Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?
Is Slack HIPAA Compliant?
There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.
Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.
Earlier this year, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”
Slack Enterprise Grid was announced at the start of 2017. Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.
Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained.
Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC 2 and SOC 3.
As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.”
So is Slack HIPAA compliant? No. Is Slack Enterprise Grid HIPAA compliant? It can be.
However, before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA).
Will Slack Sign a Business Associate Agreement?
A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). And as Slack points out on its website, “Customer must not use, disclose, transmit or otherwise process any ‘Protected Health Information’ as defined in HIPAA.”
Slack also states that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a ‘Business Associate,’” suggesting Slack is prepared to sign a BAA for Slack Enterprise Grid.
However, the BAA is not universally offered and is not available on the Slack website. Healthcare organizations considering using Slack Enterprise Grid must contact Slack and request a copy, and scrutinize the BAA – if one is offered.
With a signed BAA, healthcare organizations must then carefully configure the platform. An audit trail must be maintained, user logins must be carefully set up, policies and procedures covering the use of the platform must be developed, and staff must be trained. The eDiscovery function must also be activated.
Even with a BAA in place, it will be possible for Slack Enterprise Grid to be used in a manner that is not HIPAA compliant.