

How to Make Slack HIPAA Compliant in 2021

by Michael Osakwe Published Nov 25, 2019

As digital transformation continues post-COVID, more organizations, including those covered by HIPAA, will seek out SaaS solutions that make collaboration easier. Fortunately, more and more applications like Slack are enabling HIPAA compliant use. In early 2019, as Slack filed for its IPO, the company also updated its security page to provide details on its qualifications as a HIPAA compliant messaging app. Slack provides a lot of documentation to help guide HIPAA covered entities seeking to use the platform and encourages them to contact its support team for additional details. Below is a FAQ we’ve put together to help direct your conversation with Slack.

1. Is Slack HIPAA compliant?

Slack Enterprise Grid can be set up to be HIPAA compliant when the right controls are in place. This is because Slack Enterprise Grid has features that no other version of Slack offers, including, for example, the ability to bring your own encryption keys for greater control over data visibility within your workspaces. It’s important to note, though, that Slack Enterprise Grid isn’t HIPAA compliant out of the box. According to Slack’s help page on HIPAA, businesses must meet certain requirements and put specific controls in place, such as data loss prevention, before their implementation of Slack can be considered HIPAA compliant.

2. What’s needed to make Slack HIPAA compliant?

Slack’s HIPAA-Compliant Collaboration with Slack document outlines the general process that’s required to make Slack HIPAA compliant. First, HIPAA regulated entities that wish to use Slack must contact the company. Slack will then send the Slack Requirements for HIPAA Entities guide which must be reviewed and agreed to. Finally, HIPAA entities using Slack must sign and execute a business associate agreement (BAA) with Slack. Slack also notes that it might be necessary to enter a BAA with some third-party application providers, like Nightfall or other services in the Slack App Directory. If you choose to work with other service providers, you should speak with them directly to confirm whether you’ll need a BAA. The Slack requirements guide, as well as Slack’s BAA, will provide the most comprehensive details on the exact configuration and controls you’ll need in place within Slack. However, the documentation Slack has made publicly available broadly illustrates how Slack is intended to be used within a healthcare environment.

3. How is Slack intended to be used in a HIPAA compliant environment?

In a blog post published in July of 2019, Slack describes three hypothetical use cases involving a HIPAA compliant Slack Enterprise Grid implementation. These indicate that Slack is only intended to be used between the staff of practitioners and providers. Indeed, both the help center and the Slack document we’ve referenced indicate that: “Slack may not be used to communicate with patients, plan members, or their families or employers.”

Another consideration is that, as of the date of this post, Slack says sharing PHI using features other than messaging and file uploads will put you at risk of violating HIPAA. Furthermore, any channel where PHI is shared must be set as private. Slack’s documentation further specifies other important limitations. For example, there are restrictions on forwarding Slack messages that contain PHI by email.

To better understand these requirements, you should consult Slack’s HIPAA help center page and the HIPAA-Compliant Collaboration with Slack document, both of which we’ve referenced several times in this post. Covered entities that are interested in Slack should have a clear idea of the use case they envision in light of the details these documents provide and then use them to determine if Slack fits within their existing compliance framework.

4. How does a service like Nightfall make Slack HIPAA compliant?

HIPAA Security Rule standards contain provisions that require regulated entities to audit attempted access to and use of PHI, and to train employees in the proper handling of PHI. Nightfall allows organizations to monitor communication channels like the ones in Slack for PHI. Controls can be put in place to prohibit the sharing of PHI over inappropriate channels, and admins can configure messaging that educates users about the appropriate contexts for sharing PHI. These features can be set up in a matter of minutes and turned into workflows for automated rule enforcement on your Slack channels.
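To make the two requirements above concrete (PHI only in private channels, and detection paired with user education), here is an added example of the kind of check a DLP workflow runs over Slack messages. It is illustrative code written for this post, not Nightfall’s or Slack’s implementation: the messages are constructed sample data, the two detector patterns are simplified placeholders for a real PHI classifier, and the alert text is redacted so the finding itself does not carry PHI.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not real data and not Slack API output). The fields
# mirror what a channel export carries: channel name, privacy flag, message text.
SAMPLE_MESSAGES = [
    {"channel": "care-team", "is_private": True,
     "text": "Patient MRN 12345678 admitted overnight, follow up tomorrow."},
    {"channel": "general", "is_private": False,
     "text": "Lunch is in the kitchen."},
    {"channel": "general", "is_private": False,
     "text": "Can someone pull the chart for SSN 123-45-6789?"},
    {"channel": "random", "is_private": False,
     "text": "Call me at 555-0100 about the budget."},
]

# Illustrative PHI indicator patterns. Assumption: a production detector covers
# many more identifiers and validates matches; two regexes are enough to show the flow.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,10}\b", re.IGNORECASE),
}

# Educational note delivered to the sender when PHI lands where it should not.
GUIDANCE = ("PHI may only be shared in private channels with the care team; "
            "please delete this message and re-post it in the appropriate private channel.")


@dataclass
class Finding:
    channel: str
    detector: str
    violation: bool   # True when PHI appears outside a private channel
    excerpt: str      # redacted copy of the message, safe to include in an alert
    guidance: str


def redact(text: str) -> str:
    """Mask every matched identifier so the alert itself does not leak PHI."""
    for name, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


def scan_message(msg: dict) -> list[Finding]:
    """Run every detector over one message and apply the private-channel rule."""
    findings = []
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(msg["text"]):
            in_private = msg["is_private"]
            findings.append(Finding(
                channel=msg["channel"],
                detector=name,
                violation=not in_private,
                excerpt=redact(msg["text"]),
                guidance="" if in_private else GUIDANCE,
            ))
    return findings


def scan_messages(msgs: list[dict]) -> list[Finding]:
    """Scan a batch of messages; PHI in a private channel is logged but not a violation."""
    return [f for m in msgs for f in scan_message(m)]


def violations(findings: list[Finding]) -> list[Finding]:
    """Findings an automated rule workflow would act on (notify the sender, log for audit)."""
    return [f for f in findings if f.violation]


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        status = "VIOLATION" if f.violation else "ok (private channel)"
        print(f"#{f.channel}: {f.detector} -> {status}: {f.excerpt}")
        if f.guidance:
            print(f"  sender notice: {f.guidance}")
```

Running the script flags the SSN posted in the public #general channel as a violation with a redacted excerpt and the sender notice, while the MRN in the private #care-team channel is recorded for the audit trail without a violation; the phone number in #random matches neither pattern. The redaction step matters in practice: an alert that quotes the original message verbatim into an email or a public ops channel would itself become another place PHI is exposed.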

If you’re interested in learning more about Nightfall DLP for Slack, take a look at our guide to HIPAA compliance on Slack. To see Nightfall in action and start a free trial, schedule a demo below.
