Summary

  • Adopting Slack creates new challenges for healthcare companies. You’ll need to use the Enterprise Grid Plan and configure it very carefully. 
  • Make sure you only use Slack for internal communications. It can never be used to speak with patients. 
  • All employees with access to PHI in Slack must be trained on HIPAA’s privacy rule. 
  • Your employees must not use Slack to store people’s designated record sets. 
  • That’s why Slack recommends you deploy a third-party DLP solution like Polymer when you use the Enterprise Grid Plan as a healthcare organization. 

So, you’re a healthcare organization that’s started using Slack? Chances are, you want to help your employees communicate and collaborate more effortlessly, and you’ve heard on the grapevine that Slack is the collaboration tool to use.

We’ve heard the same. Slack adoption is soaring. The company generated $902 million in revenue between March 2020 and April 2021—a 43% increase year-on-year. 

But, while some organizations can adopt Slack without a second thought, healthcare companies like yours need to be more cautious. After all, you handle personal health information (PHI) and are, therefore, subject to the Health Insurance Portability and Accountability Act (HIPAA). 

How to use Slack compliantly as a healthcare organization

If you’re thinking about adopting Slack in your healthcare organization, or have already done so, here are some do’s and don’ts to bear in mind so that you maintain HIPAA compliance. 

Don’t: Think Slack is compliant by default 

Adopting Slack creates new challenges for healthcare companies. While you can make the app HIPAA compliant with some fine tuning and upgrades, it does not inherently comply with HIPAA unless you follow a few steps. 

Firstly, you’ll need to opt for the Enterprise Grid Plan. This is the only plan Slack offers that supports HIPAA compliance. Once you’ve done this, you’ll also need to enter a Business Associate Agreement (BAA) with Slack. Essentially, your organization agrees that Slack is a business associate, collaborating with you to achieve HIPAA compliance in the application. 

While this all sounds straightforward, healthcare organizations must be cognizant that achieving HIPAA compliance in Slack is still challenging, even with the Enterprise Grid Plan. 

This is because Slack leaves it up to you and your IT team to securely configure the application. Even with the Enterprise Grid Plan, Slack is not inherently HIPAA compliant. Your administrators will need to verify that Slack’s Discovery APIs (Application Programming Interfaces) are properly deployed.

Do: Educate Slack users on HIPAA policies 

Even with APIs correctly deployed, you’ll still need to make sure that your employees are following the rules regarding how they handle PHI. All employees with access to PHI must be trained on HIPAA’s privacy rule. Moreover, all employees must receive cybersecurity and awareness training as outlined in HIPAA’s security rule. 

How you deliver training is up to you, but some mechanisms are definitely more effective than others. Rather than opting for one-way security talks, why not consider a more real-time solution? Polymer data loss prevention (DLP) features in-app nudges, which alert users to behaviors that could compromise the security of PHI. 

Research indicates that this persuasive form of user training is far more effective than traditional classroom exercises. 

Don’t: Use Slack for external communications 

Slack can be used for internal collaboration, but it is categorically not allowed for communicating with patients or external parties. Slack itself states that users must not use the platform in this way. 

The good news is that, given the restrictions of Slack Enterprise Grid, it’s unlikely that your patients or customers will use the plan. 

If you do want to communicate with patients using a chat platform, opt for one that is specifically designed for healthcare organizations and HIPAA compliance. This is the safest way forward. 

Do: Ensure all employees understand their responsibilities to protect PHI 

It’s common for healthcare organizations to make use of contractors and subcontractors and, yep, Slack is how they communicate. To ensure HIPAA compliance in these circumstances, you should draw up another BAA, where you provide expectations about how each party must handle PHI and their liabilities. 

We recommend including clauses that explain how the business associate is expected to interact with Slack in regards to HIPAA compliance.

Don’t: Use Slack as a system of record for PHI 

Your employees must not use Slack to store people’s designated record sets. By designated record sets, we mean data relating to medical records, billing records, payment and claims records, health plan enrollment records, case management records, and so on. 

There’s a solid reason for this. You see, under HIPAA, patients can request access to their designated records at any point, and you will have 30 days to deliver this data, or risk facing a penalty for failing to comply. 

As we’ve already covered, Slack can’t be used to communicate with patients, so storing designated record sets on the platforms creates a host of unnecessary hurdles to fulfilling access requests. 

Moreover, Slack itself notes that its platform should not be used for storing PHI or other health information. Doing so is in violation of the company’s policy. 

Do: Use third-party data loss prevention (DLP) to bolster compliance 

Towards the beginning of this article, we mentioned that configuring Slack for HIPAA compliance can be pretty tricky. That’s why Slack recommends you deploy a third-party DLP solution when you use the Enterprise Grid Plan as a healthcare organization. 

Here’s the thing, even with employee training and awareness, you can’t rely on your people to get things right 100% of the time. Mistakes always happen at some point or another. While this is ok in some instances, it’s not ok when it comes to incorrectly sharing, deleting or editing PHI. 

That’s where solutions like Polymer DLP for Slack come in. Our solution seamlessly monitors your Slack environment to ensure that PHI stays secure at all times. The tool scans your entire workspace to discover, classify and secure sensitive data. From there, it ensures that only trusted users interact with this data in a compliant way, preventing accidental data leakage and data theft.

As well as this, Polymer DLP scans your environment for evidence of risky misconfigurations, helping you to keep Slack’s APIs compliant with HIPAA 24/7. 

Wrapping up

Ultimately, Slack can be a great way for dispersed healthcare organizations to facilitate employee collaboration and communication, but it needs to be used with caution. Make sure you opt-for the Enterprise Grid Plan and support your Slack rollout with a DLP solution to protect PHI. 

To learn more about how Polymer DLP helps you meet HIPAA obligations in Slack, click here or contact us to schedule a demo. 

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.

SHARE

Get latest blogs delivered to your inbox