How to Make Slack HIPAA Compliant in 2020
Earlier this year, as Slack filed for its IPO, the company also updated its security page to indicate that it offers a HIPAA compliant messaging solution. Since then, Slack has created documentation around its HIPAA compliant features and encourages interested parties to contact their support team for full details. We’ve written a FAQ that addresses some of the more common questions about Slack & HIPAA compliance that we’ve seen others ask.
1. Is Slack HIPAA compliant?
Slack Enterprise Grid can be set up to be HIPAA compliant when the right controls are in place. This is because Slack Enterprise Grid has features that no other version of Slack offers including, for example, the ability to implement your own encryption keys for even greater control over data visibility within your workspaces. It’s important to note, though, that Slack Enterprise Grid isn’t HIPAA compliant out of the box. According to Slack’s help page on HIPAA, businesses must meet certain requirements and install specific controls, such as data loss prevention, before their implementation of Slack can be considered HIPAA compliant.
2. What’s needed to make Slack HIPAA compliant?
Slack’s HIPAA-Compliant Collaboration with Slack document outlines the general process that’s required to make Slack HIPAA compliant. First, HIPAA regulated entities that wish to use Slack must contact the company. Slack will then send the Slack Requirements for HIPAA Entities guide which must be reviewed and agreed to. Finally, HIPAA entities using Slack must sign and execute a business associate agreement (BAA) with Slack. Slack also notes that it might be necessary to enter a BAA with some third-party application providers, like Nightfall or other services in the Slack App Directory. If you choose to work with other service providers, you should speak with them directly to confirm whether or not you’ll need a BAA. The Slack requirements guide, as well as Slack’s BAA, will provide the most comprehensive details on the exact configuration and controls you’ll need in place within Slack. However, the documentation Slack has made publically available broadly illustrates how Slack is intended to be used within a healthcare environment.
3. How is Slack intended to be used in a HIPAA compliant environment?
In a blog post published in July, Slack describes three hypothetical use cases involving a HIPAA compliant Slack Enterprise Grid implementation. These indicate that Slack is only intended to be used between the staff of practitioners and providers. Indeed, both the help center and the Slack document we’ve referenced indicate that: “Slack may not be used to communicate with patients, plan members, or their families or employers.”
Another consideration is that, as of the date of this post, Slack says sharing PHI using features other than messaging and file uploads will put you at risk of violating HIPAA. Furthermore, any channels where PHI is shared must be set as private. Slack’s documentation further specifies other important limitations. For example, there are restrictions on email forwarding Slack messages containing PHI.
To better understand these requirements, you should consult Slack’s HIPAA help center page and the HIPAA-Compliant Collaboration with Slack document, both of which we’ve referenced several times in this post. Covered entities that are interested in Slack should have a clear idea of the use case they envision in light of the details these documents provide and then use them to determine if Slack fits within their existing compliance framework.
4. How does a service like Nightfall make Slack HIPAA compliant?
HIPAA Security Rule standards contain provisions that require regulated entities to audit the attempted access and use of PHI as well as train employees around the proper handling of PHI. Nightfall allows organizations to monitor communication channels like the ones in Slack for PHI. Controls can be put in place to prohibit the sharing of PHI over inappropriate channels, and admins can implement messaging that educates users about the appropriate contexts for sharing PHI. These features can be set up in a matter of minutes and turned into workflows for automated rule enforcement on your Slack channels.
If you’re interested in learning more about Nightfall DLP for Slack, take a look at our guide. To see Nightfall in action and start a free trial, schedule a demo below.