HIPAA and Slack App Directory Apps

Travis Good
March 16, 2022

Although Slack is usually seen as a communication tool, it has evolved into a complete workflow platform for highly efficient companies. Much of the power of Slack comes from using it to connect various SaaS applications and services to one another. There is significant value in driving notifications and actions from SaaS apps into Slack, centralizing communications and common workflows to increase efficiency.

The way this works in Slack is that apps, sometimes called bots, are connected and installed in Slack. The most common way to connect these 3rd party apps is via the Slack App Directory.

Two of the most common 3rd party Slack apps are Google Drive and Zoom. The Google Drive app, once installed, sends notifications from Drive files and also allows users in Slack to modify file permissions within the Google workspace. The Zoom Slack app allows users to start and join Zoom meetings from Slack. These are two popular examples, but there are thousands of integrations companies leverage on a daily basis.

Slack apps depend on permissions to take actions in your Slack workspace. These permissions can include the ability to read user information, channel membership, and sometimes messages within channels. When it comes to using Slack in a HIPAA-compliant way, Slack App Directory apps can potentially access PHI depending on their permissions. Because of this, it’s imperative that you put policies in place to comply with HIPAA when you use Slack and Slack App Directory apps.

HIPAA 3rd Party Risk

HIPAA has many specific requirements, but the overarching one is to prevent unauthorized access to protected health information (PHI). If Slack is being used to exchange PHI, 3rd party Slack apps can potentially access that PHI.

According to HHS:

The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.

This means if you want to give a 3rd party Slack app access to PHI, which would occur if a 3rd party Slack app has access to messages in a channel containing PHI, then you need to put a business associate agreement in place with those 3rd party Slack apps prior to granting them permission to access PHI.

Slack App Directory Apps

If you want to use Slack for exchanging PHI, there are certain things you need to do with your Slack account. Slack is clear about these guidelines. And the last requirement from Slack highlights the point above about 3rd party Slack apps.

Slack does not have a business associate agreement with any third-party application providers, including those in the Slack App Directory, so you are responsible for determining whether an agreement is necessary with an application provider before enabling access.

Slack is clearly not liable or accountable for the data you share with 3rd party Slack apps under HIPAA. The onus is on you to ensure you have the proper protections and safeguards, codified in business associate agreements, with 3rd party Slack apps that could potentially access PHI.

Slack App Directory Apps as Business Associates

3rd party Slack apps that have access to channels that contain PHI should be considered business associates under HIPAA. HIPAA requires that business associates provide safeguards to protect PHI. These protections are defined in business associate agreements. This is easier said than done if you don’t have clear policies and training in place for how employees should use Slack to comply with HIPAA.

Securing Slack App Directory Apps for HIPAA

If you use Slack to comply with HIPAA, the first step is to audit all of your 3rd party Slack apps. This audit should include a review of app permissions or authorizations. The easiest way to do this is to go to an app in Slack, click on the ‘about’ tab, and then click on ‘configuration’. This should take you to a web page that lists all the authorizations the app has in your Slack workspace.

Below the authorizations, there is a listing of the channels to which the app has access. And at the bottom, you can remove the app from Slack or specific channels as needed.

If you are interested in learning more about security and HIPAA compliance for a particular app maker, click the ‘security and compliance’ tab at the top to see additional information.

You should contact the app maker to get a business associate agreement executed for any app with access to PHI.

Unfortunately, this is not a one-and-done process. Regardless of rules in place for who can install 3rd party Slack apps in your workspace, you should audit all of your 3rd party Slack apps on a regular basis, ideally quarterly.
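The audit described above can be recorded and triaged in a repeatable way. The following is an added example, not code from Slack or from this article's author: it takes an inventory you have collected by hand from each app's configuration page (authorizations and channels) and flags apps that can read content in channels you have designated for PHI but have no business associate agreement on file. The app names, channel names and BAA flags are constructed sample data, and direct-message scopes are not modelled.

```python
# Added example: triage a hand-collected Slack app inventory for HIPAA review.
# The inventory, channel names and BAA flags below are constructed sample data.

# Slack OAuth scopes that let an app read message or file content in channels.
# Direct-message scopes are not modelled here.
CONTENT_SCOPES = {"channels:history", "groups:history", "files:read"}

# Channels your own policy designates as allowed to contain PHI (assumption).
PHI_CHANNELS = {"#patient-intake", "#care-team"}

INVENTORY = [
    {"app": "Example Drive", "scopes": ["channels:history", "files:read"],
     "channels": ["#patient-intake", "#general"], "baa_signed": False},
    {"app": "Example Meetings", "scopes": ["users:read", "channels:read"],
     "channels": ["#care-team"], "baa_signed": False},
    {"app": "Example Notes", "scopes": ["groups:history"],
     "channels": ["#care-team"], "baa_signed": True},
    {"app": "Example Polls", "scopes": ["channels:history"],
     "channels": ["#random"], "baa_signed": False},
]


def audit(inventory, phi_channels=PHI_CHANNELS):
    """Return one finding per app: 'needs_baa', 'covered' or 'no_phi_access'."""
    findings = []
    for entry in inventory:
        # Content-reading scopes the app holds, and PHI channels it sits in.
        read_scopes = sorted(CONTENT_SCOPES & set(entry["scopes"]))
        exposed = sorted(phi_channels & set(entry["channels"]))
        if read_scopes and exposed:
            status = "covered" if entry["baa_signed"] else "needs_baa"
        else:
            status = "no_phi_access"
        findings.append({"app": entry["app"], "status": status,
                         "read_scopes": read_scopes, "phi_channels": exposed})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['app']:18} {f['status']:14} "
              f"scopes={f['read_scopes']} channels={f['phi_channels']}")
```

Keeping the inventory in version control gives each quarterly audit a record to compare against, so newly granted scopes or channels stand out.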

Using Slack to comply with HIPAA is not hard, but it does require due diligence on all of the 3rd party Slack apps that are installed and on what data they can access. If you want to train employees on how to use Slack to comply with HIPAA, check out Haekka’s HIPAA for Slack training course delivered 100% in Slack.