Is Slack HIPAA Compliant?

To answer the question "Is Slack HIPAA compliant?", one has to look at its functions and, more importantly, the mechanisms it has in place to protect the integrity of Protected Health Information at rest and in transit. One also has to look at the content of the company's Business Associate Agreement.

Slack – an acronym for “Searchable Log of All Conversation and Knowledge” – is a real-time messaging and file-sharing app that also has search engine capabilities. Many businesses have implemented Slack as an effective collaboration tool so that team members can communicate without the use of email and SMS messaging.

In addition to being used for intra-business communications, Slack has also developed into a public platform. Private channels allow members of a larger group to conduct private conversations, and these private channels often expand into the public domain. This would imply that the answer to the question "Is Slack HIPAA compliant?" is a resounding "No"!

The Introduction of Slack Enterprise Grid

In order to overcome data security concerns, Slack Enterprise Grid was released in 2017 – a revised version of the basic app that allows administrators to control permissions and configure integrations on a per-workspace basis. The new app also incorporates several features that would appear to resolve the issues preventing Slack from being HIPAA compliant. The new features include:

  • Data encryption at rest and in transit.
  • Customer message retention (to maintain an audit trail).
  • Support for data loss prevention via off-site backups.

In addition, mechanisms exist to remotely terminate connections, create access logs, and support two-factor authentication. Slack Enterprise Grid is compliant with the NIST standards required by HIPAA, is SOC 2 and SOC 3 certified, and has achieved ISO/IEC 27001 and 27018 certification for its information security systems and the protection of personally identifiable information.

Is Slack HIPAA Compliant? It's Still Unclear

Despite displaying the HIPAA logo on its security page and claiming that "organizations in highly regulated industries can take advantage of Slack's FINRA and HIPAA Offerings" in the blog post announcing the introduction of Slack Enterprise Grid, the Terms of Service for Healthcare Customers would imply something different. The Terms read:

"Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a "Business Associate" as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced ("HIPAA"), and that the Services are not HIPAA compliant."

Although this leaves the door open for a Covered Entity to enter into a written agreement with Slack, there is no indication that such an agreement would constitute a Business Associate Agreement as required by HIPAA. Furthermore, it has been reported that, despite its enhanced controls, Slack Enterprise Grid can still be used in a manner that is not compliant with HIPAA.

We recommend that Covered Entities still wishing to use Slack as a HIPAA compliant tool seek professional legal advice about any written agreement offered. Even if the agreement is appropriate and the platform is configured to prevent non-compliant use, policies and procedures will still need to be implemented – and employees trained – in order for the Covered Entity to use Slack in compliance with HIPAA.