It seems like every startup in Silicon Valley uses Slack nowadays. Customers and prospects also ask us about Slack and whether it is HIPAA compliant. We know the healthcare industry that HIPAA governs is vast, so we understand how many people in this sector need to use cloud-based services.
In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:
The purpose of this post is to determine whether Slack offers a HIPAA compliant service.
Slack is a wildly popular set of cloud-based team collaboration tools and services. Launched in August 2013, Slack takes its name from the acronym Searchable Log of All Conversation and Knowledge.
Slack and the Business Associate Agreement
We've previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate; HIPAA requires it by law. We checked Slack's site and found a Terms of Service supplement page called Customer-Specific Supplement (Effective: November 17, 2016). On that page, Slack states: "Customer acknowledges that we are not a Business Associate or subcontractor (as defined in HIPAA) and that the Services are not HIPAA compliant. Customer must not submit, collect or use any "personal health information" as defined in 45 CFR §160.103 ("PHI"), with or to the Services. Customer agrees that we have no liability for PHI received from Customer, notwithstanding anything to the contrary herein."
Does Slack Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate. Although Slack's Terms of Service supplement specifically states that Slack is not a Business Associate and does not offer a BAA, we found more recent information in other sections of its site.
Slack Updates and Changes
We also found a Slack Updates and Changes page from February 2017 that states: "Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant." On the Security at Slack page, Slack lists HIPAA under its Compliance certifications and regulations section.
As of today, it appears that only Slack's Enterprise Grid plan offers HIPAA compliance, and only with the DLP and eDiscovery support noted above. Because the Terms of Service supplement and the newer pages say different things, we highly recommend contacting Slack directly to confirm that a BAA is available for your plan before any PHI is placed in the service.