As digital transformation continues post-COVID, more organizations, including those covered by HIPAA, will seek out SaaS solutions that make collaboration easier. Fortunately, more and more applications like Slack are enabling HIPAA compliant use. In early 2019, as Slack filed for its IPO, the company also updated its security page to provide details on its qualifications as a HIPAA compliant messaging app. Slack provides a lot of documentation to help guide HIPAA covered entities seeking to use the platform and encourages them to contact its support team for additional details. Below is a FAQ we've put together to help direct your conversation with Slack.
1. Is Slack HIPAA compliant?
The standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant. Slack states in their supplement to their Terms of Service specifically for healthcare customers (found here, as of this writing):
Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate” as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced (“HIPAA”), and that the Services are not HIPAA compliant. Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services. Customer agrees that we cannot support and have no liability for PHI received from Customer, notwithstanding anything to the contrary herein.
Slack Enterprise Grid can be set up to be HIPAA compliant when the right controls are in place. This is because Slack Enterprise Grid has features that no other version of Slack offers including, for example, the ability to implement your own encryption keys for even greater control over data visibility within your workspaces. It’s important to note, though, that Slack Enterprise Grid isn’t HIPAA compliant out of the box. According to Slack’s help page on HIPAA, businesses must meet certain requirements and install specific controls, such as data loss prevention, before their implementation of Slack can be considered HIPAA compliant.
Achieving HIPAA compliance requires putting in place a Business Associate Agreement (BAA), which is a written contract between a Covered Entity and a Business Associate. HIPAA requires it by law. Slack does not have a BAA available publicly on its website, so you should contact the company directly for further information on this.
Slack Enterprise Grid pricing is not available on their website – you’ll need to contact them for pricing. The website states that the service is for managing “multiple interconnected Slack workspaces across your entire company,” meaning it is primarily designed for very large organizations.
2. What’s needed to make Slack HIPAA compliant?
As Slack states, to maintain compliance while using all versions of Slack, you’ll need to make sure not to “use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services.”
Slack’s HIPAA-Compliant Collaboration with Slack document outlines the general process that’s required to make Slack HIPAA compliant. First, HIPAA regulated entities that wish to use Slack must contact the company. Slack will then send the Slack Requirements for HIPAA Entities guide, which must be reviewed and agreed to. Finally, HIPAA entities using Slack must sign and execute a business associate agreement (BAA) with Slack. Slack also notes that it might be necessary to enter into a BAA with some third-party application providers, like Nightfall or other services in the Slack App Directory. If you choose to work with other service providers, you should speak with them directly to confirm whether you’ll need a BAA. The Slack requirements guide, as well as Slack’s BAA, will provide the most comprehensive details on the exact configuration and controls you’ll need in place within Slack. However, the documentation Slack has made publicly available broadly illustrates how Slack is intended to be used within a healthcare environment.
3. How is Slack intended to be used in a HIPAA compliant environment?
In a blog post published in July of 2019, Slack describes three hypothetical use cases involving a HIPAA compliant Slack Enterprise Grid implementation. These indicate that Slack is only intended to be used between the staff of practitioners and providers. Indeed, both the help center and the Slack document we’ve referenced indicate that: “Slack may not be used to communicate with patients, plan members, or their families or employers.”
Another consideration is that, as of the date of this post, Slack says sharing PHI using features other than messaging and file uploads will put you at risk of violating HIPAA. Furthermore, any channels where PHI is shared must be set as private. Slack’s documentation further specifies other important limitations. For example, there are restrictions on forwarding Slack messages containing PHI by email.
To better understand these requirements, you should consult Slack’s HIPAA help center page and the HIPAA-Compliant Collaboration with Slack document, both of which we’ve referenced several times in this post. Covered entities that are interested in Slack should have a clear idea of the use case they envision in light of the details these documents provide and then use them to determine if Slack fits within their existing compliance framework.
4. How does a service like Nightfall make Slack HIPAA compliant?
HIPAA Security Rule standards contain provisions that require regulated entities to audit the attempted access and use of PHI as well as train employees in the proper handling of PHI. Nightfall allows organizations to monitor communication channels like the ones in Slack for PHI. Controls can be put in place to prohibit the sharing of PHI over inappropriate channels, and admins can implement messaging that educates users about the appropriate contexts for sharing PHI. These features can be set up in a matter of minutes and turned into workflows for automated rule enforcement on your Slack channels.
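To make the three requirements above concrete (audit the use of PHI, block it on inappropriate channels, and remind users of the right context), here is an added example written for this post; it is not Nightfall's or Slack's own code. It scans constructed Slack-like messages for PHI-shaped strings, allows them only in private channels as the previous section requires, quarantines them elsewhere with a reminder to the sender, and writes an audit record with the PHI itself redacted. The Message record, the two PHI patterns (a generic SSN shape and an invented "MRN-" record-number convention), the channel names, and the policy are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """Constructed, Slack-like message record used for this example."""
    channel: str
    is_private: bool
    user: str
    text: str


# Hypothetical PHI detectors. The SSN shape is generic; the "MRN-" medical
# record number convention is invented for this example.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-?\d{6,8}\b", re.IGNORECASE),
}

# Assumed policy: PHI is permitted only in private channels; anywhere else
# the message is quarantined and the sender receives a short reminder.
USER_REMINDER = (
    "Your message appears to contain PHI. PHI may only be shared in private "
    "channels approved for staff use, never in public channels."
)


def find_phi(text: str) -> list[str]:
    """Return the sorted names of the PHI pattern types found in text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def redact(text: str) -> str:
    """Replace every PHI match so the audit trail never carries the PHI itself."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[REDACTED-{name.upper()}]", text)
    return text


def evaluate(msg: Message) -> dict:
    """Apply the assumed policy to one message and return the decision."""
    kinds = find_phi(msg.text)
    if not kinds:
        return {"action": "allow", "phi": [], "remind_user": False}
    if msg.is_private:
        # Permitted location, but still recorded for the access/use audit.
        return {"action": "allow_and_log", "phi": kinds, "remind_user": False}
    return {"action": "quarantine", "phi": kinds, "remind_user": True}


def audit_record(msg: Message, decision: dict) -> str:
    """One line for the audit trail, with the detected PHI redacted."""
    return (f"channel={msg.channel} private={msg.is_private} user={msg.user} "
            f"action={decision['action']} phi={','.join(decision['phi']) or '-'} "
            f"text={redact(msg.text)!r}")


def run(messages):
    """Evaluate a batch of messages and return (decisions, audit lines)."""
    decisions = [evaluate(m) for m in messages]
    lines = [audit_record(m, d) for m, d in zip(messages, decisions)]
    return decisions, lines


# Constructed sample traffic: one harmless message, one PHI leak into a
# public channel, one PHI mention inside an approved private channel.
SAMPLE_MESSAGES = [
    Message("#general", False, "alice", "Lunch at noon?"),
    Message("#general", False, "bob", "Can someone pull the chart for MRN-0012345?"),
    Message("#care-team-private", True, "carol", "Patient SSN 123-45-6789 verified for intake."),
]

if __name__ == "__main__":
    decisions, lines = run(SAMPLE_MESSAGES)
    for d, line in zip(decisions, lines):
        print(line)
        if d["remind_user"]:
            print("  reminder ->", USER_REMINDER)
```

Two design points carry over to any real deployment: the audit record redacts the matched strings, because a log that stores PHI becomes PHI itself; and the reminder is sent only when a message is quarantined, so the educational nudge arrives at the moment a user actually needs it. Pattern matching of this kind will produce false positives and misses, so a production control would pair it with review workflows and broader detectors.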
If you’re interested in learning more about Nightfall DLP for Slack, watch the video below or read this case study to learn how Capital Rx, a leader in pharmaceutical benefits management, leverages Nightfall to ensure HIPAA compliance in SaaS apps like Slack. You can also take a look at our post on the 4 Best Practices for Healthcare Teams Using Slack. To see Nightfall in action and start a free trial, schedule a demo below.
Capital Rx CTO & Co-founder Ryan Kelly uses Nightfall DLP to mitigate PHI exposure in Slack before it can escalate in severity