At Slack, we are committed to ensuring that the data you share is always protected.
Slack complies with many broadly recognized standards and offers tools to help customers meet their compliance requirements. Companies that are subject to HIPAA (the Health Insurance Portability and Accountability Act of 1996), such as health plans, health-care providers, health insurance companies, health benefit providers, and the many businesses that provide them with services, can configure Slack Enterprise Grid to support HIPAA-compliant collaboration. When Slack is helping these customers carry out health-care activities or functions, Slack is a vendor/service provider classified as a business associate (BA) under HIPAA.
Health-care organizations using Slack while maintaining HIPAA compliance
Share protected health information confidently
Enterprise Grid is Slack’s solution for large, complex organizations. It includes all of the security and governance functionality you expect in an enterprise solution but with an intuitive, consumer-software-like experience that results in a high rate of adoption.
When configured and used according to Slack’s specific requirements for HIPAA entities, teams collaborating on Enterprise Grid can share Protected Health Information (PHI) within direct, group and channel messaging, and in file uploads.
Control your company’s use of Slack
Compliance monitoring is not one-size-fits-all. Slack Enterprise Grid provides APIs to support monitoring of access, activity and data in customer workspaces. This ensures that every company can implement tools and processes that are right for them. You can use Slack’s Discovery APIs and set up an external Data Loss Prevention (DLP) provider to enforce message and file restrictions and export message and file content for HIPAA compliance.
Slack partners with many best-of-breed providers that may already be present in your company.
- Download logs of activity within your Slack workspaces
- Capture events like file downloads, file uploads and admin setting changes
Data Loss Prevention
- API-based with pre-built connectors to leading solution partners
- Integrated DLP solutions have complete access to all content within your enterprise organization
Partner-enabled functionality:
- Monitor messages and files in public channels, private channels and direct messages
- Actively quarantine and remove noncompliant content in near real time
What you should know about using Slack in a HIPAA-regulated environment
Slack Plan Supported: Enterprise Grid
Requirements: Contact Slack to get the Slack Requirements for HIPAA Entities guide
Other tools you will need: DLP solution, SSO solution, backup/archival
- Review and commit to implementing the Slack Requirements for HIPAA Entities guide
- Sign Slack’s business associate agreement (BAA)
- Provide Slack with a list of all Slack orgs or workspaces with which you plan to use PHI
More on Slack requirements for HIPAA entities
- The Slack Requirements for HIPAA Entities guide is the only comprehensive source of implementation requirements.
- Slack may not be used to communicate with patients, plan members, or their families or employers. Patients, plan members, and their families or employers may not be added as users or guests to any Slack workspaces or channels.
- While users may discuss Protected Health Information in message content and upload files that contain PHI, users may not include PHI in some specific fields.
- There are restrictions on using email forwarding and ingestion with Slack if transmitting PHI over email.
- There are controls needed if using shared channels to communicate between two separate companies or workspaces.
- Channels in which PHI may be shared through messages or documents should be set as private.
- You must inform your users about how to use and configure Slack so it can be used in compliant ways. You can do so by using various available Slack capabilities such as custom terms of service, customizable bots, mandatory organization-wide channels, pinned posts and PHI deletion notifications.
- There are special considerations for devices, adding users, patient home visits and other situations.