More and more businesses are joining Slack to improve their internal communications. But when it comes to health care organizations and their needs, the question becomes: is Slack HIPAA compliant? While Slack and messaging apps like it can make collaborating easier and more efficient, there are still many grey areas surrounding its use in healthcare and whether this platform is the right fit for maintaining data privacy and security requirements.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is a living culture that healthcare organizations must implement into their business in order to protect the confidentiality, integrity, and availability of PHI. Now the question is, does Slack abide by these regulations?

HIPAA Compliant Slack

Initially, Slack was not developed for HIPAA compliance. However, steps have been taken to create a specific platform designed for health care organizations, known as Slack Enterprise Grid.

Slack Enterprise Grid was launched separately from Slack in the beginning of 2017. It was constructed on a different code that was made specifically for companies with over 500 employees.

Slack Enterprise Grid addresses several security elements that support HIPAA compliance such as data encryption, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained. The platform also creates detailed access logs and allows administrators to remotely terminate connections and sign off users from all connected devices.

While addressing these security features are important to Slack HIPAA compliance, there is a bit more to HIPAA security regulation and maintaining a HIPAA compliant messaging app than just those elements listed above.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI) that is created, used, or maintained by a covered entity or business associate. When implementing security standards, you must address the following safeguards:

  1. Physical Safeguards: these are the safeguards that your business puts in place to protect the physical security of your offices where PHI or ePHI may be stored or maintained. Some examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is stored.
  2. Technical Safeguards: these are the safeguards that you must put in place to protect the cyber-security of your business. Technical cyber-security safeguards must be implemented in order to protect the ePHI that is maintained by your business. Examples of technical safeguards include firewalls, encryption, and data back-up.
  3. Administrative Safeguards: these are safeguards that you must put in place in order to ensure that staff members are properly trained in order to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.

On February 4, 2018, Slack verified on Twitter that Enterprise Grid is the only version that supports HIPAA compliance. In addition, Slack updated its website confirming that the new platform can be used to share patients’ protected health information securely.

Right now, Enterprise Grid only supports Slack HIPAA compliance for file uploads. Its other features such as direct messaging and channel communications are not compliant and should not be used in relation to PHI. Yet, by the end of 2019 these non-compliant features are expected to be corrected and make Slack HIPAA compliant.

To recap, this still does not make Slack HIPAA compliant entirely–there are limits to how Slack may be used to transmit PHI.

However, even before healthcare organizations implement Slack Enterprise Grid for the limited transmission of PHI, there must be a HIPAA business associate agreement in place. Making Slack HIPAA compliant is a process that should be taken seriously before any PHI is shared.

What is a Business Associate Agreement?

A business associate agreement (BAA) is mandatory as per the HIPAA Rules. A business associate is any organization that is hired to handle PHI on behalf of another organization. Under HIPAA regulation, Slack is considered a business associate. A BAA outlines what business associates can or cannot do with the PHI that they have access to, how they will protect that PHI, how they will prevent unlawful PHI disclosure, and the appropriate method for reporting PHI breaches should such a data breach occur.

A business associate agreement must be executed before any PHI may be shared. If health care providers choose to adopt the Slack Enterprise Grid to transmit PHI, that means that a BAA must be signed before that information can be transmitted. But now the question becomes: will Slack sign a BAA?

Will Slack Sign a Business Associate Agreement?

Slack notes that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate.” This statement suggests that Slack may be prepared to sign a BAA for Slack Enterprise Grid.

Any healthcare organization considering using Slack Enterprise Grid must contact Slack directly before any PHI is transmitted to request a copy of their business associate agreement — if one is offered.

Even if you execute a BAA, it is still possible that Slack Enterprise Grid can be used in a way that is not HIPAA compliant. Caution should always be used to ensure that PHI is not being impermissibly disclosed.

Are you HIPAA Compliant?

HIPAA compliance is your first priority as an organization working in the healthcare sector. In order to comply with HIPAA regulations and standards, you must implement an effective compliance program.

Compliancy Group can help you!

We give healthcare professionals the tools they need to effectively address the full extent of HIPAA regulation. We give your organization confidence in your compliance with our proprietary Achieve, Illustrate, Maintain™ methodology, all housed in our cloud-based app, the Guard. The Guard allows users to address every element of what the law requires to give you peace of mind.

Users are paired with an expert Compliance Coach to walk you through every step of the process and ensure you have a complete understanding of HIPAA.

Find out what your business should be doing for their HIPAA compliance today!