Is Slack HIPAA Compliant?

Guide to HIPAA compliance on Slack. Learn about using Slack in a HIPAA compliant way.

Before reading further, if you're curious about what HIPAA and PHI are, check out our posts What is HIPAA? and What is PHI?

Slack for Teams

The standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant. Slack states in their supplement to their Terms of Service specifically for healthcare customers (found here, as of this writing):

Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate” as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced (“HIPAA”), and that the Services are not HIPAA compliant. Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services. Customer agrees that we cannot support and have no liability for PHI received from Customer, notwithstanding anything to the contrary herein.

Slack Enterprise Grid

Slack's premium product designed for large enterprises, called Enterprise Grid, offers HIPAA compliance. The HIPAA certification is listed on their website here. Achieving HIPAA compliance requires putting in place a Business Associate Agreement (BAA), which is a written contract between a Covered Entity and a Business Associate; HIPAA requires such an agreement by law. Slack does not have a BAA available publicly on their website, so you should contact them directly for further information on this.

Slack Enterprise Grid pricing is not available on their website - you'll need to contact them for pricing. The website states that the service is for managing "multiple interconnected Slack workspaces across your entire company," meaning it is primarily designed for very large organizations.

Compliance

As Slack states, to maintain compliance while using any version of Slack, you'll need to make sure not to "use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services."

Please keep in mind that HIPAA regulation is broad in scope and purpose, and no single solution will render you fully compliant. Each is one piece of the puzzle, and you will likely need a set of policies, tools, and expertise covering multiple areas, depending on the nature of your business.

Leveraging Watchtower on your Slack account can enable you to discover, classify, and protect certain forms of PHI, such as email addresses, phone numbers, social security numbers, and many other classes of sensitive data. In this way, you can immediately detect and remove forms of PHI that may appear in Slack, so you do not violate Slack's Terms of Use or bring Slack within scope for HIPAA compliance.

Learn more about Watchtower for Slack here, or schedule a demo and start a free trial here.
