When it comes to using Slack in a HIPAA-compliant manner, apps in the Slack App Directory can potentially access PHI based on the permissions you grant them. Because of this, it’s imperative that you set HIPAA-compliant policies for using Slack and Slack App Directory apps.

Although Slack is often seen as a communication tool, it has become a complete workflow platform for highly efficient businesses. Much of the power of Slack comes from using it to connect various apps and SaaS services to each other. There is significant value in sending notifications and actions from SaaS apps to Slack, centralizing communications and common workflows to increase efficiency.

The way this works in Slack is that apps, sometimes called bots, are connected to and installed in Slack. The most common way to connect these third-party apps is through the Slack App Directory. Two of the most common third-party Slack apps are Google Drive and Zoom. The Google Drive app, once installed, sends notifications from Drive files and also allows Slack users to modify file permissions within Google Workspace. The Zoom Slack app allows users to start and join Zoom meetings from within Slack. These are two popular examples, but there are thousands of integrations that businesses take advantage of on a daily basis.

Slack apps rely on permissions to perform actions in your Slack workspace. These permissions may include the ability to read user information, channel membership, and sometimes the messages within channels. Because an app from the Slack App Directory can potentially access PHI based on the permissions you grant it, you must implement HIPAA-compliant policies for the Slack apps you install.

HIPAA Third Party Risk

HIPAA has many specific requirements, but the general one is to prevent unauthorized access to protected health information (PHI).
If Slack is used to exchange PHI, third-party Slack applications may access that PHI. According to HHS:

The Privacy Rule requires a covered entity to obtain satisfactory assurances from its business associate that the business associate will adequately protect protected health information it receives or creates on behalf of the covered entity.

This means that if you want to give a third-party Slack app access to PHI, which is the case whenever a third-party Slack app has access to messages in a channel that contains PHI, then you must put a business associate agreement in place with the maker of that app before granting it permission to access PHI.

Apps from the Slack App Directory

If you want to use Slack to exchange PHI, there are a few things you need to do with your Slack account. Slack is clear about these guidelines, and the latest Slack requirement highlights the earlier point about third-party Slack apps:

Slack does not have a business associate agreement with any third-party application providers, including those found in the Slack App Directory, so it is your responsibility to determine whether an agreement is necessary with an application provider before enabling the access.

Slack is clearly not responsible under HIPAA for the data it shares with third-party Slack apps. It is your responsibility to ensure that you have adequate protections and safeguards, codified in business associate agreements, with third-party Slack applications that could potentially access PHI.

Slack App Directory Apps as Business Associates

Third-party Slack apps that have access to channels containing PHI must be considered business associates under HIPAA. HIPAA requires business associates to put security measures in place to protect PHI. These protections are defined in business associate agreements. This is easier said than done if you don’t have clear policies and training on how employees should use Slack in a HIPAA-compliant way.
Protect apps in the Slack App Directory for HIPAA

If you use Slack for HIPAA compliance, the first step is to audit all of your third-party Slack apps. This audit should include a review of each application’s permissions, or authorizations. The easiest way to do this is to go to an app in Slack, click the “About” tab, and then click “Settings.” This takes you to a web page that lists all the authorizations the app has in your Slack workspace. Below the permissions is a list of the channels the app has access to, and at the bottom you can remove the app from Slack or from specific channels as needed. If you want to learn more about security and HIPAA compliance for a particular app maker, click the “Security and Compliance” tab at the top to view additional information.

You must contact the app maker to obtain an executed business associate agreement for any application with access to PHI.

Unfortunately, this is not a one-time process. Regardless of the rules in place about who can install third-party Slack apps in your workspace, you should audit all of your third-party Slack apps on a regular basis, ideally quarterly.

Using Slack in a HIPAA-compliant way is not difficult, but it does require due diligence on every third-party Slack app that is installed and on the data it can access. If you want to train employees on how to use Slack for HIPAA compliance, check out Haekka’s HIPAA Training for Slack course, delivered 100% in Slack.
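The quarterly audit described above is a join between three facts you transcribe from each app’s Settings page: the scopes it holds, the channels it has been added to, and whether an executed business associate agreement is on file with its maker. The following is an added example, not Haekka’s or Slack’s code, that encodes that triage over a constructed inventory with hypothetical app names. The scope names are real Slack OAuth scope identifiers, but the choice of exactly which scopes count as "can read PHI" is an assumption to check against Slack’s current scope reference.

```python
"""Quarterly audit of third-party Slack apps against PHI channels.

Added example; this is not Haekka's or Slack's code. It runs over a constructed
inventory shaped like what you transcribe from each app's Settings page in Slack
(granted scopes, channels the app is in, whether a BAA is on file) and flags the
apps that can read content in a PHI channel without an executed business
associate agreement, together with the remediation the article describes.
"""
from __future__ import annotations

from dataclasses import dataclass

# Slack OAuth scopes that grant access to message or file content. The scope
# names are real Slack scope identifiers; treating exactly this set as "can read
# PHI" is an assumption to review against Slack's current scope reference.
CONTENT_SCOPES = frozenset({
    "channels:history", "groups:history", "im:history", "mpim:history",
    "files:read", "search:read",
})


@dataclass(frozen=True)
class InstalledApp:
    name: str
    scopes: frozenset[str]       # scopes shown on the app's Settings page
    channels: frozenset[str]     # channels the app has been added to
    baa_executed: bool           # signed BAA on file with the app maker?


@dataclass(frozen=True)
class Finding:
    app: str
    phi_channels: tuple[str, ...]
    content_scopes: tuple[str, ...]

    def remediation(self) -> str:
        # The two options the article gives: get the agreement, or pull the app
        # out of the channels that carry PHI.
        return (f"{self.app}: obtain an executed BAA or remove the app from "
                + ", ".join(self.phi_channels))


def content_scopes(app: InstalledApp) -> list[str]:
    """Scopes held by the app that expose message or file content."""
    return sorted(app.scopes & CONTENT_SCOPES)


def audit(apps: list[InstalledApp], phi_channels: list[str]) -> list[Finding]:
    """Apps that can read content in a PHI channel with no BAA in place.

    An app with only metadata scopes (users:read, channels:read, commands) is
    not flagged even when it sits in a PHI channel: it can see that the channel
    exists and who is in it, but not the messages.
    """
    phi = set(phi_channels)
    findings = []
    for app in apps:
        exposed = tuple(sorted(app.channels & phi))
        scopes = tuple(content_scopes(app))
        if not exposed or not scopes:
            continue  # no path from this app to PHI message content
        if app.baa_executed:
            continue  # exposure is covered; re-verify the agreement next quarter
        findings.append(Finding(app.name, exposed, scopes))
    return findings


# Constructed inventory: hypothetical app names and scopes, not real products.
INVENTORY = [
    InstalledApp("file-sync-app", frozenset({"channels:read", "files:read", "users:read"}),
                 frozenset({"#general", "#patient-intake"}), baa_executed=False),
    InstalledApp("meeting-app", frozenset({"commands", "users:read"}),
                 frozenset({"#general", "#patient-intake"}), baa_executed=False),
    InstalledApp("ticket-bot", frozenset({"channels:history", "chat:write"}),
                 frozenset({"#billing-phi"}), baa_executed=True),
    InstalledApp("analytics-bot", frozenset({"channels:history", "channels:read"}),
                 frozenset({"#general", "#billing-phi", "#patient-intake"}), baa_executed=False),
]
PHI_CHANNELS = ["#patient-intake", "#billing-phi"]

if __name__ == "__main__":
    for finding in audit(INVENTORY, PHI_CHANNELS):
        print(finding.remediation(), "(scopes:", ", ".join(finding.content_scopes) + ")")
```

Run against the constructed inventory, the audit flags file-sync-app (it holds files:read in #patient-intake with no agreement) and analytics-bot (channels:history in both PHI channels), while meeting-app passes because it holds only metadata scopes and ticket-bot passes because a BAA is on file. Keeping the PHI channel list explicit, rather than inferring it from channel names, forces the policy decision about which channels may carry PHI to be written down, which is the part the article says most teams lack.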
*** This is a syndicated Security Bloggers Network blog from haekka-blog written by Haekka Blog. Read the original post at: https://www.haekka.com/blog/hipaa-and-slack-app-directory-apps