Recent moves by the less-than-6-year-old messaging app suggest it may be looking to work with healthcare providers and sensitive patient data.
Editor's note: This story was first published by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders, on Friday, February 8, 2019.
Slack, a messaging and chat application for businesses, recently updated its listing of compliance certifications and regulations to include HIPAA.
The company also confidentially filed with the Securities and Exchange Commission on Monday to go public. These moves suggest Slack may be working toward functionality that would allow healthcare providers to share sensitive patient health information, as CNBC's Christina Farr reports.
In addition to the updated list, Slack stated on Twitter that Slack Enterprise Grid is the only version of its product that complies with HIPAA regulations. Enterprise Grid is used by large organizations to connect multiple interconnected workspaces.
According to Slack, the criteria that HIPAA entities must meet to use Enterprise Grid are:
- Minimum of 250 active Slack workspace members
- Organization must use a Security Assertion Markup Language (SAML)-based identity provider for single sign-on management
- Slack's business associate agreement (BAA) only covers protected health information (PHI) shared in files, not messages
Since Slack launched in 2013, other applications, such as Stitch, have been developed specifically for healthcare messaging and have purported to be HIPAA compliant.
Slack's move may present a compliance issue for vendors, notes Chris Apgar, CISSP, president and CEO of Apgar & Associates in Portland, Oregon.
"There is more to it than a potentially unsecure channel. This also represents a compliance issue. Even if Slack was secure, any vendors who are business associates would need to execute a BAA with Slack, otherwise it's a violation of HIPAA," says Apgar.
The 2013 Final Omnibus Rule expanded the applicability of HIPAA to any business associate (BA) that handles PHI, including BAs that were previously considered subcontractors. HIPAA requires that all covered entities and business associates enter into contracts, known as BAAs. All BAs are responsible for compliance with HIPAA's Security Rule and are directly liable and subject to civil or criminal penalties for unauthorized uses and disclosures of PHI.
Further, HIPAA compliance refers to having a full-blown information security program that includes, but is not limited to, company-wide policies, processes, physical security, and technical controls, though not technical controls alone, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts.
"Technical controls follow policies and are not the driver of HIPAA compliance," Borten says. "What Slack probably means by saying that file uploads are HIPAA compliant is that the technology underlying file uploads employs adequate security."