Is Slack HIPAA compliant? Only on Slack Enterprise Grid. Slack Free, Pro, and Business+ plans do not qualify. Salesforce, Slack's parent company, only signs a Business Associate Agreement for Enterprise Grid customers - and even then, Slack cannot be used for patient-facing communication.
Slack is a popular internal messaging tool, and some healthcare organizations use it for team coordination. But most practices do not realize that HIPAA compliance on Slack is limited to a single, expensive plan with significant restrictions.
Which Slack Plans Support HIPAA Compliance?
Only one plan qualifies:
- Slack Enterprise Grid - BAA available, custom pricing through Salesforce sales
The following plans do not qualify:
- Slack Free - no BAA, no HIPAA compliance possible
- Slack Pro - no BAA available
- Slack Business+ - no BAA available
This is a critical distinction. Unlike Zoom (BAA on Pro and above) or Microsoft Teams (BAA included in Business Basic and above), Slack restricts its BAA to the enterprise tier only. For most small and mid-sized healthcare practices, Enterprise Grid is not accessible - it requires a sales conversation with Salesforce and carries enterprise-level pricing.
What Slack's BAA Covers
When configured for HIPAA compliance on Enterprise Grid, teams can share PHI within:
- Direct messages
- Group messages
- Channel messages
- File uploads
However, Slack imposes a significant restriction that most other platforms do not: Slack cannot be used to communicate with patients, plan members, or their families. Patients cannot be added as users or guests to any Slack workspace or channel. This means Slack is strictly an internal staff communication tool - not a patient-facing platform.
How to Get a BAA from Slack
The BAA must be executed through Salesforce's sales process. There is no self-service option. Your organization must:
- Contact Salesforce sales and request Slack Enterprise Grid
- Execute the BAA as part of the enterprise agreement
- Enable HIPAA compliance mode in the Slack admin settings
- Configure required security settings before allowing PHI in messages
Once the BAA is in place and HIPAA mode is enabled, certain features may be restricted or require specific configuration to maintain compliance.
Required Security Configuration
Enterprise Grid includes security features that support HIPAA compliance when configured properly:
- Enterprise Key Management (EKM) - gives your organization control over encryption keys
- Data Loss Prevention (DLP) integrations to monitor for PHI in messages
- Single Sign-On (SSO) and multi-factor authentication
- Custom data retention policies for message and file retention
- Audit logs through the Slack Audit Logs API
- SCIM provisioning for automated user management
These controls map to the HIPAA Security Rule requirements for access controls, audit controls, and transmission security under 45 CFR §164.312.
Why Most Healthcare Practices Should Not Use Slack for PHI
For most small and mid-sized practices, Slack is not the right tool for HIPAA-covered communications. Here is why:
Cost barrier. Enterprise Grid pricing is designed for large organizations. Most practices with 5 to 50 staff members will find this cost prohibitive compared to alternatives.
No patient communication. Unlike Zoom or Teams, Slack explicitly prohibits patient-facing use. If your practice needs a communication tool that works for both staff coordination and patient interactions, Slack does not qualify.
Alternatives are more accessible. Zoom offers BAAs starting at the Pro level. Microsoft Teams includes BAA coverage on Business Basic plans. Both are far more accessible for small practices than Slack Enterprise Grid.
If your organization already uses Slack Enterprise Grid for other business reasons and wants to extend it to healthcare communications, the HIPAA path exists. But choosing Slack specifically for HIPAA compliance when cheaper, more capable alternatives exist does not make practical sense for most practices.
What to Use Instead
If your practice needs a HIPAA-compliant messaging and collaboration tool, consider:
- Microsoft Teams - BAA included automatically on Business Basic and above, covers chat, video, and file sharing
- Google Chat (via Google Workspace) - covered under Google's BAA for paid Workspace plans
- Zoom Team Chat - covered under Zoom's BAA for paid plans
For a broader look at HIPAA-compliant communication options, see our guide on HIPAA email compliance and HIPAA texting rules.
Can I use Slack Pro for internal messages that do not contain PHI?
Yes. If no PHI is discussed, the BAA requirement does not apply. However, enforcing a "no PHI in Slack" policy is difficult in practice. Staff may inadvertently share patient names, diagnoses, or appointment details in messages. If your team uses Slack Pro, you need a clear written policy and staff training defining what can and cannot be discussed.
Does Slack encrypt messages?
Slack encrypts data in transit and at rest on all plans. Enterprise Grid adds Enterprise Key Management (EKM), which gives your organization control over the encryption keys. Standard encryption on lower plans meets basic security standards but is not sufficient for HIPAA compliance without a BAA.
Is Slack Connect HIPAA compliant?
Slack Connect allows messaging between different organizations. Using it for PHI requires both organizations to have Enterprise Grid with BAAs in place and both configured for HIPAA compliance. In practice, this adds significant complexity and risk. Most healthcare organizations should avoid sharing PHI through Slack Connect.
What happens if we discuss PHI on Slack without a BAA?
Discussing PHI on any Slack plan without a BAA is a potential HIPAA violation. The PHI has been disclosed to a vendor (Salesforce/Slack) without the contractual protections HIPAA requires. If a breach occurs, your practice has no contractual recourse and may face OCR enforcement.