How to make Slack HIPAA compliant

Simar Kohli
February 8, 2022

Introduction to Slack and HIPAA

The transition to remote work sparked by the Covid-19 pandemic led to more companies using work collaboration platforms like Slack than ever before. Many of these companies are health-tech startups, but medical practices and other healthcare providers have also adopted Slack as the primary platform for communication.

Slack is a powerful communication tool, but it can also act as an operating system. There are many ways healthcare organizations can utilize Slack and its large library of integrations to operate more efficiently. Slack can automate many workflows using Slack bots. It can also be used as an organization’s central information hub. However, organizations that use Slack to discuss protected health information (PHI) must create and follow certain practices to make Slack a HIPAA compliant messaging app.

The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates follow certain procedures and implement rigorous security controls to protect PHI. The Security Rule mandates that healthcare companies and their partners protect PHI at rest and during transmission. Slack is not HIPAA compliant out of the box, so HIPAA entities cannot transmit protected health information over Slack without risking a penalty for non-compliance with the HIPAA regulation for data security.

Although Slack is not HIPAA compliant by default, there are ways that a covered entity can set up Slack to comply with HIPAA regulations. Slack has published a starter guide to setting up your workspace in a compliant manner, but there are a few more steps that companies looking to use Slack for healthcare purposes should follow.

5 Steps to make Slack HIPAA Compliant in 2022

1. Use the Slack Enterprise Grid plan

Slack Enterprise Grid is an advanced version of the regular Slack app that is built for enterprises and other large organizations. Even if you are a startup or SMB, Slack’s guidelines mandate that any organization using Slack to create, store, or transmit PHI must sign up for the Enterprise Grid plan.

Slack Enterprise Grid ships with several security features that help secure PHI beyond what the basic plans offer. Some of these other Slack features include Enterprise Key Management, real-time directory sync, and additional integrations with security management software. Many of these security measures are required to abide by HIPAA regulations. This step is non-negotiable for using Slack in a compliant manner.

2. Set up roles, channels, and user permissions in a way that protects PHI

The next step in making your organization’s Slack instance HIPAA compliant is setting up your workspace to ensure that only the people that need to see PHI are able to access it. The privacy rule mandates that PHI is only disclosed or created for the purpose of treatment, payment, or healthcare operations. Limiting which users can see PHI in your Slack workspace is an important part of preventing unauthorized disclosures.

We’ve published a blog post on managing team permissions and how user roles determine what settings someone can change and what information they can view. You should also segment your organization into different channels based on their role and need to access PHI. Only private Slack channels should be used to discuss PHI since any member of an organization can join or view a public channel.

3. Execute business associate agreements with Slack and any third-party integrations that can view or transmit PHI

One of the privacy rule’s most important guidelines is that covered entities must sign a business associate agreement (BAA) with any third parties that handle PHI for them. A business associate agreement codifies the different liabilities the two parties in the agreement face and ensures both organizations are aware of their responsibilities for protecting PHI. Slack mandates that any organization using their software to transmit PHI has a signed business associate agreement with them.

One reason so many companies love Slack is the large library of third-party integrations, but using those integrations introduces another layer of security risk. Slack does not have a business associate agreement with any of the apps in the Slack App Directory, so it is up to your organization to sign individual BAAs with any third-party application providers that have access to PHI. Here is a guide to understanding third-party permissions in your workspace. If you cannot get the company that created a third-party integration to sign a business associate agreement, you must remove the app from your workspace.

4. Train all employees in the workspace

Both HIPAA’s privacy and security rules mandate employee training as part of your organizational controls to protect PHI. Training is explicitly listed as one of the administrative safeguards within the security rule. Employees that can access PHI must undergo HIPAA privacy and security awareness training at a minimum. All employees at any organization should undergo cybersecurity training, but it is legally mandated for workers with access to PHI.

One great way to make your training more efficient is to integrate it into Slack with other parts of your compliance program. Haekka’s Slack integration allows users to complete compliance training without context switching, leading to higher engagement and completion rates. Haekka was built to support the needs of remote-first companies that leverage modern tools like Slack. If you want to check out Haekka for yourself, schedule a demo with one of our founders today!

5. Secure your Slack workspace

Securing Slack itself is the final step in getting it ready to be used in a compliant manner. A good starting point is to require all users in your workspace to use two-factor authentication. This prevents unauthorized access to your workspace even if one of your users' credentials are compromised. Slack’s API can monitor how your employees are using Slack and creates detailed access logs for any events that affect the privacy and security of PHI. You should also have audit logs to verify your team is protecting sensitive data.

Slack also recommends using an external data loss prevention (DLP) integration. DLP apps will monitor your Slack workspace to make sure there is no unauthorized access or disclosure of PHI. They will automatically scan for messages or files that contain PHI and ensure they are being used properly. A DLP supports HIPAA compliance by verifying that your organization is continuously following the policies and procedures necessary to maintain compliance. You must sign a BAA with any third-party DLP providers in your Slack workspace.
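
To make the checks in steps 2 and 5 concrete, here is an added example (not Slack's or Haekka's code, and not a substitute for a DLP product) that flags accounts without two-factor authentication and PHI-like content posted in public channels. The sample data is constructed; the field names `has_2fa`, `deleted`, `is_bot` and `is_private` follow Slack's user and conversation objects, and the PHI patterns, especially the MRN format, are assumptions.

```python
import re

# Constructed sample data shaped like Slack Web API user, conversation
# and message objects. None of it comes from a real workspace.
USERS = [
    {"id": "U01", "name": "alice", "has_2fa": True, "deleted": False, "is_bot": False},
    {"id": "U02", "name": "bob", "has_2fa": False, "deleted": False, "is_bot": False},
    {"id": "U03", "name": "old-account", "has_2fa": False, "deleted": True, "is_bot": False},
]
CHANNELS = {
    "C01": {"name": "general", "is_private": False},
    "C02": {"name": "care-team", "is_private": True},
}
MESSAGES = [
    {"channel": "C01", "ts": "1644300000.000100",
     "text": "Patient DOB: 04/12/1987, SSN 123-45-6789, can someone call them?"},
    {"channel": "C02", "ts": "1644300100.000200", "text": "MRN: 00482913 needs a follow-up"},
    {"channel": "C01", "ts": "1644300200.000300", "text": "Lunch at 12?"},
]

# Illustrative patterns only. The MRN format is an assumption; real formats vary.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\W{0,3}\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\b\W{0,3}\d{6,10}\b", re.I),
}

def users_without_2fa(users):
    """Active human accounts that have not enabled two-factor authentication."""
    return [u["name"] for u in users
            if not u.get("deleted") and not u.get("is_bot") and not u.get("has_2fa")]

def scan_messages(messages, channels):
    """One finding per message with PHI-like content; public channels rank high."""
    findings = []
    for m in messages:
        kinds = sorted(k for k, rx in PHI_PATTERNS.items() if rx.search(m["text"]))
        if not kinds:
            continue
        ch = channels[m["channel"]]
        severity = "info" if ch["is_private"] else "high"
        # Record identifiers only, never the matched text, so the report holds no PHI.
        findings.append({"channel": ch["name"], "ts": m["ts"],
                         "kinds": kinds, "severity": severity})
    return findings

if __name__ == "__main__":
    print("No 2FA:", users_without_2fa(USERS))
    for finding in scan_messages(MESSAGES, CHANNELS):
        print(finding)
```

The findings carry only the channel name, timestamp and pattern names, so the report itself can be stored alongside other audit logs without copying PHI into it.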

Conclusion

By following the steps in this guide you should be ready to set up your Slack workspace to comply with HIPAA. It’s important to note that setting up Slack or other applications to follow HIPAA rules does not mean you achieve HIPAA compliance. If your employees share PHI outside of permitted uses it is a HIPAA violation regardless of how your Slack is set up. Actually using PHI within Slack will be covered in an upcoming post, so be sure to subscribe to our blog!

It can also be helpful to contact Slack directly with any questions about making your Slack HIPAA compliant. Slack Enterprise Grid comes with a premium support team for your Slack account, so you should be able to get the assistance you need to get your workspace to be HIPAA compliant.

For more information about HIPAA compliance, employee HIPAA training, or security awareness feel free to contact us today! Haekka was founded by two leaders with decades of experience in healthcare and cybersecurity. Find out more about how Haekka can support HIPAA compliance at your organization by visiting haekka.com!