Slack adds HIPAA compliance to its certifications, may be aiming for healthcare sector

February 8, 2019
Medicare Web

Slack, a messaging and chat application for businesses, recently updated its listing of compliance certifications and regulations to include HIPAA. The company also confidentially filed to go public with the Securities and Exchange Commission on Monday. These moves suggest Slack may be working toward functionality that would allow healthcare providers to share sensitive patient health information, CNBC reports.

In addition to the updated list, Slack stated on Twitter that Slack Enterprise Grid is the only version of its product that complies with HIPAA regulations. Enterprise Grid is used by large organizations to connect multiple interconnected workspaces.

According to Slack, the criteria that HIPAA entities must meet to use Enterprise Grid are:

  • Minimum of 250 active Slack workspace members
  • Organization must use a Security Assertion Markup Language (SAML)-based identity provider for single sign-on management
  • Slack's business associate agreement (BAA) only covers protected health information (PHI) shared in files, not messages

Since Slack launched in 2013, other applications, such as Stitch, have been developed specifically for healthcare messaging and also claim to be HIPAA compliant.

Slack’s move may present compliance issues for vendors, notes Chris Apgar, CISSP, president and CEO of Apgar & Associates in Portland, Oregon. “There is more to it than a potentially unsecure channel. This also represents a compliance issue. Even if Slack was secure, any vendors who are business associates would need to execute a BAA with Slack; otherwise it’s a violation of HIPAA,” says Apgar.

The 2013 Final Omnibus Rule expanded the applicability of HIPAA to any business associate (BA) that handles PHI, including BAs that were previously considered subcontractors. HIPAA requires that all covered entities and business associates enter into contracts, known as BAAs. All BAs are responsible for compliance with HIPAA’s Security Rule and are directly liable and subject to civil or criminal penalties for unauthorized uses and disclosures of PHI.

Further, HIPAA compliance refers to having a full-blown information security program, including, but not limited to, company-wide policies, processes, physical security, and technical controls, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts.

“Technical controls follow policies and are not the driver of HIPAA compliance. What Slack probably means by saying that file uploads are HIPAA compliant is that the technology underlying file uploads employs adequate security,” Borten says.
