Slack Guide for HIPAA Entities

Revised: June 12, 2023

Slack, through its enterprise-level product plans, is able to offer Covered Entities and Business Associates a way to use Slack services (the “Services”) in a manner consistent with their compliance obligations. Customers that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and intend to transmit, upload, or communicate about protected health information (“PHI”) through the Services must sign a Business Associate Agreement (“BAA”) with Slack and use the Services in accordance with the Requirements Section of this Guide for HIPAA Entities (“Guide”), which are also incorporated in the Salesforce BAA Restrictions Article. For clarity, Slack is an Affiliate of Salesforce, and references to "Salesforce" that may be in Customer’s contract or BAA include Slack.

In addition to the Requirements for entering PHI through the Services, this Guide contains important configuration considerations. Please read this entire document and ensure that the limitations conform with your intended use of the Services. You must ensure that your Workforce members (as defined by HIPAA) are familiar with these requirements and limitations before provisioning access to them.

We may update or revise this Guide from time to time. We will provide you with notice of material changes and an updated copy through your owner or administrator. For more information about your company’s BAA or this Guide, please contact your Slack sales representative. Capitalized terms not defined in this Guide have the meanings given to them in HIPAA.

Requirements

Prerequisites to BAA Coverage

  1. Enterprise-Level Slack Plan: You must purchase an enterprise-level Slack plan. Slack’s enterprise plans offer capabilities to monitor and remove activity and content in your workspaces.

  2. Advance Notice to Slack of Permitted Organizations or Workspaces or Purchase of the “Slack - HIPAA Enabled” SKU. To ensure workspaces are properly provisioned and supported, Slack must be made aware in advance of organizations or workspaces in which Customer intends to submit, collect, or use PHI.

    Prior to March 20, 2023, Customer must have notified Slack in advance in writing (email ok) of the name and URL of each organization or workspace with which Customer intends to submit, collect, or use PHI and received confirmation in writing (email ok) that HIPAA readiness had been enabled. On or after March 20, 2023, Customer must purchase Slack HIPAA Enabled along with a covered enterprise plan (as well as sign a BAA).

    Please note: for Enterprise Grid customers, Slack will enable the backend HIPAA flag for all workspaces within the designated organization, including new workspaces later created within that organization. BAA coverage will NOT automatically extend to every organization or workspace owned by a given Customer, only to those appropriately designated as HIPAA-enabled.

Required Slack Use Limitations for PHI

By purchasing Slack, you have available the full capabilities of the purchased Services. However, if you or your users transmit, upload, or communicate about PHI through the Services, you must comply with the following limitations:

  1. Slack Users. The Services are designed for work collaboration but may not be used to communicate with patients, plan members, or their families or employers. Patients, plan members, and their families or employers may not be added as users or guests to any Slack workspaces or channels.
  2. PHI-Prohibited Slack Fields. Users may not include PHI in any of the following:
    1. File names
    2. Channel names
    3. Canvas names
    4. Slack user profile data
    5. Custom Slack profile fields
    6. Custom emoji names
    7. Custom statuses
    8. Workspace or Organization name or URL domain
    9. Enterprise Mobility Management custom messages
    10. The name or handle of user groups
    11. Custom Platform app and workflow metadata, including app name, function name, workflow name, function code, and datastore information
  3. PHI-Permitted Content. Users may include PHI in the contents of messages, files, huddles, video and audio clips, and data submitted to custom apps built by Customer to run on Slack infrastructure.
  4. Support Requests. When initiating a support request through any means—including through a “/feedback” command in a Slack channel, through the Slack website “Contact Us” page, or through Slack’s Live Chat offering—users must not include any PHI in the support request or attach any screenshots or documents that include PHI.
  5. Email Ingestion. Users that transmit or receive any PHI by email must not use Slack’s native email ingestion capabilities to forward emails into Slack.
  6. Slack Connect: Slack Connect allows users from different companies to communicate and collaborate right in Slack. If you use Slack Connect to communicate between two separate organizations, you must ensure that you have the appropriate permissions, where necessary, to share PHI with such recipients and that such communications comply with applicable legal requirements.

Configuration and Use Considerations

We hope you will find Slack makes your work life simpler and more productive. This section highlights some Slack features and limitations we would like you to be aware of as you consider how to configure and use Slack consistent with your HIPAA compliance obligations and risk analysis:

  1. Session Management. Configure single sign-on (“SSO”) to manage access and authorization, and implement other session management requirements (such as session duration limits) for Slack users. Please see Slack’s access and security guides, such as the SSO configuration guide and the guide to managing session duration, for more information. Please note that there are no session timeouts for Slack on mobile devices; mobile users maintain a continuous connection to the Services.
  2. Use of Audit Logs and Data Loss Prevention Tools. Slack provides APIs to support monitoring of access, activity, and data entered into your workspaces. You are responsible for using those APIs to implement your own tools and processes for monitoring your users’ use of Slack, including integration of a Data Loss Prevention (“DLP”) tool for enforcement of message and file restrictions and export. For information on these APIs, please see A guide to Slack’s Discovery APIs and Monitoring workspace events with the Audit Logs API.
  3. Channel Settings. Channels may be set as public or private. Public channels can be viewed or previewed by anybody with access to the workspace; users can browse public channels without restriction. Public channel information (such as channel name, topic and purpose, message content, and files) is visible to all users in your workspaces. Set channels in which PHI may be shared through messages or documents as private. Private channels are visible only to those who have been added to the channel, and to any administrators, owners, and others that may have access to your export or Discovery API tools.
  4. Notifying Your Workforce. The Services include a variety of recommended tools to communicate your HIPAA requirements, including those in this Guide, to your users and guests.
    1. Custom Terms of Service. The Enterprise Grid plan allows you to outline user terms and conditions for your organization in a customized Terms of Service (“TOS”). The customized TOS is presented to new Slack users for agreement when they create accounts in your organization. You can also consider use of pinned posts in org-wide channels (discussed below) or custom messages in your Slack invitation.
    2. Customizable Bots. You can create a bot to communicate notices (e.g., about where PHI may and may not be submitted) and monitor workspace use.
    3. Mandatory Org-Wide Channels. You can default all users into a mandatory org-wide channel to communicate relevant announcements and updates to the entire org.
    4. Pinned Posts. Important notices can be pinned to a channel or message and will remain accessible in the details pane. For example, you can pin a post to a mandatory org-wide channel that reminds users not to include PHI in any support requests.
    5. PHI Deletion Notifications. If your configured DLP tool detects and deletes unauthorized PHI within Slack, you can display a customized notification contextually alongside the deleted post to educate your Workforce. For more information about integrating your DLP tool into Slack’s API, please contact your Account Executive or send our support team a note.
  5. Adding Users. Slack allows you to set default channels for a new user to automatically join. Prior to adding a new user, confirm that the user is directed to the right channels with the appropriate settings. When a user is added to a private channel, the user can see all content in the channel, including information that was shared in the channel before the user was added. Thus before adding a new user to a private channel, confirm access to all content in the channel is appropriate. In addition, do not include PHI in any custom invitations to users to join your workspace or channel.
  6. Patient Home Visits. If using Slack in connection with a patient home visit (e.g., home health nurse), do not connect to the patient’s home WiFi network unless you are using a corporate VPN or other mechanism to obscure the network’s IP address since location may be inferred. If Slack offers location-sharing capabilities, do not enable such capabilities if you utilize Slack in connection with patient home visits.
  7. Device Considerations.
    1. Slack may store some data (like message edits in progress) locally on a device running the Slack app or a browser session. Ensure all devices running Slack apps or browser sessions are encrypted and are properly configured with lock screens that require authentication.
    2. Mobile device notifications may appear on the lock screen of a mobile device. Disable mobile device notifications, or require users to configure lock screen notifications so that no message content is shown before the phone is unlocked.
  8. Sharing Files. Once an uploaded file is shared in any public channel, it cannot be made private again within the team unless the underlying file itself is deleted. Even if unshared from all public channels, file metadata (but not content) still remains available for file searches as long as the file has not been deleted.
  9. Third-Party App Integrations. The Slack App Directory provides third-party tools that integrate with the Services. Slack does not have a BAA with these third parties. It is your responsibility to determine whether a BAA between your company and such third parties is necessary and, if so, handle execution of such directly with the third party. You may choose to restrict third-party tools you have determined are not appropriate for your workspace. For more information on app management, please review the collected resources on managing apps and workflows.
  10. Search, Learning, and Intelligence. Slack trains computer models to improve search and customize the Services for end users within a specific Slack organization. If PHI is submitted to Slack, it may be indexed, stored, and processed to help enable these features (such as autocomplete, ranking of search results, or message highlights) as part of the Services Slack provides to your organization. These improvements apply only to your organization; they are not shared across the Slack service as a whole. Search returns results from all public channels, even if the user is not currently a member of those channels. Search results may also include data from third-party integrations that push content into Slack.
  11. Custom Content and Commands. Slack allows a variety of ways to customize your workspace, like uploading emojis and creating bots. Please carefully review the audience that will have access to any customizations to determine whether PHI may be included as part of any customizations, if applicable. For example, custom emojis and Slackbot responses will be visible to all members of the workspace and so cannot include PHI. In addition, Slack does not support PHI as part of a custom slash command associated with a Slack app (e.g., /[PHI]) but this prohibition does not extend to the parameters input by the user when accessing the slash command.
  12. Data Backup and Emergency Access. You are responsible for implementing backup and recovery procedures for emergency access and archiving of PHI. Slack cannot serve as your system of record for PHI.
  13. Data Retention. You should customize your message and file retention policies according to your needs and HIPAA obligations. Unless earlier deleted by a member of your workspace, Slack will maintain your message and file data for thirty (30) days after your commercial agreement with Slack expires or is terminated. You are responsible for obtaining a copy of any data you wish to retain within thirty (30) days following the expiration or termination of that agreement. To obtain a copy prior to deletion, please use the export capabilities of the Discovery APIs made available as part of the Services.