Slack Files to Go Public, Aims to Act as HIPAA Business Associate

The cloud-based communication tool unveiled its S-1 filing, aiming to utilize its HIPAA certification.

Slack, the San Francisco-based business messaging application company, filed its S-1 form Friday morning, becoming the latest Silicon Valley company to announce plans to go public with a healthcare strategy in mind.

The cloud-based communication tool submitted its S-1 filing with the Securities and Exchange Commission (SEC), almost three months after confidentially filing to go public, specifically outlining plans for a healthcare play through the HIPAA certification that the company secured for its Enterprise Grid in February.

The company has offered "limited support" for HIPAA-regulated organizations utilizing the Enterprise Grid, its top-level subscription plan, since 2017, according to the filing.

Slack aims to act as a HIPAA "business associate," a subset of the federal regulation that performs "certain services for, or on behalf of, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information."

Speculation about Slack's healthcare ambitions has mainly centered on the tool being utilized by providers as a way to share protected health information (PHI), though there are concerns about safeguarding patient data from illegal disclosures and security breaches.

Related: Slack Adds HIPAA Certification, May Be Eyeing Healthcare Sector

Throughout its filing, Slack makes numerous references to its HIPAA certification as an opportunity to venture deeper into healthcare, at one point adding that the company could act as a "HIPAA business associate for certain of our paid customers."

In S-1 filings, companies must provide a comprehensive overview of business operations, including any potential risk factors to the enterprise as it prepares to be publicly traded.

Given that Slack's healthcare future is likely reliant on HIPAA compliance, the company did note that failure to meet its HIPAA obligations might result in "significant civil monetary penalties," "criminal penalties with fines and/or imprisonment," and "contractual liability under the applicable business associate agreement."

In February, Chris Apgar, CISSP, president and CEO of Apgar & Associates in Portland, Oregon, noted to HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders, that Slack could run into trouble with vendors accessing sensitive health information on the service.

Apgar stated that while Slack's HIPAA certification includes a business associate agreement (BAA) that covers PHI, it only applies to data shared in files, leaving data shared in messages exposed. Should Slack's vendors access that data without executing a BAA, Apgar said, the company would violate HIPAA.

Slack also noted that the company may be subject to other state health information and patient privacy laws that differ from HIPAA.

Related: Slack is Setting Itself Up For The $3.5 Trillion Healthcare Sector

Still, the company reiterates throughout its filing that it understands the importance of remaining HIPAA compliant and the consequences of failure to meet federal regulations. These include the risks listed above, as well as damages that could "harm our reputation and adversely affect our business."

Throughout the spring, major technology companies have started migrating from private operations in Silicon Valley to begin publicly trading on Wall Street.

Late last month, ridesharing giant Lyft went public and a few weeks later, its rival Uber filed for its long-awaited IPO, eyeing a larger healthcare play.

Both transportation network companies stated in their respective SEC filings that they have ambitions to utilize their software and transportation capabilities as part of innovative healthcare business strategies. 

Related: Lyft Details Healthcare Risks and Opportunities Ahead of IPO

Related: Uber Registers for IPO, Eyes Healthcare Play