The demand for remote healthcare services has increased telehealth and telemedicine uptake among medical practices, prompting them to seek out compatible and convenient communication tools for providers and patients. In their search for the appropriate platform, healthcare professionals encounter a popular software: Slack.
Slack is a powerful communication tool that enables organizations to communicate essential business information among employees effectively. Slack facilitates collaboration, is quick to set up, and is easy to use, attracting more and more businesses to use the platform for internal communication.
However, with the sensitive medical and patient information involved in remote healthcare services and office functions, it's right not to jump in right away and use Slack for telemedicine services. You must first know:
Is Slack HIPAA compliant?
Let's look at Slack and see whether it abides by HIPAA regulations and what complications the application has for telemedicine use.
What does it mean to be HIPAA compliant?
The Health Insurance Portability and Accountability Act (HIPAA) is United States federal legislation enacted in 1996. Its privacy and security rules set the conditions under which covered entities (providers, health plans, clearinghouses) and their business associates may use and disclose protected health information (PHI), and the safeguards they must apply while doing so.
To be HIPAA compliant, you must adhere to those rules whenever you create, receive, store, or transmit PHI.
The HIPAA Privacy Rule defines when PHI may be used or disclosed and what protections covered entities must apply without obstructing the delivery of care. Health information becomes PHI when it is tied to an identifier such as:
- Street address
- Telephone numbers
- Fax numbers
- Email addresses
- Social security number
- Biometric identifiers
The HIPAA Security Rule adds administrative, physical, and technical safeguards for PHI held or transmitted in electronic form (ePHI), which is what matters when health information technology such as telemedicine is used to deliver care and engage patients.
HIPAA requires a covered entity to have a written business associate agreement (BAA) with every business associate (BA) that handles PHI on its behalf. The BAA sets out each party's responsibilities for protecting PHI, including permitted uses, safeguards, and breach notification. When the HHS Office for Civil Rights investigates or audits a covered entity, a business associate, or a subcontractor, producing the BAA is one of the first things it asks for, so a vendor that will not sign one cannot be used for PHI.
The 2013 Omnibus Rule made business associates and their subcontractors directly liable for HIPAA compliance, not just contractually bound by the covered entity, and raised the penalty tiers that the HHS Office for Civil Rights (OCR) can apply to non-compliant covered entities and business associates.
Under these rules, covered entities and business associates may use or disclose ePHI only as the Privacy Rule permits (for example, for treatment, payment, and healthcare operations) or with the patient's written authorization, and they must implement the administrative, physical, and technical safeguards required by the Security Rule in their compliance program. Those safeguards span technology, policies and procedures, workforce training, and sanctions for staff who violate them.
Violating HIPAA exposes your practice to civil penalties and, for knowing misuse of PHI, criminal charges. It also damages your reputation and your career. HIPAA compliance is therefore non-negotiable when choosing a telemedicine communication platform.
And that leads us back to the initial question of whether Slack is HIPAA compliant and compatible with telemedicine.
How do you make Slack HIPAA compliant?
Slack's standard plans are not offered for HIPAA use: Slack will not sign a BAA for them, and they lack the administrative controls (enforced SSO, audit log export, retention and DLP hooks) that a covered entity needs to meet the Security Rule. Given the platform's popularity and rapid growth, the company developed a separate plan tier for large organizations, including healthcare providers: Slack Enterprise Grid.
Slack Enterprise Grid is a separate plan tier rather than a different app; it is designed for large organizations with many workspaces to administer centrally.
The company's idea was to develop an upgraded version of the existing application that would "meet the rigorous security needs of customers in highly regulated industries," as Geoff Belknap, the chief security officer at Slack, stated back in 2017.
Slack Enterprise Grid’s security features include:
- Data encryption
- Message retention
- Support for audit logs and data loss prevention (DLP)
On paper, these features align with the HIPAA technical safeguards. The Slack Enterprise Grid platform also produces detailed access logs and lets administrators remotely terminate sessions and sign out specific users when necessary.
Two-factor authentication is available on every Slack plan, but on the enterprise plan administrators can make it mandatory for every member or replace passwords entirely with SAML single sign-on through the organization's identity provider. That reduces the risk of unauthorized access through a stolen or phished password, which is a significant risk for a healthcare organization; it does not protect an unlocked phone or laptop, so device locks and remote sign-out still matter.
The enterprise platform also keeps offsite backups. The HIPAA Security Rule's contingency plan standard requires a data backup plan, and Slack's SOC 2 and SOC 3 attestations, which follow NIST-aligned control frameworks, cover how that backup and recovery process is operated.
By taking a deeper look into Slack's enterprise solution, we encounter quite a few grey areas that make its HIPAA compliance complicated. It also becomes evident that Slack Enterprise Grid offers minimal functionality for healthcare organizations' needs.
Slack Enterprise Grid has HIPAA compliance complications.
Slack's Help Center says it all. Read its list of requirements and limitations for HIPAA compliance and it becomes clear that the enterprise version leaves a lot of work to the customer.
Let's break down each of these requirements and limitations so you can better understand their implications and the amount of effort necessary to make Slack HIPAA compliant.
What does switching to the Slack Enterprise Grid plan mean for HIPAA compliance?
The enterprise solution is only available to organizations that, essentially, already pass the following conditions:
- Already use Slack
- Have 250 members on their Slack account
That puts Slack Enterprise Grid out of reach for small and medium-sized practices. Even if you have more than 250 employees, you must purchase the standard package first and wait for Slack to verify that you have 250 active workspace accounts before you become eligible for Enterprise Grid.
That adds a step that takes several days at the very least before you can even begin the other requirements, such as signing a BAA, needed to make the Enterprise Grid platform from Slack HIPAA compliant.
Signing a business associate agreement with Slack.
You must contact Slack and request to sign a BAA with them before you can start using the platform for handling ePHI.
The BAA makes you, the healthcare provider, responsible for supplying several of the required controls yourself, including:
- SAML-based SSO
- Audit log solutions
- Data backup archives
Where Slack does not supply these, you have to find third-party providers to fill the gaps and sign additional BAAs with each of them, since each one will also handle ePHI.
You may think that Slack handles data loss prevention, but it doesn’t.
When Slack says that the Enterprise Grid version offers support for data loss prevention (DLP), it means that a third-party DLP product can be integrated with the platform. Unlike a platform built for HIPAA end to end, such as Curogram, which ships with the required mechanisms and safeguards, Slack Enterprise Grid only exposes the hooks for these features and does not provide them by default, creating another task you need to take care of before using it for telemedicine.
Slack Enterprise Grid cannot be fully HIPAA compliant on its own. It falls on you, the healthcare provider, to procure, configure, and contract for the controls Slack does not provide, which complicates its use for healthcare providers.
The biggest issue with using Slack for telemedicine: You can't communicate with patients via Slack.
The biggest issue with Slack Enterprise Grid is that Slack does not permit using it to communicate directly with patients.
"The only way medical workers can utilize Slack is to exchange medical information amongst themselves, and only as messages and files."
Slack states explicitly that other Slack features, such as voice calls, are not covered for HIPAA use. That means you have to type out patient information or a visit summary if you want to share it with a colleague via Slack.
Plus, you have to manually input that information into your EHR, meaning you or your office staff spend a better part of your day handling administrative tasks rather than providing care to your patients.
And you have to find a completely different solution than Slack to interact with your patients and go through the entire process of ensuring it's HIPAA compliant before you can promote online scheduling and virtual visits — the cornerstone of telemedicine.
Even if Slack Enterprise Grid could be (in theory) HIPAA compliant, that doesn't mean it's a viable solution for healthcare organizations. Slack is simply a tool for internal communication for large organizations — Slack is not a HIPAA-compliant telemedicine solution for medical practices.
Alternatives built for healthcare deliver HIPAA compliance without a painful configuration stage and without restrictions on how they can be used as telemedicine platforms.
Why do healthcare providers need to offer remote services?
As technology advances, the needs of customers evolve. Healthcare is no exception — as the popularity of telemedicine increases, patients worldwide expect to easily connect with their healthcare providers online through their smartphones, tablets, and computers.
Whether you want to offer remote services temporarily or want to include virtual visits and online appointment scheduling in your core services, there are a few things to consider when selecting a telemedicine solution.
What to look for in a telemedicine solution?
Healthcare professionals should focus on treating patients rather than solving complex IT riddles and wasting their time on redundant administrative tasks. A telemedicine solution should:
- Be easy for patients to use
- Be easy for medical staff to use
- Have HIPAA-compliant staff messaging
- Mimic the standard work environment
A telemedicine platform should be easy for patients to use.
When choosing a telemedicine solution, consider how your patients interact with it. You want to avoid complex apps that patients might find confusing. There is no need for the application to be fancy and have dozens of different options before scheduling an appointment.
Curogram offers a simpler, faster, more straightforward solution. When a patient schedules an appointment through your website, Curogram enables you to send them a templated text message to confirm their appointment. The templates are easily customizable, and you can adjust them according to your business needs in minutes.
For example, upon receiving the text message, patients can choose between an in-person and a virtual appointment. Curogram's messaging platform is fully HIPAA compliant and supports two-way text messaging: patients receive reminders on their phone, can message back if they wish to reschedule, and get a link to join the virtual waiting room for online appointments.
A telemedicine solution should be easy to use for providers.
Telemedicine software should be easy to use from the healthcare providers' perspective, providing workflows that closely resemble in-person appointments and enable the doctors, medical assistants, and other medical staff to do their jobs as efficiently as possible.
In a telemedicine solution, you need virtual waiting rooms that enable the medical staff to properly prep and intake the patient before they see the doctor online. That saves time, allowing admittance of 40+ patients a day.
Curogram lets you take care of everything from a single dashboard:
- Communicating with patients before the visit
- Hosting video chats between providers and patients
- Sending intake forms and checking patients in
- Sending visit summaries to patients
Curogram also integrates with over 700 EHRs, meaning all the relevant medical information, including visit summaries, is automatically stored in your electronic health record, so there's no need for double data entry.
Telemedicine solutions should have HIPAA-compliant staff messaging.
Without HIPAA-compliant staff messaging, your employees could share PHI through consumer apps on their phones, which can be extremely risky because of unauthorized access. Plus, these apps may not follow the HIPAA technical safeguards, meaning the possibility of compromised sensitive patient information.
Curogram includes a HIPAA-compliant messaging platform for medical staff, enabling them to share medical information quickly. With Curogram, your employees can:
- Quickly upload medical files and share ePHI in a completely secure environment
- Get in touch with colleagues in seconds, whenever necessary
The platform assigns your practice a local number, so patients always receive texts from the same phone number. Staff members can forward messages and requests to colleagues whose expertise is needed to answer patients' questions, ease their concerns, or provide medical advice.
Transition to telemedicine quickly with Curogram.
A fully HIPAA-compliant telemedicine solution, like Curogram, takes care of all your business needs and allows you to implement remote services in your practice with ease. Our telemedicine solution enables the compliant, modern communication that patients want.
Switching to telemedicine or simply integrating remote services can prove challenging for most practices. Sub-par solutions that don't offer EHR integration or address all of your telemedicine needs — like Slack Enterprise Grid — waste your time and cause unwanted stress.
Choose a telemedicine solution that mimics your standard work environment and enables easy communication with patients without having to worry about technical aspects or whether you are adhering to HIPAA regulations.
While Slack may be HIPAA compliant for extremely limited uses, alternatives like Curogram offer a complete telemedicine solution.