Yes, Slack can be configured to be HIPAA compliant. In this post we will discuss what it takes to operate a Slack account while remaining HIPAA compliant.
Do not assume the configuration settings of Slack are optimized for HIPAA compliance by default. It is important to understand that meeting HIPAA requirements combines the technical security control settings in Slack with administrative security controls you are responsible for carrying out.
You must consider each Slack feature on a case-by-case basis to identify what security controls are available and ensure those controls do not violate your established security procedures.
Choosing the Right Slack Plan
For users of Slack’s non-enterprise software, or those that cannot set up a BAA with Slack Enterprise Grid, HIPAA compliance is not possible and you should keep searching for compliant team collaboration software that fits your needs. BAAs are only available to Slack Enterprise Grid users.
Slack Enterprise Grid meets the certification and regulatory criteria that allow it to be configured for HIPAA compliance. From encrypting data in transit and at rest to an enterprise encryption key management solution, Slack has thought of everything when it comes to keeping PHI secure.
For even more details on the security controls available in Slack, check out this amazing Security at Slack White Paper for a complete high-level overview of the latest features for 2019. These controls may not be configured by default, so be aware that your team will need to do the rest. Contact Gazelle Consulting if you have any questions about configuring Slack.
How to Sign a Business Associate Agreement with Slack
The official Security at Slack page lists all the certifications and regulations Slack complies with, including HIPAA. As of 4/4/2019, the instructions on the Security at Slack page ask that you use this slack.com contact form to “request requirements for HIPAA entities”. When you receive a response from Slack, indicate to them that you may use Slack to handle PHI and would like to set up a business associate agreement.
Deciding if Slack is HIPAA Compliant for You
When choosing HIPAA compliant software, consider your existing security management process. Any collaborative software that stores or transmits PHI should be able to encrypt data, securely store content entered by users, enforce role-based authorization, enable secure encryption key management, track user activity, and support any other features that your HIPAA compliance processes require.
Adding new software to information systems that process your PHI is a development you will want to handle with great deliberation and care. Any additional software or tools you add should enhance your HIPAA compliant healthcare services, not cause more vulnerabilities.