HIPAA?
Only if you have a signed BAA, Enterprise Grid HIPAA Configuration, and controls that restrict external access, verify identity, and protect ePHI. Most organizations limit patient communications to approved portals or messaging systems that are part of the DRS and purpose-built for clinical use.
How should third-party applications be managed in Slack?
Block apps by default, approve on an allowlist after formal risk assessment, require vendor security review and a BAA if ePHI is involved, restrict OAuth scopes to the minimum necessary, monitor app activity, and recertify regularly to maintain Third-Party Vendor Compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.