Slack is a proprietary business communication platform built around persistent chat rooms, from channels to direct messages. Through its paid Enterprise Grid plan it gives customers the tooling needed to handle messaging and file collaboration in a way that can satisfy HIPAA requirements. “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that requires privacy and security protections for protected health information (PHI),” and Slack supports organizations that must comply with it by supplying controls for keeping PHI that lives in messages and files secure. Those controls help, but they do not do the job on their own: several steps must be taken by the customer before PHI can be handled on the platform in a compliant way.
Slack Enterprise Grid Plan
When Slack launched it had no features to support HIPAA compliance; those arrived in 2017. The security and peace of mind they bring come at a monetary cost to healthcare customers, and Slack attaches a set of requirements and limitations to its HIPAA support. First, an organization must be enrolled in the Enterprise Grid plan before Slack provides the relevant tools, which include “data encryption at rest and in transit, customer message retention to create an audit trail, and data loss prevention features to ensure that [the] audit trail is maintained come what may.” Of the four plans Slack sells, Enterprise Grid is the only one that supports HIPAA compliance. According to HIPAA Journal, it is built on a different codebase from Slack’s other three offerings and was designed for companies with 500 or more employees.

Second, the organization must sign a Business Associate Agreement (BAA) with Slack. Under the BAA, Slack is treated as a business associate of the organization seeking HIPAA compliance, and only once the agreement is in place can the organization rely on Slack’s HIPAA support. The BAA does not extend to any third-party applications or providers, so the organization must review any additional agreements itself before authorizing external applications that connect to Slack. Finally, Slack must never be used to communicate with patients or plan members, nor with their family members or employers.
PHI should be placed only in message bodies and uploaded files; the organization and its employees should not transmit PHI through any other Slack feature. Supervising and monitoring how employees actually use Slack is left entirely to the organization; Slack does not do it for them. An organization pursuing HIPAA compliance on Slack should therefore work with an external Data Loss Prevention (DLP) provider to enforce restrictions on messaging and file exports. It must also maintain a separate system of record for health information, because the Enterprise Grid plan does not provide one.
Compliance is Offered, Not Guaranteed
Slack offers support to organizations that need HIPAA compliance features. That support is not a guarantee of compliance: neither enrolling in the Enterprise Grid plan nor signing a Business Associate Agreement with Slack makes an organization compliant. Slack leaves turning on the relevant features, and configuring them correctly, to its paying customers. Although it is easily, and often, mistaken as such, the Enterprise Grid plan is not inherently HIPAA compliant; customers must verify for themselves that Slack’s Discovery APIs (Application Programming Interfaces), which feed message and file retention for the audit trail, are properly deployed.
Overall, healthcare organizations using Slack must understand the limits of even the Enterprise Grid plan, and must complete the steps needed for HIPAA compliance before any PHI is sent through the application. Given how sensitive PHI is, the most reliable way to secure that data is with the help of an external Data Loss Prevention provider such as Polymer. Polymer’s Virtual Compliance Officer feature helps keep teams secure, whether in the office or working remotely, by monitoring Slack channels and chat rooms to detect and contain exposures of sensitive data.
HIPAA Journal. “Is Slack HIPAA Compliant?” HIPAA Journal, 18 Apr. 2020, www.hipaajournal.com/slack-hipaa-compliant/.
Slack. “Slack and HIPAA.” Slack Help Center, slack.com/help/articles/360020685594-Slack-and-HIPAA.