Is Slack HIPAA Compliant?

To date, ascertaining whether or not the Slack is compliant with HIPAA legislation has proved difficult as it has not been HIPAA compliant since it was first introduced. Now, however, steps have been implemented to introduce a version of the platform that can be used by healthcare groups, titled Slack Enterprise Grid.

Slack Enterprise Grid was unveiled announced at the beginning of 2017, a new product which is not the same offering as Slack. Slack Enterprise Grid has been developed on different code, and has been developed with companies of over 500 employees in mind.

Slack Enterprise Grid includes several security features that support HIPAA compliance. Those features include data encryption at rest and on the move, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is managed.

Slack Enterprise Grid produces detailed access logs, and administrators can remotely terminate connections and sign users out from all linked devices. Team owners can erase all customer data within 24 hours – useful for when users depart the company. Slack also includes team-wide two-factor authentication, sets up offsite backups, and is compliant with NIST standards, as well as SOC2 and SOC3.

As Slack outlines on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.” Slack Enterprise Grid is only available to organizations with  a minimum of 250 active Slack workspace members and the organization must use a SAML based Identity Provider for SSO management.

On February 4, 2018, Slack revealed on Twitter that the only version of the platform that is HIPAA compliant is Enterprise Grid. In recent times, Slack has also updated its website to confirm that it supports HIPAA compliance and can be used to share patients’ protected health information safley.

Currently, the platform only supports HIPAA compliance for file uploads. The direct messaging and channel communication features are not HIPAA compliant and cannot be used in connection with PHI. Those features are predicted to be made HIPAA compliant later in 2019.

So the short answer is that Slack is not HIPAA compliant while Slack Enterprise Grid is. This HIPAA compliance is only valid, however, if a HIPAA business associate agreement (BAA) is completed between the business partners.

Will Slack Complete a Business Associate Agreement?

A business associate agreement must be completed with a company before the platform is used to send or receive protected health information (PHI). And as Slack states on its website, “Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA.”

Slack also says that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate,” implying that Slack is willing to sign a BAA for Slack Enterprise Grid.

However, the BAA is not freely available and is not published on the Slack website. Healthcare groups thinking about using Slack Enterprise Grid must contact Slack and ask for a copy, and scrutinize the BAA – if one is given.

With a completed BAA, healthcare groups must then carefully set up the platform. An audit trail must be managed, user logins carefully set up, policies and procedures developed including the use of the platform, and staff must be shown how to use it. The eDiscovery function must also be switched on.

Even with a BAA completed, great care must be taken to sure that Slack Enterprise Grid is used in a manner that is always HIPAA compliant.