Is Slack HIPAA Compliant? The Issues With Using Slack for Telemedicine

Posted by Michael Hsu on 5/22/20 6:15 AM

Slack is a powerful communication tool that lets organizations share essential business information among their employees effectively. Because it facilitates collaboration, is quick to set up, and is easy to use, more and more businesses are opting to use Slack for internal communication.

When it comes to direct communication with patients, the situation is different. Before opting to use Slack as a means of communicating with patients, healthcare providers must first address one major concern.

As is the case with any communication app that would be used for transferring electronic protected health information (ePHI), medical practices must ensure the application in question is HIPAA compliant. 

Is Slack HIPAA compliant?

The standard version of Slack does not comply with any of the HIPAA regulations since it doesn’t provide any technical or administrative safeguards. Given the popularity of the platform and Slack’s rapid growth, the company decided to develop a separate solution geared towards larger organizations, including healthcare providers. 

This resulted in the Slack Enterprise Grid — an application built on a completely different code base from the standard Slack app and developed with companies of over 500 employees in mind.

The company’s idea was to develop an upgraded version of the existing application that would “meet the rigorous security needs of customers in highly regulated industries,” as Geoff Belknap, Chief Security Officer at Slack, stated back in 2017. 

The added security features include: 

  • Data encryption
  • Message retention
  • Support for audit logs and Data Loss Prevention (DLP) 

On paper, these features perfectly align with HIPAA rules and regulations. The Slack Enterprise Grid platform also creates detailed access logs and provides administrators with the ability to remotely terminate connections with the app, as well as sign out specific users when necessary. 

Slack Enterprise Grid includes two-factor authentication. The standard app, by contrast, simply requests a username and password and can be set up to log you in automatically when you open it. Two-factor authentication addresses the risk of unauthorized access, which can be significant for a healthcare organization: without it, other people could easily reach PHI through an employee’s phone or computer.

The enterprise platform also creates offsite backups, which is another HIPAA compliance requirement, and is compliant with the National Institute of Standards and Technology (NIST) standards, as well as SOC2 and SOC3 auditing procedures.

That said, if we scratch the surface and take a deeper look into Slack’s enterprise solution, we’ll encounter quite a few grey areas. 

It also becomes evident that, when it comes to the needs of healthcare organizations, the platform offers extremely limited functionality. 

The issues with Slack Enterprise Grid

You don’t have to be an investigative journalist to figure out that there are many issues with Slack Enterprise Grid regarding HIPAA compliance. All you need to do is navigate to Slack’s help center and check out the requirements and limitations regarding Slack and HIPAA.

[Image: Slack Enterprise Grid and HIPAA compliance. Image source: Slack and HIPAA]

Let’s break down each of these requirements and limitations, so you can better understand their implications and the amount of effort necessary to make Slack HIPAA compliant. 

You must switch to the Slack Enterprise Grid Plan

This one is a given, but what exactly does switching to this plan entail? For starters, the enterprise solution is only available to organizations with over 250 active Slack workspace members. 

Essentially, you must:

  1. Already be using Slack
  2. Have 250 members on your Slack account

This means Slack Enterprise Grid is out of the question for small and medium-sized practices. Even if you do have over 250 employees, you would have to first purchase the standard package and wait for Slack to verify you have the 250 active workspace accounts. 

This adds an additional step that would take several days, at the very least, before you can even consider fulfilling all the other requirements to make the enterprise platform HIPAA compliant. 

You must sign a Business Associate Agreement

In and of itself, Slack Enterprise Grid isn’t and cannot be fully HIPAA compliant. Slack can only implement certain security measures that enable you to make the platform HIPAA compliant; it still falls on you as the healthcare provider to work out, for instance, how you’re going to set up external Data Loss Prevention.

This is a typical marketing gimmick on Slack’s part. While they say that Slack Enterprise Grid offers support for Data Loss Prevention (DLP), they mean it’s possible to integrate a third-party DLP solution with the platform. Unlike fully HIPAA compliant platforms, such as Curogram, that were specifically built to include all the required mechanisms and safeguards, Slack can merely support these features, but does not provide them by default. This is another time-consuming task you need to take care of before you can start admitting patients online. 

There’s also the fact that you need to contact Slack directly and request to sign a Business Associate Agreement (BAA) with them before you can start using the platform for any type of protected health information (PHI) transfer. 

These two requirements tie in together because the BAA states that you — the healthcare provider — are responsible for figuring out solutions for other requirements, like: 

  • eDiscovery
  • SAML-based SSO
  • Audit Log solutions
  • Data backup archives

You will have to find third-party providers to fill in these gaps, as well as sign additional BAAs with them, if necessary.

As a healthcare provider, you are also responsible for utilizing the application in a HIPAA-compliant manner. In other words, it’s possible to use Slack Enterprise Grid in a way that is not HIPAA-compliant, so all of your employees would have to be extra careful.

You can’t communicate with patients via Slack

Herein lies the biggest issue with Slack Enterprise Grid — Slack itself doesn’t permit direct communication with patients. 

The only way medical workers can utilize Slack is to exchange medical information amongst themselves, and only as messages and files. 

Slack specifically states that other Slack features, such as voice calls, aren’t HIPAA compliant. This means you’d have to type out all the patient information or the visit summary if you want to share it with a colleague via Slack. Slack also doesn’t offer a HIPAA compliant texting feature, which can be a hassle when communicating with both patients and staff.

Plus, you would have to manually input that information in your EHR, meaning you’d spend a better part of your day handling administrative tasks, rather than providing care to your patients. 

This also implies you would have to find a completely different solution that would enable you to interact with your customers, and go through the entire process of ensuring it’s HIPAA compliant before you can enable online scheduling and virtual appointments. 

Slack vs. Curogram

  Feature                               | Curogram | Slack
  --------------------------------------|----------|------
  Doctor-to-patient communication       | Yes      | No
  HIPAA compliant staff messaging       | Yes      | Yes
  Video platform for online appointments| Yes      | No
  EHR integration                       | Yes      | No
  Two-factor authentication             | Yes      | Yes

Even if Slack Enterprise Grid could be (in theory) made HIPAA compliant, that still doesn’t mean it’s a viable solution for healthcare organizations. Slack is simply a tool for internal communication, and that’s all it will ever be. 

This begs the question — why would you opt for Slack in the first place if it doesn’t allow you to communicate with your patients? The only thing Slack Enterprise Grid provides is the ability to use it for HIPAA compliant staff messaging, albeit after going through a world of trouble to ensure all requirements are met.

That’s why we firmly believe you should look for an alternative that would ensure you stay HIPAA compliant without giving you a headache, all the while enabling you to provide your patients with an advanced telemedicine solution.

Why it’s important for healthcare providers to offer remote services

As technology advances, the needs of customers evolve. Healthcare is no exception — as the popularity of telemedicine increases, patients around the world expect to easily connect with their doctors online, through their smartphones, tablets, and computers. 

Healthcare providers should no longer look at telemedicine as a luxury. The COVID-19 outbreak showed us all that it’s necessary to have a solution in place that would allow patients to reach their healthcare providers remotely. 

This proved to be a challenge for the vast majority of healthcare providers, who were caught off guard by the sudden need to admit their patients online and scrambled to find HIPAA compliant telemedicine solutions at short notice. 

The U.S. Department of Health and Human Services made an exception for the COVID-19 pandemic and issued a Notification of Enforcement Discretion, enabling healthcare organizations to use non-HIPAA compliant solutions for the duration of the emergency. 

Note that this is an exception, and continuing to use non-HIPAA compliant solutions after the emergency would put your practice at great risk. Most of the non-compliant alternatives are not secure, meaning the PHI could be compromised, which is a severe violation of HIPAA rules and regulations—one that would certainly not be overlooked, regardless of the situation.

Most of these patchwork solutions are rather complex and don’t integrate with EHRs. This means you’d have to train your staff on how to use a specific application, they’d have to manually enter the data into your EHR, and there would be no way to mitigate the risks. 

You would also have to drop the solution as soon as the COVID-19 national emergency is over and look for a HIPAA-compliant alternative that would enable you to continue providing remote services to your patients. 

So, why not choose a fully HIPAA compliant solution in the first place, that you could continue using in the future? 

Whether you want to offer remote services temporarily or want to include virtual clinics and online appointment scheduling in your core services, there are a few things to consider when selecting a telemedicine solution.

What to look for in a telemedicine solution? 

In our opinion, doctors should focus on treating patients, rather than solving complex IT riddles and wasting their time on redundant administrative tasks. 

That’s why we believe a telemedicine solution should:

  1. Be easy for patients to use
  2. Be easy for medical workers to use
  3. Enable HIPAA compliant staff messaging
  4. Mimic the old work environment

Easy for patients to use

The first thing you should consider when choosing a telemedicine solution is how your patients will interact with it. You want to avoid complex apps that patients might find confusing. There is no need for the application to be fancy and have dozens of different options that the patient needs to check out before scheduling an appointment. 

Curogram offers a simpler, faster, easier solution. When a patient schedules an appointment through your website, Curogram enables you to send them templated text messages as confirmation of their appointment. The templates are easily customizable, and you can adjust them according to your business needs in minutes.

Upon receiving the text message, customers can choose whether they’d wish to come in person or opt for an online appointment, for instance. Curogram’s messaging platform is fully HIPAA compliant and allows for two-way messaging, meaning you can easily communicate with your patients. They’ll receive reminders on their phones, and can simply message you back if they wish to reschedule. 

For online appointments, you can simply send them a link that they can follow from their phone to join the virtual waiting room. They can download the patient app from there with a single tap, simply type in their email and provide additional documents, such as their medical records or photos, when necessary. 

It doesn’t get any easier than this! 

Easy for medical workers to use

The solution should also be easy to use from the healthcare providers’ perspective. What this means is that a telemedicine solution should provide workflows that closely resemble in-person appointments and enable the doctors, MAs, and other medical staff to do their jobs as efficiently as possible.

Simply providing a video platform isn’t enough. A good telemedicine solution should include virtual waiting rooms and enable the medical staff to properly prep the patients before they get in touch with the doctor online, as well as make it easy to document each visit. MAs and doctors can see every patient in the waiting room, including each patient’s waiting time. 

The staff can prepare patients beforehand, and any available doctor can start a video chat with a patient as soon as they are ready. This saves doctors a ton of time, allowing them to simply focus on the appointment and admit up to 40+ patients a day, without having to worry about administrative work.

Curogram lets you take care of everything from a single dashboard: 

  1. Sending smart SMS reminders (through easily customizable templates)
  2. Communicating with patients prior to the visit
  3. Hosting video chats between doctors and patients
  4. Sending intake forms and checking patients in
  5. Sending visit summaries to your patients

Our advanced telemedicine solution also integrates with over 700 EHRs, meaning all the relevant medical information, including visit summaries, is automatically stored in your electronic health records, so there’s no need for double data entry. 

Curogram EHR integrations include:

  • eClinicalWorks
  • Athena
  • Epic
  • Cerner
  • DrChrono
  • NextGen
  • Practice Fusion
  • CareCloud
  • Kareo
  • OfficeAlly

Enables HIPAA compliant staff messaging

Curogram includes a HIPAA compliant messaging platform for your staff, enabling them to easily share medical information with each other. 

With Curogram, your employees can:

  • Quickly upload medical files and share PHI in a completely secure environment
  • Get in touch with colleagues in seconds, whenever necessary 

Without HIPAA compliant staff messaging, your employees would have to resort to sharing PHI through consumer apps on their phone, which can be extremely risky since non-medical staff may have access to their phones. On top of that, these apps don’t follow the HIPAA technical safeguards, meaning the sensitive patient information could be compromised. 

The platform assigns your practice a local number, so patients will always receive texts from the same phone number. Staff members can simply forward messages and requests to their colleagues when their expertise is required to answer customers’ questions, ease their concerns, or provide medical advice.

Your employees can also chat on the platform in-between appointments, given that the information shared between them is fully encrypted and only accessible by the parties participating in the conversation. 

They can also create groups where they can discuss work and other topics while they’re on “standby” to help pass the time and maintain the feeling of being in a business environment, even while working from home. 

Quick and painless transition to telemedicine with Curogram

Switching to telemedicine or simply integrating remote service can prove quite challenging for most practices. 

First, you have to take the time to find a proper solution — and we don’t mean one that can be made HIPAA compliant. It also has to be intuitive, easy to use, and allow patients to quickly contact your practice and efficiently manage their health information in a secure environment. 

Relying on free video chat options that don’t align with HIPAA rules and regulations, have poor connections, and are susceptible to errors will likely reflect poorly on your practice's reputation. If customers aren’t satisfied with the remote services you provide, they’ll likely leave bad reviews, which will inevitably lead to significant loss of revenue. 

Sub-par solutions that don’t offer EHR integration or simply solve one of your problems — like Slack Enterprise Grid with staff messaging — will lead to your doctors and staff wasting valuable time on answering the phone, sending voice mail reminders, manually entering the data in your EHR, scrambling to find a viable video platform, and figuring out how to share PHI and send visit summaries to patients.

This isn’t only extremely time-consuming — it’s also incredibly stressful. Keep in mind that this is a new work environment for your employees, and stressing over all of these things might have a negative impact on their mental health. That’s why you ideally want a telemedicine solution that mimics the work environment they’re used to and enables them to easily communicate amongst themselves and with patients, without having to worry about the technical aspects of the solution. 

A fully HIPAA compliant solution, like Curogram, takes care of all your business needs and allows you to implement remote services in your practice with ease. Our telemedicine solution enables compliant, modern communication between doctors. 

Curogram also provides a HIPAA compliant platform for secure staff messaging, EHR integration, smart SMS reminders, and a plethora of other useful features that allow you to dedicate more time to your patients. 
