Is Slack HIPAA compliant?

Slack has emerged over the past several years as a useful and versatile tool that many organizations use to communicate and collaborate. Some organizations, however, are questioning whether Slack can be used in compliance with the Health Insurance Portability and Accountability Act, more commonly referred to as HIPAA.

Is Slack HIPAA compliant?

There is a great deal of confusion on the subject of Slack and whether it can be used in a healthcare setting in compliance with HIPAA Rules.

The first publicly available version of Slack and the iterations that followed it were not suitable for use by HIPAA covered entities to create, store, transfer, or share Protected Health Information (PHI). The team behind Slack later developed another version that could possibly be used in this context by healthcare institutions and similar organizations. This was released as Slack Enterprise Grid.

Last year, Geoff Belknap, speaking in his capacity as Slack’s Chief Security Officer, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”

Clients in these highly regulated industries had been awaiting Slack Enterprise Grid since it was first announced in early 2017. A completely different system from Slack, Slack Enterprise Grid was written in a separate programming language specifically to cater for organizations that employ 500 members of staff or more.

For HIPAA covered entities, Slack Enterprise Grid includes a wide range of features and settings that could allow for compliant use of the tool. Among the necessary elements are audit logging and tracking functionality, encryption of information both in transit and at rest, data loss prevention, and retention of correspondence with clients.

Another feature of the enterprise version was put in place to address the risks of mobile and portable devices. With Slack Enterprise Grid, system administrators are given the ability to end sessions remotely, which means they could prevent loss of, or unauthorized access to, PHI should a portable device be lost or stolen. Stored data can be wiped, which could be used following maliciously motivated actions, or simply to ensure that team members who leave the organization do not unwittingly take protected data with them. Two-factor authentication is also supported, which further hinders unauthorized parties from gaining access to PHI.

Having said all this, can we then go ahead and say that Slack is HIPAA compliant? No, we can’t. Could we say that Slack Enterprise Grid is HIPAA compliant? The answer to this is not as straightforward: using Slack Enterprise Grid is not in itself a guarantee of HIPAA compliance or non-compliance, but it may be possible to configure Slack Enterprise Grid for HIPAA compliant use.

Is Slack Willing to Sign A Business Associate Agreement?

An essential step in ensuring HIPAA compliant use is to put an appropriate Business Associate Agreement (BAA) in place with the vendor. On Slack’s website they note that “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a ‘Business Associate’.” This would give the impression that Slack would be willing to enter into a BAA for Slack Enterprise Grid. However, no BAA is evident on their site, so companies would have to contact Slack for further details on this point.