Yes, Slack can be configured to be HIPAA compliant. In this post we will discuss what it takes to operate a Slack account while remaining HIPAA compliant.
Things to Keep in Mind when Using Slack
Do not assume the configuration settings of Slack are optimized for HIPAA compliance by default. It is important to understand that meeting HIPAA requirements combines the technical security control settings in Slack with administrative security controls you are responsible for carrying out.
You must consider each Slack feature on a case by case basis to identify what security controls are available and ensure those controls do not violate your established security procedures.
Choosing the Right Slack Plan for HIPAA Compliance
Slack Enterprise Grid
Note: For users of Slack’s non-enterprise plans, or those that cannot set up a BAA with Slack Enterprise Grid, HIPAA compliance is not possible and you should keep searching for a compliant team collaboration software that fits your needs. BAAs are only available to Slack Enterprise Grid customers.
Slack Enterprise Grid software meets the required certification and regulation criteria that enable it to be optimized for HIPAA compliance. From encrypting data in transit and at rest to an enterprise encryption key management solution, Slack has thought of everything when it comes to keeping PHI (Protected Health Information) secure.
For even more details on the security controls available in Slack, check out this amazing Security at Slack White Paper for a complete high-level overview of the latest features for 2019. These controls may not be enabled by default, so your team will need to configure them to match your own security procedures.
Contact Gazelle Consulting if you have any questions about configuring Slack.
How to Sign a Business Associate Agreement with Slack
The official Security at Slack page lists all the certifications and regulations Slack complies with, including HIPAA. As of April 2019, the instructions on the Security at Slack page ask that you use this slack.com contact form to “request requirements for HIPAA entities”. When you receive a response from Slack, tell them that you may use Slack to handle PHI and would like to set up a business associate agreement.
Deciding if Slack is HIPAA Compliant for You
When choosing HIPAA compliant software, consider your existing security management process. Any collaborative software that stores or transmits PHI should be able to encrypt data, securely store content entered by users, enforce role-based authorization, enable secure encryption key management, track user activity, and provide any other features that support your HIPAA compliance processes.
Adding new software to information systems that process your PHI is a development you will want to handle with great deliberation and care. Any additional software or tools you add should enhance your HIPAA compliant healthcare services, not cause more vulnerabilities.
Takeaways
- Slack Enterprise Grid can be configured for HIPAA compliance
- Other Slack plans cannot be configured for HIPAA compliance
- Slack will sign a Business Associate Agreement (BAA)
Are you unsure if Slack is the right communication and collaboration platform to support your healthcare services?
Gazelle Consulting is here to help! Call us today at (503) 389-5666 or email us at info@gazelleconsulting.org. We can answer all of your HIPAA compliance questions and help you feel as confident as a lion in a grassy savanna.