
Is Slack HIPAA Compliant?

by Michael Osakwe Published Apr 08, 2019

Before reading further, if you’re curious about what HIPAA and PHI are, check out our post What is PHI?

Slack for Teams

The standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant. Slack's own supplement to its Terms of Service for healthcare customers states (as of this writing):

Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate” as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced (“HIPAA”), and that the Services are not HIPAA compliant. Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services. Customer agrees that we cannot support and have no liability for PHI received from Customer, notwithstanding anything to the contrary herein.

Slack Enterprise Grid

Slack's premium product for large enterprises, Enterprise Grid, is the only edition that can be used in a HIPAA-compliant way, and HIPAA is listed on Slack's compliance page. Note that there is no official HIPAA "certification"; what makes the arrangement compliant is a Business Associate Agreement (BAA), the written contract between a Covered Entity and a Business Associate that HIPAA requires by law, together with the safeguards you apply on your side. Slack does not publish its BAA, so you will need to contact them directly to put one in place.

Slack Enterprise Grid pricing is not available on their website – you’ll need to contact them for pricing. The website states that the service is for managing “multiple interconnected Slack workspaces across your entire company,” meaning it is primarily designed for very large organizations.


As Slack states, to stay compliant on any Slack plan that is not covered by a BAA, you must not "use, disclose, transmit or otherwise process any 'Protected Health Information' as defined in HIPAA ('PHI') through the Services."

Please keep in mind that HIPAA regulation is broad in scope & purpose, and no one solution will render you fully compliant – each is one piece of the puzzle, and you will likely need a set of policies, tools, and expertise to help across multiple areas, depending on the nature of your business.

Leveraging Nightfall on your Slack account can enable you to discover, classify, and protect the identifiers that make health data PHI, such as email addresses, phone numbers, social security numbers, and many other classes of sensitive data. In this way, you can detect and remove PHI as soon as it appears in Slack, so you neither violate Slack's Terms of Service nor bring Slack within scope for HIPAA compliance. Keep in mind that an identifier such as a phone number is PHI only when it is tied to health information, so detection is a starting point, not a substitute for policy on what may be posted at all.
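To make the detect-and-redact step concrete, here is an added example of a small scanner for three PHI identifier types in Slack-style messages. It is illustrative code written for this post, not Nightfall's detection engine, and the messages and the regexes are constructed for the example; the point it shows beyond the paragraph is that classification needs validity rules (an SSN cannot start with 000, 666 or 9xx) rather than a bare digit-shape grep, and that redaction must work right to left so offsets stay valid.

```python
"""Added example: regex-based scanner for PHI-type identifiers in Slack messages.
Not Nightfall's code; illustrates the detect-and-redact step the post describes."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of Slack-style messages (fields mirror Slack's message
# shape, but every value is invented for this example).
SAMPLE_MESSAGES = [
    {"ts": "1554735600.000100", "user": "U01",
     "text": "Patient callback: 415-555-0132, chart shows SSN 123-45-6789"},
    {"ts": "1554735601.000200", "user": "U02",
     "text": "Ticket 000-12-3456 is a reference number, not an SSN"},
    {"ts": "1554735602.000300", "user": "U03",
     "text": "Send the discharge summary to j.doe@example.org"},
    {"ts": "1554735603.000400", "user": "U04", "text": "Lunch at noon?"},
]

# Detectors. Each carries validity rules beyond the bare digit shape, which is
# what separates a classifier from a plain grep and keeps false positives down:
#  - SSN: area cannot be 000, 666 or 9xx; group cannot be 00; serial not 0000.
#  - US phone: area code starts with 2-9; optional +1 prefix and parentheses.
#  - Email: conventional local@domain.tld shape.
PATTERNS = {
    "SSN": re.compile(
        r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"),
    "US_PHONE": re.compile(
        r"(?<!\d)(?:\+1[ -]?)?\(?[2-9]\d{2}\)?[ -]?\d{3}-\d{4}(?!\d)"),
    "EMAIL": re.compile(
        r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # which detector fired
    start: int   # character offset of the match in the message text
    end: int
    value: str   # the matched text (would be logged only to a restricted sink)


def scan_text(text: str) -> list[Finding]:
    """Return non-overlapping findings in order of appearance in the text."""
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            found.append(Finding(kind, m.start(), m.end(), m.group(0)))
    # Sort by position, longest first, then drop anything nested inside an
    # earlier match so two detectors never claim the same characters.
    found.sort(key=lambda f: (f.start, -f.end))
    kept, last_end = [], -1
    for f in found:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def redact(text: str) -> str:
    """Replace each finding with a [KIND] token.

    Work from the last finding backwards so that replacing one span does not
    shift the offsets of the findings still to be replaced.
    """
    out = text
    for f in reversed(scan_text(text)):
        out = out[:f.start] + f"[{f.kind}]" + out[f.end:]
    return out


def scan_messages(messages: list[dict]) -> dict[str, list[Finding]]:
    """Map message ts -> findings, including only messages that contain any."""
    return {m["ts"]: fs for m in messages if (fs := scan_text(m["text"]))}


if __name__ == "__main__":
    for ts, fs in scan_messages(SAMPLE_MESSAGES).items():
        print(ts, [(f.kind, f.value) for f in fs])
        print("   ->", redact(next(m["text"] for m in SAMPLE_MESSAGES
                                    if m["ts"] == ts)))
```

In a real deployment the scanner would run on Slack's message events (or on a backfill of channel history) and the `redact` output, or a delete, would be applied through the Slack API by a bot with the narrowest scopes that allow it; the regexes above are deliberately simple and would be supplemented by checksum-bearing identifiers (for example, medical record numbers with a check digit) and by context terms such as "patient" or "diagnosis" to raise confidence.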

Learn more about Nightfall for Slack here, or schedule a demo & start a free trial below.
