TL;DR: Slack is not HIPAA compliant out of the box. However, Slack Enterprise Grid can be made HIPAA compliant by signing a Business Associate Agreement (BAA) with Slack.
We're often asked if Slack is HIPAA compliant — meaning is it a suitable place to store and transmit PHI. Because we're helping companies train their staff on both the HIPAA Privacy and Security rules, I felt it would be helpful to discuss the details of how best to use Slack in a HIPAA-compliant manner.
When considering the use of third-party tools that will handle PHI, due diligence is important. The best method for understanding whether or not you can trust a software product is to do the following:
Conduct a risk analysis: understand and identify the types of data you're sharing, as well as the risk involved both financially and perceptually if a breach were to happen.
Conduct a security review: this typically takes the form of a questionnaire, but it can also be satisfied by having the third party present a certification such as SOC 2 or HITRUST. The goal here is to determine whether they have the proper controls in place to securely store and safely transmit sensitive data like PHI.
Review their BAA: once you've determined the company can securely store and reliably transmit PHI using one of the methods above, the next step is to get an agreement in place. Not just any agreement, but a Business Associate Agreement or BAA. This is a specific document that outlines the roles and responsibilities between the two parties entering into the contract.
When HIPAA was initially written, it was explicit about the types of organizations that needed to comply. These organizations are defined as such:
You must have a BAA in place with any organization that you're sharing PHI with. This means cloud providers, third-party tools, consultants, etc. Slack is no different in this case. If you're sharing PHI within an Enterprise Grid workspace, you must have a BAA signed with Slack.
Okay, so now that we've determined that Slack can be used to store or transmit PHI when using Enterprise Grid, does that mean you can't use the standard version of Slack at all if you're required to comply with HIPAA? The short answer is no: you can use the standard version of Slack even within a regulated environment. The big caveat here, and you probably saw this coming, is that you must not put any PHI into Slack in this case. This might be obvious, but remember that Slack is a central hub, so you'll want to ensure that neither you, your employees, nor any integrated apps are putting PHI into Slack.
That's it! Thanks for reading. If you have any questions about this article, or if you're interested in implementing HIPAA and Security training at your company, please reach out to us.