Is Slack HIPAA Compliant? What Healthcare Practices Need to Know
Slack can support HIPAA compliance, but not out of the box. A Business Associate Agreement (BAA) has to be in place first; until it is, putting Protected Health Information (PHI) into Slack is itself a violation.
Slack can support HIPAA-compliant collaboration, but only on Slack Enterprise Grid with a signed Business Associate Agreement. Once the BAA is executed and PHI is used on Enterprise Grid, Slack is deemed a Business Associate.
Plan / requirement: Slack Enterprise Grid (Enterprise plan). You must sign Slack's BAA and list the orgs or workspaces where PHI will be used.
Sources: Slack's help articles "Slack and HIPAA" and "Configure Enterprise Grid to be HIPAA-compliant". Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Slack, that mechanism works like this:
Review and commit to Slack's Requirements for HIPAA Entities guide, sign Slack's BAA, and provide Slack the list of orgs or workspaces that will handle PHI.
The conditions that decide whether you are actually covered:
- Slack may not be used to communicate with patients, plan members, or their families or employers.
- Patients and members may not be added as users or guests in PHI workspaces.
- Electronic PHI (ePHI) may be placed in both messages and files, but only in the Enterprise Grid orgs or workspaces that have been configured for it and listed under the BAA.
Where the vendor stops and you begin
The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
| Party | Responsibility |
|---|---|
| Slack | Acts as Business Associate on Enterprise Grid once the BAA is signed. |
| Your practice | Confines PHI to the listed workspaces and keeps patients out of those spaces. |
| Your practice | Configures retention, access, and DLP policies inside the Grid. |
Compliance review
Not sure your Slack setup holds up to an audit?
Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.
Configuring Slack the right way
A defensible Slack deployment in a healthcare practice comes down to a short, ordered checklist:
- Upgrade to Slack Enterprise Grid and sign the BAA.
- Provide Slack the list of orgs or workspaces that will use PHI.
- Lock those workspaces down so external accounts and patients cannot be invited, and guest accounts cannot be created, in any PHI workspace.
- Set message and file retention policies appropriate to your records rules.
- Train staff that Slack is for internal coordination, never patient communication.
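The membership rule in the checklist above (no patients, no guests, no external accounts in a PHI workspace) is easy to state and easy to drift from, so it is worth checking on a schedule rather than trusting the invite settings alone. The following Python script is an added example, not code from Slack or from this page. It runs the check over a member list in the shape returned by Slack's Web API `users.list` method, which marks multi-channel guests with `is_restricted` and single-channel guests with `is_ultra_restricted`. The JSON below is constructed to mimic that shape for illustration; a real run would fetch it with an admin token. The `INTERNAL_DOMAINS` set is a hypothetical placeholder for your practice's own email domains.

```python
"""Audit a Slack workspace member list for accounts that do not belong in a PHI workspace.

Added example. Input shape follows Slack's users.list response; the sample below is
constructed, not a real export, and the internal domain list is a hypothetical placeholder.
"""
import json

# Hypothetical: the email domain(s) your practice issues to staff.
INTERNAL_DOMAINS = {"example-clinic.test"}

# Constructed sample in the shape of a users.list response (only the fields the check uses).
SAMPLE_USERS_LIST = json.dumps({
    "ok": True,
    "members": [
        {"id": "USLACKBOT", "name": "slackbot", "deleted": False, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False, "profile": {"email": ""}},
        {"id": "U0001", "name": "dr.ortiz", "deleted": False, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "ortiz@example-clinic.test"}},
        {"id": "U0002", "name": "j.patient", "deleted": False, "is_bot": False,
         "is_restricted": True, "is_ultra_restricted": False,
         "profile": {"email": "jpatient@mail.example"}},
        {"id": "U0003", "name": "billing-vendor", "deleted": False, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "ops@vendor.example"}},
        {"id": "U0004", "name": "former.staff", "deleted": True, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "former@example-clinic.test"}},
        {"id": "B0001", "name": "scheduler-bot", "deleted": False, "is_bot": True,
         "is_restricted": False, "is_ultra_restricted": False, "profile": {}},
    ],
})


def audit_members(users_list_json, internal_domains):
    """Return (user_id, name, reason) for every active human account that violates the rule.

    Deactivated users, bot users and Slackbot are skipped: they cannot read PHI in the
    workspace and would only add noise. Guest flags are checked before the domain check
    because a guest is a finding regardless of which domain the guest was invited from.
    """
    data = json.loads(users_list_json)
    if not data.get("ok", False):
        raise ValueError("users.list response did not report ok=true")

    findings = []
    for member in data.get("members", []):
        if member.get("deleted") or member.get("is_bot") or member.get("id") == "USLACKBOT":
            continue

        email = (member.get("profile") or {}).get("email", "") or ""
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""

        if member.get("is_ultra_restricted"):
            reason = "single-channel guest account"
        elif member.get("is_restricted"):
            reason = "multi-channel guest account"
        elif domain not in internal_domains:
            reason = f"external email domain {domain or '(no email on profile)'}"
        else:
            continue  # full member on an internal domain: allowed

        findings.append((member["id"], member["name"], reason))
    return findings


if __name__ == "__main__":
    for user_id, name, reason in audit_members(SAMPLE_USERS_LIST, INTERNAL_DOMAINS):
        print(f"{user_id}\t{name}\t{reason}")
```

On the constructed sample the script flags `U0002` as a guest and `U0003` as an external-domain full member; the deactivated user, the bot and Slackbot are ignored. Run it against each workspace listed under your BAA, keep the output with your compliance records, and treat any non-empty result as a ticket, since the page's own rule is that a single patient or guest account in a PHI workspace voids the arrangement.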
Mistakes that quietly void compliance
- Using a Pro or Business+ plan for PHI. Only Enterprise Grid qualifies.
- Messaging patients or adding them as guests in a PHI workspace.
- Pasting PHI into a workspace not listed under the BAA.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like Slack for healthcare practices, then documents the controls so they survive an audit. Slack gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Free resource
Slack HIPAA setup checklist
The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.
Frequently asked questions
Is Slack HIPAA compliant?
Slack can support HIPAA-compliant collaboration, but only on Slack Enterprise Grid with a signed Business Associate Agreement. Once the BAA is executed and PHI is used on Enterprise Grid, Slack is deemed a Business Associate.
How do I get a BAA with Slack?
Review and commit to Slack's Requirements for HIPAA Entities guide, sign Slack's BAA, and provide Slack the list of orgs or workspaces that will handle PHI.
What plan do I need for Slack to be HIPAA compliant?
Slack Enterprise Grid (Enterprise plan). You must sign Slack's BAA and list the orgs or workspaces where PHI will be used.
Does a BAA alone make Slack compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.