Is Slack HIPAA Compliant?

15 min read | Updated March 1, 2026

Bottom Line Up Front

At A Glance Slack offers HIPAA compliance only on the Enterprise Grid plan with a signed Business Associate Agreement. Free, Pro, and Business+ plans do not include a BAA. Storing or transmitting Protected Health Information on non-Enterprise Grid tiers violates HIPAA 164.308(b)(1). Enterprise Grid pricing typically requires $50,000+ annual minimum commitment.

When Slack launched in 2013, the platform positioned itself as a consumer-friendly messaging tool for startups. No encryption at rest. No compliance certifications. No enterprise controls. Healthcare organizations adopted it anyway because clinicians preferred its interface over the clunky portals IT departments mandated. By 2018, HHS enforcement actions began citing Slack as an unauthorized communication channel in healthcare breach investigations.

Salesforce acquired Slack in 2021 and rebuilt the compliance architecture. Enterprise Key Management, HIPAA-eligible configurations, and a formal BAA process followed. The problem persisted at the pricing tier: Slack offers HIPAA compliance only on Enterprise Grid, a plan requiring a $50,000+ annual minimum commitment. Free, Pro, and Business+ plans do not include BAA eligibility [HIPAA 164.308(b)(1)]. Every patient name, diagnosis, or insurance detail shared on a non-Enterprise Grid workspace constitutes an unauthorized PHI disclosure.

The pricing creates a structural compliance problem for healthcare organizations under 500 employees. Enterprise Grid is the only path. The cost exceeds most small-practice IT budgets. The alternative is prohibiting Slack entirely and enforcing a compliant messaging platform.

The Enterprise Grid Paywall

Slack sells four pricing tiers ranging from $0 to $50,000+ annually, and only one tier includes BAA eligibility. Salesforce (Slack’s parent company) does not sign Business Associate Agreements for Free, Pro, or Business+ plans [HIPAA 164.308(b)(1)].

Enterprise Grid is not a simple pricing upgrade. The tier requires a custom sales contract with minimum seat counts or annual spend commitments. In 2026, the minimum annual contract typically exceeds $50,000.

Organizations operating Slack on Free, Pro, or Business+ plans and exchanging PHI violate HIPAA the moment patient-identifying information touches the platform. Delete the message five seconds later and the violation remains. Slack’s servers processed the data under a service agreement without BAA coverage.

Plan Tier | Monthly Cost Per User | BAA Available
Free | $0 | No
Pro | $7.25 | No
Business+ | $12.50 | No
Enterprise Grid | Custom ($50,000+ annual minimum) | Yes

Why the BAA Matters Under HIPAA

HIPAA 164.308(b)(1) requires covered entities to obtain satisfactory assurances via a Business Associate Agreement before disclosing PHI to third parties. Slack processes and stores messages on Salesforce-operated servers. Without a signed BAA, Slack operates as an unsecured third party. Every message containing patient names, diagnoses, treatment plans, appointment details, or insurance information creates a separate violation instance.

HHS does not accept “we deleted it quickly” as a defense. OCR enforcement actions cite message timestamps and server logs. If the data touched a non-compliant platform, the violation occurred [HHS OCR Resolution Agreements 2024].

Log into Slack as a Workspace Owner. Navigate to Settings & Administration > Workspace Settings > Billing. Confirm your current plan tier. If the plan shows Free, Pro, or Business+, do not transmit PHI on Slack. Contact Slack Sales to request Enterprise Grid pricing and BAA execution. Expect a 30-60 day sales cycle and contract negotiation process.

How Does Slack Connect Create Third-Party BAA Exposure?

Slack Connect allows organizations to create shared channels with external vendors, contractors, and partner organizations, but 41% of healthcare organizations using collaboration platforms had unauthorized third-party connections accessing clinical data [KLAS Research 2025]. The feature delivers collaboration efficiency and is also the single most common PHI leak vector compliance auditors encounter.

Each organization in a Slack Connect channel operates under its own Slack plan tier and its own BAA (or absence of BAA). If your organization runs Enterprise Grid with a signed BAA, and you invite a marketing agency running Slack Business+ to a shared channel, every message in the channel flows to a non-BAA-covered endpoint.

Real Audit Scenario

A behavioral health clinic shared a #marketing-strategy channel with an external digital marketing consultant. The clinic’s care coordinator posted patient testimonial screenshots (names redacted, diagnosis codes visible) to brief the consultant on messaging themes. The consultant’s organization operated Slack Business+ with no BAA.

The OCR investigator flagged 17 separate message instances containing PHI transmitted to an unsecured third party. The corrective action plan required full message export forensics, vendor notification, and documentation of every external channel with potential PHI exposure. The clinic terminated Slack Connect entirely.

How to Audit Slack Connect Channels

External connections operate silently. Staff create Slack Connect invitations without IT or compliance review. Most organizations discover third-party channel exposure during an audit, not during internal review.

Slack provides an admin-level view of every external organization connected to your workspace. Navigate to Settings & Administration > Organization Settings > External Connections. The list shows every external organization, the channels shared, and the number of users with access.

Run a BAA verification for every external organization. If the external organization does not have a signed BAA with your entity, and the channel contains any discussion of patients (even de-identified cases), disconnect the channel immediately. HIPAA does not require full identifiers to trigger protection. Limited datasets and de-identified data under certain use cases still require BAA coverage when shared with third parties [HIPAA 164.514(e)].

Access Slack as a Workspace Owner or Org Owner. Navigate to Settings & Administration > Organization Settings > External Connections. Export the full list of external organizations and shared channels. Cross-reference each external vendor against your executed BAA inventory. Disconnect any external channel where the external party lacks a signed BAA and the channel history includes patient references, case discussions, or clinical workflow coordination. Document the disconnection date and user notification.

Enterprise Key Management and Encryption Control

Slack Enterprise Grid includes Enterprise Key Management (EKM), encrypting messages at rest using AES-256 encryption with customer-controlled keys [HIPAA 164.312(a)(2)(iv)]. Standard Slack encryption uses Salesforce-managed keys. EKM shifts key control to the customer organization, typically through AWS Key Management Service or another external KMS provider.

HIPAA 164.312(a)(2)(iv) addresses encryption as an addressable specification. Organizations must implement encryption or document why encryption is not reasonable and appropriate. Most covered entities implement encryption to satisfy this requirement. For a full breakdown of what the Security Rule mandates, see the HIPAA encryption requirements guide.

EKM provides additional control but introduces operational complexity. If your organization revokes or loses access to the encryption key, Slack messages become unreadable. This creates eDiscovery risk and business continuity risk.

When EKM Makes Sense

EKM fits organizations with existing enterprise key management infrastructure and compliance requirements beyond HIPAA (SOC 2 Type II, ISO 27001, FedRAMP). EKM does not replace the BAA requirement. EKM supplements baseline HIPAA compliance by giving the organization direct control over encryption key lifecycle.

For most covered entities operating Slack for internal care coordination, standard Slack encryption with a signed BAA meets HIPAA requirements. EKM adds cost and operational overhead without changing the fundamental compliance posture.

Slack AI and PHI Training Risk

Slack released AI-powered features in 2024: message summarization, channel search enhancements, and workflow suggestions. These features process message content through machine learning models. The critical compliance question: does Slack use your organization’s PHI to train AI models?

Salesforce states that Enterprise Grid customers with a BAA operate under contractual restrictions preventing use of customer data for model training. Verify this directly in your BAA. Some earlier BAA versions did not explicitly address AI training. If your BAA pre-dates Slack’s AI feature launch, request an updated BAA explicitly prohibiting use of PHI for AI training purposes.

HIPAA does not specifically address AI training, but OCR guidance on business associate arrangements requires covered entities to obtain satisfactory assurances that the business associate will appropriately safeguard PHI [HIPAA 164.308(b)(1)]. Using PHI to train commercial AI models without explicit authorization violates the minimum necessary standard [HIPAA 164.502(b)].

Request a copy of your executed Slack BAA from your legal or procurement team. Review Section 3 (Permitted Uses and Disclosures) and Section 4 (Safeguards). Confirm the BAA explicitly prohibits use of your organization’s data for AI model training or machine learning purposes. If the BAA does not include AI training restrictions, contact Slack’s Enterprise Support to request an updated BAA. Document the request date and BAA version executed.

How Does Slack Workflow Builder Expose PHI?

Slack Workflow Builder allows users to create automated workflows triggered by channel messages, reactions, or scheduled events, and with $16.7 million in OCR penalties assessed in 2023 [HHS OCR Enforcement Results 2023], automated PHI routing creates significant enforcement risk. Common use cases include patient intake notifications, appointment reminders posted to staff channels, and case assignment routing.

Workflow Builder creates two compliance risks. First, workflows post PHI to channels visible to users who may not require access under the minimum necessary standard [HIPAA 164.502(b)]. Second, workflows often connect to third-party SaaS applications (Google Sheets, Airtable, Zapier) without BAA coverage.

Workflow Audit Process

Slack Workspace Owners see all workflows created across the organization. Navigate to Tools > Workflow Builder > Manage Workflows. The admin view shows every active workflow, the creator, the trigger condition, and the actions executed.

Audit each workflow for two factors: channel visibility and third-party integrations. If the workflow posts PHI to a public channel or a channel with non-clinical staff access, the workflow violates minimum necessary. If the workflow sends data to external applications without BAA coverage, the workflow violates HIPAA 164.308(b)(1).

Disable workflows immediately if they fail either test. Notify workflow creators and provide compliant alternatives (direct messages to specific roles, integrations only with BAA-covered applications).

Access Slack as a Workspace Owner. Navigate to Tools > Workflow Builder > Manage Workflows. Export the list of all active workflows. For each workflow, document the trigger, the channel where results post, the users with channel access, and any third-party applications receiving data. Cross-reference third-party applications against your BAA inventory. Disable any workflow posting PHI to channels with non-essential personnel or sending data to non-BAA-covered applications. Archive the workflow review with date, reviewer name, and actions taken.
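The two cross-reference checks described above, the Slack Connect external-connection review and the Workflow Builder review, come down to the same question: is the counterparty in your executed-BAA inventory, and does the data in scope include patient references? The following Python script is an added example (not Slack's tooling and not the article's own code) that applies both checks to exported records. The record shapes, vendor names, staff handles, and the keyword heuristic for patient-related messages are constructed assumptions standing in for the admin exports; the real exports need a small mapping step into these shapes.

```python
"""Cross-reference Slack Connect external organizations and Workflow Builder
workflows against an executed-BAA inventory.

Added example: not Slack's tooling or the article's code. Record shapes,
vendor names, staff handles and the keyword heuristic are constructed
stand-ins for the admin exports described in the article."""
import re

# Constructed inventory of vendors/apps with an executed BAA (lower-cased names).
BAA_INVENTORY = {"acme health billing", "cloudehr"}

# Constructed heuristic for "patient references, case discussions, or clinical
# workflow coordination" in channel history; tune the terms to your practice.
PHI_HINT = re.compile(r"\b(patient|dx|diagnosis|icd-?10|mrn|intake|case review)\b", re.I)


def has_baa(name):
    """True when the organization or application appears in the BAA inventory."""
    return name.strip().lower() in BAA_INVENTORY


def review_external_connections(connections, channel_history):
    """Slack Connect check: an external org with no BAA plus patient-related
    channel history means disconnect. Returns (channel, org, reason) tuples."""
    findings = []
    for conn in connections:
        if has_baa(conn["org"]):
            continue
        hits = [m for m in channel_history.get(conn["channel"], []) if PHI_HINT.search(m)]
        if hits:
            findings.append((conn["channel"], conn["org"],
                             f"{len(hits)} patient-related message(s), no BAA"))
    return findings


def review_workflows(workflows, clinical_staff):
    """Workflow Builder check on PHI-handling workflows: flag destination channels
    with members outside the clinical group (minimum necessary) and third-party
    apps without BAA coverage. Returns (workflow, issue, detail) tuples."""
    findings = []
    for wf in workflows:
        if not wf["handles_phi"]:
            continue
        non_clinical = sorted(wf["channel_members"] - clinical_staff)
        if non_clinical:
            findings.append((wf["name"], "minimum necessary", non_clinical))
        no_baa = [app for app in wf["apps"] if not has_baa(app)]
        if no_baa:
            findings.append((wf["name"], "no BAA", no_baa))
    return findings


# --- constructed sample data (shapes are assumptions, not Slack's export format) ---
SAMPLE_CONNECTIONS = [
    {"org": "Acme Health Billing", "channel": "#billing-escalations", "users": 4},
    {"org": "BrightSpark Marketing", "channel": "#marketing-strategy", "users": 2},
    {"org": "Office Snacks Co", "channel": "#office-vendors", "users": 1},
]
SAMPLE_CHANNEL_HISTORY = {
    "#billing-escalations": ["MRN 000123 claim denied again, please resubmit"],
    "#marketing-strategy": ["Testimonial draft attached: patient name redacted, dx code still visible",
                            "Campaign timeline for Q2"],
    "#office-vendors": ["Please restock the break room on Friday"],
}
CLINICAL_STAFF = {"dr.lee", "nurse.patel", "coordinator.ruiz"}
SAMPLE_WORKFLOWS = [
    {"name": "Patient intake alert", "posts_to": "#intake", "handles_phi": True,
     "channel_members": {"dr.lee", "nurse.patel", "front.desk"}, "apps": ["CloudEHR"]},
    {"name": "Appointment reminders", "posts_to": "#scheduling", "handles_phi": True,
     "channel_members": {"coordinator.ruiz"}, "apps": ["Google Sheets"]},
    {"name": "Lunch poll", "posts_to": "#social", "handles_phi": False,
     "channel_members": {"everyone"}, "apps": ["Zapier"]},
]


def run_sample_audit():
    """Run both checks on the constructed data; returns (connect_findings, workflow_findings)."""
    return (review_external_connections(SAMPLE_CONNECTIONS, SAMPLE_CHANNEL_HISTORY),
            review_workflows(SAMPLE_WORKFLOWS, CLINICAL_STAFF))


if __name__ == "__main__":
    connect, workflows = run_sample_audit()
    for channel, org, reason in connect:
        print(f"DISCONNECT {channel} <-> {org}: {reason}")
    for name, issue, detail in workflows:
        print(f"DISABLE {name}: {issue} ({detail})")
```

On the constructed data the script flags one Slack Connect channel (the marketing agency with no BAA and a diagnosis code in the history) and two workflows (one posting intake PHI to a channel with a front-desk member, one sending reminders to a spreadsheet app with no BAA). The keyword heuristic only narrows the review; a human still reads the flagged history before documenting the disconnection.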

Audit Logs and Access Tracking

HIPAA 164.312(b) requires covered entities to record and examine activity in systems containing ePHI, with a six-year minimum documentation retention requirement [HIPAA 164.316(b)(2)(i)]. Slack Enterprise Grid provides audit log API access and admin-level activity logging to satisfy these controls.

Standard audit log events include user login, channel creation, file upload, external sharing, and app installation. These logs satisfy HIPAA audit control requirements when retained, monitored, and reviewed regularly.

Audit Log Retention Requirements

HIPAA does not specify audit log retention duration. Most covered entities apply a six-year retention policy aligned with general HIPAA documentation requirements [HIPAA 164.316(b)(2)(i)]. Slack retains audit logs for Enterprise Grid customers, but organizations must export and archive logs to meet long-term retention obligations.

Use Slack’s Audit Log API to export logs monthly or quarterly. Store exported logs in a secure, access-controlled environment (AWS S3 with encryption, Azure Blob Storage with access policies, or dedicated SIEM platforms).
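The monthly export above is a cursor-paged pull from the Audit Logs API followed by archival into write-once storage. The script below is an added example (not Slack's code and not the article's) that walks every page in a date window, de-duplicates overlapping pages by entry id, and appends entries as JSON lines ready for upload to S3 or a SIEM. It assumes an Enterprise Grid org-level token with the auditlogs:read scope in the SLACK_AUDIT_TOKEN environment variable and follows the documented request shape (GET https://api.slack.com/audit/v1/logs with oldest, latest, limit and cursor); the sample pages used for the offline run are constructed.

```python
"""Export Slack Audit Logs for a date window, paging with the API cursor,
and archive entries as one JSON object per line.

Added example: not Slack's code. Assumes SLACK_AUDIT_TOKEN holds an
Enterprise Grid org-level token with the auditlogs:read scope. The pages
in SAMPLE_PAGES are constructed so the demo runs without network access."""
import json
import os
import tempfile
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

AUDIT_URL = "https://api.slack.com/audit/v1/logs"  # Slack Audit Logs API endpoint


def fetch_page(params):
    """Live HTTP fetch of one page; replaced by a stub in offline runs."""
    token = os.environ["SLACK_AUDIT_TOKEN"]
    req = urllib.request.Request(
        AUDIT_URL + "?" + urllib.parse.urlencode(params),
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def export_window(oldest, latest, out_path, fetch=fetch_page, limit=1000):
    """Walk all pages between oldest and latest (aware datetimes), append each
    entry to out_path as JSONL, and return the number of entries written.
    Follows response_metadata.next_cursor until it comes back empty."""
    params = {"oldest": int(oldest.timestamp()), "latest": int(latest.timestamp()), "limit": limit}
    seen, count = set(), 0
    with open(out_path, "a", encoding="utf-8") as fh:
        while True:
            page = fetch(params)
            for entry in page.get("entries", []):
                if entry["id"] in seen:  # pages can overlap at the boundary; keep one copy
                    continue
                seen.add(entry["id"])
                fh.write(json.dumps(entry, sort_keys=True) + "\n")
                count += 1
            cursor = page.get("response_metadata", {}).get("next_cursor", "")
            if not cursor:
                break
            params = dict(params, cursor=cursor)
    return count


def summarize(path):
    """Count archived entries per action type; a quick sanity check before upload."""
    counts = Counter()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            counts[json.loads(line)["action"]] += 1
    return dict(counts)


# --- constructed sample pages (ids, times and actors are made up) ---
SAMPLE_PAGES = [
    {"entries": [
        {"id": "e1", "date_create": 1769904000, "action": "user_login",
         "actor": {"user": {"email": "dr.lee@example.org"}}},
        {"id": "e2", "date_create": 1769904100, "action": "public_channel_created",
         "actor": {"user": {"email": "coordinator.ruiz@example.org"}}}],
     "response_metadata": {"next_cursor": "c2"}},
    {"entries": [
        {"id": "e2", "date_create": 1769904100, "action": "public_channel_created",
         "actor": {"user": {"email": "coordinator.ruiz@example.org"}}},  # overlap
        {"id": "e3", "date_create": 1769904200, "action": "file_uploaded",
         "actor": {"user": {"email": "nurse.patel@example.org"}}}],
     "response_metadata": {"next_cursor": ""}},
]


def _constructed_fetch(pages):
    """Build a fetch() stub that serves the constructed pages in order."""
    it = iter(pages)
    return lambda params: next(it)


def run_offline_demo():
    """Export one month from the constructed pages; returns (count, action summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "slack-audit-2026-02.jsonl")
        n = export_window(datetime(2026, 2, 1, tzinfo=timezone.utc),
                          datetime(2026, 3, 1, tzinfo=timezone.utc),
                          path, fetch=_constructed_fetch(SAMPLE_PAGES))
        return n, summarize(path)


if __name__ == "__main__":
    print(run_offline_demo())
```

Schedule this per month with a fixed window (first of the month to first of the next), keep the output file name tied to the window, and store it with object-lock or equivalent immutability so the six-year archive cannot be edited by the same admins whose activity it records.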

Access Review Evidence from Slack Logs

Auditors request evidence of quarterly or annual access reviews as part of HIPAA administrative safeguards [HIPAA 164.308(a)(3)(ii)(C)]. Slack audit logs provide a complete user access list, login history, and role assignments.

Export user data via Slack’s Admin API. The export includes user email, account creation date, account status (active, deactivated, suspended), role (member, admin, owner), and last activity timestamp. Compare this list against your HR roster. Flag accounts with no matching employee, accounts inactive for 90+ days, and accounts with admin/owner roles not documented in your access control policy.

Implement automated audit log export using Slack’s Audit Log API. Schedule monthly exports to a secure storage location with access restricted to IT and compliance personnel. Retain logs for six years. Conduct quarterly access reviews by pulling the full user list from Slack Admin settings, exporting to CSV, and comparing against your active employee roster. Document review date, reviewer, accounts flagged, and remediation actions. Provide this documentation to auditors as evidence of ongoing access monitoring.
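The quarterly access review in the steps above compares the Slack user export against the HR roster and applies three tests. The Python script below is an added example (not Slack's tooling and not the article's own code) that runs those tests over an exported CSV and produces the review record an auditor asks for. The CSV rows, roster, and privileged-role policy are constructed; the column names follow the fields the article lists (email, status, role, last activity) and are assumptions about how your export is laid out.

```python
"""Quarterly Slack access review: compare the user export against the HR roster
and flag orphaned accounts, stale accounts, and undocumented admin/owner roles.

Added example: not Slack's tooling or the article's code. The CSV, roster,
policy set and review date below are constructed sample data."""
import csv
import io
from datetime import date

STALE_DAYS = 90  # inactivity threshold from the article's review criteria

# Constructed: accounts the access control policy documents as admin/owner.
POLICY_PRIVILEGED = {"it.admin@example.org"}

# Constructed HR roster (active employees and contractors approved for Slack).
HR_ROSTER = {"dr.lee@example.org", "it.admin@example.org", "old.user@example.org"}

# Constructed Slack user export; column names are an assumption.
SLACK_EXPORT_CSV = """email,created,status,role,last_active
dr.lee@example.org,2022-05-01,active,member,2026-02-27
it.admin@example.org,2021-01-15,active,owner,2026-02-28
former.rn@example.org,2023-03-10,active,member,2025-10-02
contractor@vendor.com,2024-08-20,active,admin,2026-02-20
old.user@example.org,2020-02-02,deactivated,member,2024-01-01
"""

REVIEW_DATE = date(2026, 3, 1)


def review_access(export_csv, roster, privileged_ok, today):
    """Return (email, finding) tuples for every active account that fails a test.
    Deactivated accounts are skipped: they grant no access, but stay in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["status"] != "active":
            continue
        email = row["email"].strip().lower()
        if email not in roster:
            findings.append((email, "no matching employee"))
        idle = (today - date.fromisoformat(row["last_active"])).days
        if idle >= STALE_DAYS:
            findings.append((email, f"inactive {idle} days"))
        if row["role"] in ("admin", "owner") and email not in privileged_ok:
            findings.append((email, f"undocumented {row['role']} role"))
    return findings


def review_record(reviewer, today, findings):
    """Shape the evidence an auditor expects: date, reviewer, accounts flagged."""
    return {
        "review_date": today.isoformat(),
        "reviewer": reviewer,
        "accounts_flagged": sorted({email for email, _ in findings}),
        "findings": findings,
        "remediation": "pending",  # fill in after deactivation / role removal
    }


def run_sample_review():
    """Run the review over the constructed export; returns the review record."""
    findings = review_access(SLACK_EXPORT_CSV, HR_ROSTER, POLICY_PRIVILEGED, REVIEW_DATE)
    return review_record("compliance.officer@example.org", REVIEW_DATE, findings)


if __name__ == "__main__":
    record = run_sample_review()
    for email, finding in record["findings"]:
        print(f"{email}: {finding}")
```

The constructed data surfaces the two cases that matter most in practice: a clinician who left and was never deprovisioned (not on the roster, idle 150 days) and a vendor account holding an admin role that no policy documents. Archive the returned record alongside the export it was computed from so the reviewer's conclusion can be reproduced.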

Message Retention and eDiscovery Requirements

Slack messages constitute business records subject to HIPAA’s six-year documentation retention requirement [HIPAA 164.316(b)(2)(i)], and when messages contain PHI, they fall under potential legal hold obligations. Default Slack retention settings vary by plan tier. Enterprise Grid allows custom retention policies by channel, user group, or workspace.

Covered entities must balance two competing requirements. HIPAA requires retention of documentation for six years from creation or last effective date [HIPAA 164.316(b)(2)(i)]. Legal hold and litigation requirements may require indefinite retention of specific message threads.

Retention Policy Configuration

Navigate to Settings & Administration > Organization Settings > Retention & Exports. Enterprise Grid allows workspace-wide default retention (1 year, 3 years, 5 years, indefinite) and custom retention rules for specific channels.

Set a default retention period of six years for all channels where PHI appears. For administrative channels without PHI, shorter retention (1-3 years) reduces storage cost and eDiscovery scope. Document retention policy decisions in your HIPAA Security Rule documentation.

eDiscovery API and Legal Hold

Slack provides a Discovery API for Enterprise Grid customers. The API allows legal and compliance teams to search messages, export conversations, and place specific channels or users under legal hold (preventing deletion during litigation or investigation).

When your organization receives a legal hold notice, records request, or OCR investigation, immediately place relevant Slack channels and users under legal hold via the Discovery API. This prevents automatic deletion per retention policies and prevents users from manually deleting messages.

Configure Slack retention policies before transmitting PHI. Set a six-year default retention period for all clinical or patient-related channels. Document the retention policy in your HIPAA Security Rule documentation. Train IT and legal staff on Discovery API access and legal hold procedures. Establish a process for receiving and implementing legal hold notices within 24 hours of receipt.

Slack achieves HIPAA compliance only on Enterprise Grid with a signed BAA. The pricing model (typically $50,000+ annual minimum) makes Slack cost-prohibitive for most small to mid-size covered entities. Organizations with fewer than 100 employees receive better value from Microsoft Teams (BAA included on Business Standard plans starting at $6 per user per month). The Enterprise Grid investment makes sense for large health systems with existing Salesforce infrastructure and budget allocation for premium collaboration tools. For everyone else, the math does not work.

Frequently Asked Questions

Is Slack Business+ HIPAA compliant?

Slack Business+ is not HIPAA compliant because Salesforce does not include a Business Associate Agreement for any plan below Enterprise Grid ($50,000+ annual minimum). HIPAA requires a signed BAA before transmitting Protected Health Information to third-party service providers [HIPAA 164.308(b)(1)]. Without a BAA, using Slack Business+ for PHI violates HIPAA.

Does Slack sign a BAA for healthcare organizations?

Slack (Salesforce) signs Business Associate Agreements exclusively for Enterprise Grid customers and does not sign them for Free, Pro, or Business+ plan tiers. Enterprise Grid requires a custom sales contract with minimum annual spend typically exceeding $50,000.

What happens if I use Slack without a BAA?

Every message containing Protected Health Information creates a separate HIPAA violation. HHS Office for Civil Rights investigates complaints and conducts compliance reviews. Enforcement actions result in corrective action plans, civil monetary penalties ranging from $100 to $50,000 per violation (with annual caps up to $1.5 million per violation category), and mandatory compliance monitoring [HIPAA 164.408, 164.410].

Does deleting a Slack message remove HIPAA liability?

Deleting a Slack message does not remove HIPAA liability because the violation occurs the moment PHI is transmitted to or processed by an unsecured third party: Slack processes the message on Salesforce servers the moment you hit send. Deleting the message afterward does not retroactively eliminate the violation, and Slack retains deleted messages in backup systems per its data retention policies.

Is Slack Connect HIPAA compliant?

Only if all participating organizations operate Slack Enterprise Grid with signed BAAs covering the data exchange. If your organization has a BAA with Slack but invites an external vendor operating Slack Business+ to a shared channel, the channel is not HIPAA compliant. Every external organization in a Slack Connect channel must have its own BAA with Slack and a BAA with your organization covering the data exchange [HIPAA 164.308(b)(1), 164.314(a)].

Does Slack encrypt messages?

Slack encrypts all messages in transit using TLS and at rest using AES-256 encryption [HIPAA 164.312(a)(2)(iv), 164.312(e)(2)(ii)]. Enterprise Grid customers can optionally implement Enterprise Key Management to control the encryption keys directly. Encryption alone does not satisfy HIPAA. Covered entities still require a signed BAA before transmitting PHI.

How do I audit who has access to Slack channels with PHI?

Navigate to the channel, click the channel name, and select Settings > View All Members. Export the member list. Compare members against your access control policy and minimum necessary analysis. Conduct this review quarterly. Remove users who no longer require PHI access for their job function [HIPAA 164.308(a)(4)(ii)(C), 164.502(b)].

Can I use Slack for patient communication?

Slack is an internal collaboration tool designed for team messaging and is not appropriate for patient-facing communication, as it lacks patient consent management and clinical communication audit trails. Do not invite patients to Slack channels or workspaces. Use HIPAA-compliant patient portals or secure messaging platforms designed for patient-provider communication (examples: Klara, Spruce Health, SimplePractice client portal). These platforms provide audit trails, consent management, and access controls specifically designed for patient communication requirements. For internal team collaboration with lower BAA thresholds, evaluate Microsoft Teams or Notion.


Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.