Is Slack HIPAA Compliant?
Before reading further, if you’re curious about what HIPAA and PHI are, check out our post What is PHI?
Slack for Teams
The standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant. Slack states in their supplement to their Terms of Service specifically for healthcare customers (found here, as of this writing):
Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate” as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced (“HIPAA”), and that the Services are not HIPAA compliant. Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services. Customer agrees that we cannot support and have no liability for PHI received from Customer, notwithstanding anything to the contrary herein.
Slack Enterprise Grid
Slack’s premium product designed for large enterprises, called Enterprise Grid, offers HIPAA compliance. The HIPAA certification is listed on their website here. Achieving HIPAA compliance requires putting in place a Business Associate Agreement (BAA), which is a written contract between a Covered Entity and a Business Associate; HIPAA requires it by law. Slack does not have a BAA available publicly on their website, so you should contact them directly for further information.
Slack Enterprise Grid pricing is not available on their website – you’ll need to contact them for pricing. The website states that the service is for managing “multiple interconnected Slack workspaces across your entire company,” meaning it is primarily designed for very large organizations.
As Slack states, to stay compliant while using any version of Slack that is not covered by a BAA, you’ll need to make sure not to “use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA (“PHI”) through the Services.”
Please keep in mind that HIPAA regulation is broad in scope & purpose, and no one solution will render you fully compliant – each is one piece of the puzzle, and you will likely need a set of policies, tools, and expertise to help across multiple areas, depending on the nature of your business.