The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that requires privacy and security protections for protected health information (PHI). If you’re a covered entity or business associate subject to HIPAA, Slack can be configured to support PHI within uploaded files and message content.
When a covered entity or business associate has executed a business associate agreement with Slack and is using Enterprise Grid to transmit, upload or communicate about PHI, Slack is deemed a business associate.
Requirements and limitations
Before Slack can support your HIPAA compliance, you must review and agree to implement the guidelines in our Requirements for HIPAA Entities. Please note the following:
You must be using the Slack Enterprise Grid subscription.
You must execute a business associate agreement.
You may not use Slack to communicate with patients, subscription members or their families or employers.
Members of your organisation may include PHI only in messages and files; PHI may not be included when using any other Slack feature.
You are responsible for using Slack APIs to implement tools and processes that monitor your members' use of Slack. You will need Slack's Discovery APIs, and we recommend connecting an external data loss prevention (DLP) provider to enforce restrictions on messages and files and to manage exports.
Slack does not maintain the designated record set and should not be the system of record for your health information.
Slack does not have a business associate agreement with any third-party application provider, including those in the Slack Marketplace, so you are responsible for determining whether an agreement with an application provider is necessary before enabling its app.
Note: Sending emails to Slack is not possible in organisations configured for HIPAA compliance.
Request more information
If you'd like to learn more about Slack and HIPAA, get in touch with us. We're happy to provide you with more information.