HIPAA Apps and Slack App Directory
When it comes to using Slack in a HIPAA-compliant manner, Slack App Directory apps can potentially access PHI depending on their permissions. For this reason, it is imperative that you have policies in place to comply with HIPAA when using Slack apps and the Slack App Directory.

Although Slack is generally thought of as a communication tool, it has evolved into a comprehensive workflow platform for highly efficient businesses. Much of Slack's power comes from using it to connect various SaaS apps and services together. There is significant value in pulling notifications and actions from SaaS apps into Slack, centralizing communications and common workflows to increase efficiency.

The way it works in Slack is that apps, sometimes called bots, are connected and installed in Slack. The most common way to connect these third-party apps is through the Slack App Directory. Two of the most common third-party Slack apps are Google Drive and Zoom. The Google Drive app, once installed, sends notifications about Drive files and also allows Slack users to change file permissions in Google Workspace. The Zoom app allows users to start and join Zoom meetings from Slack. These are two popular examples, but there are thousands of integrations that companies leverage daily.

Slack apps rely on permissions (OAuth scopes) to perform actions in your Slack workspace. These permissions can include the ability to read user information, channel membership, and sometimes the messages within channels. An app that can read the messages in a channel can read any PHI posted there.

HIPAA 3rd Party Risk

HIPAA has many specific requirements, but the overriding one is to prevent unauthorized access to protected health information (PHI). If Slack is used to exchange PHI, third-party Slack apps can potentially access that PHI. According to HHS: "The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately protect protected health information that it receives or creates on behalf of the covered entity." This means that if you want to give a third-party Slack app access to PHI, which is what happens when the app has access to messages in a channel containing PHI, you must put a business associate agreement (BAA) in place with the app's maker before granting it that permission.

Slack App Directory apps

If you want to use Slack to exchange PHI, there are a few things you need to do with your Slack account, and Slack publishes these requirements. Slack's last requirement, that a business associate agreement be in place with an application provider before the application is allowed access, restates the point above about third-party Slack apps. Slack is clearly not responsible, under HIPAA, for the data you share with third-party Slack apps. It is your responsibility to ensure that you have the appropriate protections and safeguards, codified in business associate agreements, with any third-party Slack application that could potentially access PHI. Such apps should be considered business associates under HIPAA. HIPAA requires business associates to provide safeguards to protect PHI, and those safeguards are defined in the business associate agreements.

This is easier said than done if you do not have clear policies and training in place on how employees should use Slack to comply with HIPAA. At a minimum, you should audit all of your third-party Slack apps. This audit should include a review of each app's permissions. The easiest way to do this is to go to an app in Slack, click the "About" tab, then click "Setup". This takes you to a web page that lists all the permissions the app has in your Slack workspace. Under permissions there is a list of the channels the app has access to, and at the bottom you can remove the app from Slack, or from specific channels, as needed. If you would like to learn more about security and HIPAA compliance for a particular app maker, click on the "Security and Compliance" tab at the top of the app's listing. You must contact the app maker to put a business associate agreement in place for any application that has access to PHI.

Unfortunately, this is not a one-time process. Regardless of the rules in place for who can install third-party Slack apps in your workspace, you should regularly audit all of your third-party Slack apps, ideally quarterly.

Using Slack in a HIPAA-compliant manner is not difficult, but it requires due diligence on all installed third-party Slack apps and the data they can access. If you want to train employees on how to use Slack to comply with HIPAA, check out Haekka's HIPAA training for Slack, delivered 100% in Slack.
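The quarterly audit above is a manual walk through each app's permissions page. As an added example (not code from the Haekka post or from Slack), the script below does the same triage over an app inventory: it groups real Slack OAuth scope names into "can read message or file content" versus "metadata only", intersects each app's channels with the channels you have designated for PHI, and reports which apps need a BAA or need to be pulled out of PHI channels. The inventory, app names, channel names and the risk grouping are constructed for the example; a real run would populate the same dataclass from the app management pages or the admin app listing API.

```python
"""Triage installed Slack apps for possible PHI exposure.

Added example, not from the original post. The inventory below is constructed;
scope names are real Slack OAuth scopes, but the CONTENT/METADATA grouping is
this example's own heuristic and should be reviewed against Slack's scope docs.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Scopes that let an app read message or file content, i.e. where PHI lives.
CONTENT_SCOPES = {
    "channels:history", "groups:history", "im:history", "mpim:history",
    "files:read", "search:read",
}
# Scopes that expose workspace metadata only (membership, profiles), not message text.
METADATA_SCOPES = {"channels:read", "groups:read", "users:read", "users:read.email"}


@dataclass
class InstalledApp:
    name: str
    scopes: set[str]
    channels: set[str]          # channels the app has been added to
    baa_on_file: bool = False   # business associate agreement executed with the maker?


@dataclass
class Finding:
    app: str
    risk: str                   # "phi-access", "latent", "metadata" or "none"
    reasons: list[str] = field(default_factory=list)
    action: str = ""            # starts with "block", "covered", "watch" or "ok"


def assess(app: InstalledApp, phi_channels: set[str]) -> Finding:
    """Classify one app by what its scopes can read and where it is installed."""
    content = sorted(app.scopes & CONTENT_SCOPES)
    meta = sorted(app.scopes & METADATA_SCOPES)
    exposed = sorted(app.channels & phi_channels)

    if content and exposed:
        reasons = [f"content scopes {content}", f"present in PHI channels {exposed}"]
        if app.baa_on_file:
            return Finding(app.name, "phi-access", reasons,
                           "covered: BAA on file, keep in the quarterly review")
        return Finding(app.name, "phi-access", reasons,
                       "block: remove from PHI channels or execute a BAA first")
    if content:
        return Finding(app.name, "latent",
                       [f"content scopes {content}", "not in any PHI channel"],
                       "watch: do not add to PHI channels without a BAA")
    if meta:
        return Finding(app.name, "metadata", [f"metadata scopes {meta}"],
                       "ok: no message or file access")
    return Finding(app.name, "none", [], "ok: no PHI-relevant scopes")


def audit(apps: list[InstalledApp], phi_channels: set[str]) -> list[Finding]:
    return [assess(app, phi_channels) for app in apps]


def needs_action(findings: list[Finding]) -> list[str]:
    """Names of apps that must be removed from PHI channels or get a BAA."""
    return [f.app for f in findings if f.action.startswith("block")]


# Constructed inventory: names, scope sets and channels are made up for the example.
PHI_CHANNELS = {"#care-team", "#intake"}
SAMPLE_APPS = [
    InstalledApp("Drive notifier (constructed)",
                 {"channels:read", "channels:history", "chat:write"}, {"#care-team"}),
    InstalledApp("Meeting launcher (constructed)",
                 {"users:read", "chat:write", "commands"}, {"#general", "#care-team"}),
    InstalledApp("Ticket sync (constructed)",
                 {"channels:history", "files:read"}, {"#general"}, baa_on_file=True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_APPS, PHI_CHANNELS):
        print(f"{finding.app}: {finding.risk} -> {finding.action}")
        for reason in finding.reasons:
            print(f"    {reason}")
    print("needs action:", needs_action(audit(SAMPLE_APPS, PHI_CHANNELS)))
```

On the constructed inventory the Drive-style app is the only one flagged for action: it can read channel history and sits in a PHI channel without a BAA. The meeting app is in the same channel but has no content scopes, and the ticket app has content scopes plus a BAA but is not in any PHI channel, so it is only watched. Note the limitation the heuristic shares with the manual audit: scopes say what an app may read, not what its vendor does with it, so a "covered" result still depends on the BAA actually being in place.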
*** This is a syndicated blog from the Security Bloggers Network of Haekka Blog written by Haekka Blog. Read the original post at: https://www.haekka.com/blog/hipaa-and-slack-app-directory-apps