Do’s and Don’ts for Using PHI in Slack

Simar Kohli
February 15, 2022

Introduction

Slack continues to grow in popularity and is serving as a de-facto operating system for many organizations today. The channel-based messaging system and the large library of integrations in the Slack app directory enable companies to automate many processes and increase their efficiency.

However, many companies using Slack are part of highly regulated industries such as healthcare. Companies that are considered covered entities or business associates are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA governs how healthcare organizations can create, store, and transmit protected health information (PHI). In today's world, HIPAA is primarily focused on digital rather than physical security.

Using Slack for healthcare purposes introduces new challenges for HIPAA compliance. We’ve published a blog post showing how to set up your Slack workspace to enable it to be a HIPAA compliant messaging app. Note that following the steps in the guide only allows you to use Slack in a compliant manner. It does not guarantee that you are actually using your Slack in accordance with HHS regulations.

Here are some Do’s and Don’ts for using Slack for PHI. Following these guidelines is a great way to ensure your Slack usage supports HIPAA compliance instead of harming it.

How to use Slack for PHI in 2022

Do: Train all users in your Slack workspace on HIPAA’s Privacy and Security Rules

Setting up your Slack to be compliant does not mean anything if your employees are unaware of the guidelines around creating, storing, and transmitting PHI. Every employee at any covered entity or business associate with access to PHI should be trained on HIPAA’s privacy rule, even if said employees do not use Slack. Privacy training should cover the following: what types of data are considered PHI, rules for using or disclosing PHI, and obligations that covered entities and third parties have under HIPAA.

HIPAA’s security rule mandates that all employees receive some form of security training as an administrative control. This security training should cover best cybersecurity practices to secure PHI. One particular security practice is using data encryption wherever possible. It should also include information on how to report threats to the security of PHI. Haekka’s training library has HIPAA privacy and security awareness trainings that were written for modern teams in 2022. Haekka is also releasing a course for messaging in a compliant manner which can be assigned to employees to ensure they are using messaging services in a compliant manner. Training employees is an essential first step for any entity that handles PHI.

Don’t: Use Slack to communicate with patients, plan members, families, or employers

Although Slack can be used for internal communications containing PHI, Slack should NEVER be used to communicate with patients, plan members, or other people outside of your organization. Slack explicitly prohibits this, and there are several other reasons why you should avoid using Slack to talk to patients.

Firstly, Slack requires that anyone using its software to store, discuss, or transmit PHI must use Slack Enterprise Grid. Slack Enterprise Grid is Slack’s highest tier plan and includes support for the rigorous security features HHS recommends. Some of these features include detailed access logs, the ability to remotely terminate connections, and stronger file restrictions. Slack’s Enterprise Grid is not meant for ordinary users, and as such, it is extremely unlikely that your patients or their families are Slack Enterprise Grid customers. There are many messaging services that are HIPAA compliant out of the box and do not require additional steps to secure them as Slack does. It is much simpler and safer to use a platform designed for HIPAA compliance instead of modifying Slack to potentially communicate with patients (and it’s a violation of their ToS).

Do: Ensure all employees and partners are aware of how HIPAA impacts Slack

One crucial part of HIPAA compliance is having all members of a covered entity or business associate (and subcontractors) understand their obligations in protecting PHI. For business associates and subcontractors, the most common way this is done is by having both parties sign a written agreement known as a business associate agreement (BAA). A business associate agreement will outline both parties’ roles in securing PHI and define liabilities. You can include provisions for how to use Slack in a compliant manner within the HIPAA business associate agreement to ensure that your partners are informed on best Slack practices.

Slack can also be leveraged to educate employees on how to use and configure Slack in a compliant manner. Slack has published a guide for configuring Enterprise Grid to be HIPAA compliant. Some of the techniques they have recommended include using Slack for writing and acknowledging custom terms of service, having mandatory organization-wide channels, and keeping pinned posts in important channels.

Don’t: Store the Designated Record Set in Slack

Slack should NEVER be used to maintain peoples’ designated record sets. The designated record set includes medical records, billing records, payment & claim records, and any other records used by a covered entity to make health decisions for individuals. One lesser-known component of HIPAA is that patients have the right to request the records contained in their designated record set at any time. Covered entities have 30 days to comply with patient requests to receive their designated record set and face penalties for failing to do so.

Since people have the right to request a copy of their designated record set, Slack should not be used to store the set since that would require the organization to use Slack to communicate with patients (which is already prohibited). Slack also explicitly prohibits using it as a system of record for health information, so storing the designated record set on Slack is a violation of their terms of service. Consider using other cloud tools that are built to serve as a system of record. People’s electronic health records should be treated with the utmost care, and Slack has made it clear their platform is not the place to do so.

Do: Use Data Loss Prevention to Monitor the Flow of PHI

External Data Loss Prevention software monitors a workspace to ensure that data losses (also known as data leaks, breaches, or unauthorized disclosure) are not occurring within the workspace in question. Slack recommends setting up third-party data loss prevention software within your workspace to ensure HIPAA compliance. Data loss prevention tools can scan an entire workspace to find, classify, and secure protected information.

A good data loss prevention tool will scan your Slack for things that can constitute PHI such as social security numbers, medical record numbers, and email addresses. The software can be configured to block PHI from being sent over public or unsecured channels. It can also be used to identify and remove PHI from parts of Slack where it shouldn't be. Finally, admins can leverage data loss prevention tools to automatically educate employees if they are sharing protected health information without proper authorization.
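
The classification step described above, as an added sketch that is not code from Slack, Haekka, or any DLP product: it scans messages for the three identifier types named in this section, redacts them, and decides whether to block (public channel) or flag (private channel) while recording which user to notify. The message fields (channel, user, text), the channel names, and the "MRN" number format are assumptions; the sample messages are constructed.

```python
import re

# Detectors for the identifier types named above. The MRN format is an
# assumption: real medical record number formats vary by organization.
DETECTORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def find_phi(text):
    """Return (kind, matched_text) for every detector hit in text."""
    return [(kind, m.group(0))
            for kind, rx in DETECTORS.items()
            for m in rx.finditer(text)]

def redact(text):
    """Replace every detected identifier with a labelled placeholder."""
    for kind, rx in DETECTORS.items():
        text = rx.sub(f"[REDACTED:{kind}]", text)
    return text

def review(msg, public_channels):
    """Decide what to do with one message.

    allow: no identifiers found
    block: identifiers found in a public channel
    flag:  identifiers found in a private channel (left for admin review)
    """
    kinds = sorted({kind for kind, _ in find_phi(msg["text"])})
    if not kinds:
        return {"action": "allow", "kinds": [], "text": msg["text"]}
    action = "block" if msg["channel"] in public_channels else "flag"
    return {"action": action, "kinds": kinds,
            "text": redact(msg["text"]), "notify": msg["user"]}

# Constructed sample messages (hypothetical field names, not a Slack API payload).
SAMPLE = [
    {"channel": "general", "user": "U01", "text": "Lunch at noon?"},
    {"channel": "general", "user": "U02",
     "text": "Patient SSN is 123-45-6789, MRN: 00482913"},
    {"channel": "care-team", "user": "U03",
     "text": "Send results to jane.doe@example.com"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["channel"], review(m, public_channels={"general"}))
```

Pattern matching of this kind produces both false positives and misses, which is why commercial tools add validation and context rules on top of it.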

Don’t: Use features outside of messages and files for PHI

Although Slack is primarily known for its text-based messaging, it has a variety of other features that enable different forms of communication. However, Slack prohibits using any features besides messaging or files for discussing, storing, or sending PHI. This means not using huddles or video chat to discuss PHI. This is necessary for audit purposes since it is much simpler to prove your Slack messages were sent for purposes approved by HIPAA.

You should also avoid using Slack features such as automatically forwarding or ingesting emails containing PHI. Email is not a secure medium for PHI, so ensuring your integrations do not lead to non-compliance is extremely important. This also applies to any other unsecured communication medium that Slack integrates with.

Conclusion:

Slack can be an extremely valuable tool for forward-thinking companies to optimize their operations. However, using Slack for healthcare purposes creates a new set of challenges around HIPAA compliance. Our blog post mentioned earlier is a good starting point for making Slack HIPAA compliant. You should supplement the knowledge you just received with the information in that post to ensure your Slack utilization aligns with HHS guidelines. For more information about Slack, HIPAA, and compliance feel free to contact us here at Haekka! Haekka was founded by two leaders with decades of experience helping support HIPAA compliance at organizations like yours. Check us out at haekka.com!