Is Slack HIPAA Compliant? Healthcare Guide (2026)

Slack Enterprise Grid supports HIPAA compliance with a signed BAA. Pro, Business+, and free plans do not qualify. Here is what healthcare teams need to know.

Patient Protect Editorial Team·April 15, 2026·9 min read

Is Slack HIPAA Compliant? Requirements for Healthcare (2026)

Slack can be HIPAA compliant — but only on one plan: Slack Enterprise Grid. Slack Free, Slack Pro, and Slack Business+ do not qualify for HIPAA compliance under any configuration. Salesforce, Slack's parent company, will not sign a Business Associate Agreement (BAA) for any plan below Enterprise Grid. Without a BAA, transmitting protected health information (PHI) through Slack is a HIPAA violation regardless of how you configure the workspace.

This makes Slack one of the most restrictive major collaboration tools when it comes to healthcare compliance. Enterprise Grid is designed for large organizations with hundreds or thousands of users. For most independent practices — dental offices, therapy practices, small medical groups — it is not a realistic option. But understanding what is required, and why most Slack plans fail, helps you make the right decision about how your team communicates.

What Slack Enterprise Grid Provides

When you are on Enterprise Grid with a signed BAA, Slack provides a set of security and administrative controls that support HIPAA compliance for internal team messaging:

Business Associate Agreement. Salesforce will sign a BAA covering Slack Enterprise Grid. The BAA defines Slack's obligations as a business associate for handling PHI transmitted through channels, direct messages, and file sharing within the platform. This is available exclusively on Enterprise Grid — no other Slack plan qualifies.

Enterprise Key Management (EKM). EKM gives your organization control over the encryption keys used to protect messages and files in Slack. You manage the keys through AWS KMS, meaning you can revoke access to your data at any time without depending on Slack to do it. This is a critical capability for meeting the HIPAA Security Rule's encryption requirements.

AES-256 encryption at rest and TLS 1.2+ in transit. All messages, files, and search indexes stored by Slack are encrypted at rest using AES-256. Data in transit between your devices and Slack's servers is protected by TLS 1.2 or higher. These are baseline encryption standards that satisfy HIPAA's technical safeguard requirements.

Data Loss Prevention (DLP) integrations. Enterprise Grid supports integration with third-party DLP tools that can scan messages and files for PHI patterns — Social Security numbers, medical record numbers, diagnosis codes — and flag or block them before they reach unintended recipients.

eDiscovery and data export. Administrators can export all messages, files, and audit events from every workspace in the organization. This supports HIPAA's requirement for maintaining access to ePHI and producing records when required for compliance audits or OCR investigations.

Granular admin controls across workspaces. Enterprise Grid operates as an organization-level layer above individual workspaces. Org admins can enforce security policies, manage user provisioning, and apply consistent settings across every workspace — something lower-tier Slack plans cannot do.

Audit logging with event API. Enterprise Grid provides detailed audit logs tracking user actions — logins, file downloads, channel access, app installations — accessible through Slack's Audit Logs API. These logs support the HIPAA Security Rule's audit control requirements.

SAML-based SSO and session management. Enterprise Grid supports SAML 2.0 single sign-on, allowing integration with your identity provider. Combined with domain claiming and session duration controls, this ensures only authorized users access PHI-containing workspaces and that sessions expire according to your security policies.

Why Most Slack Plans Fail HIPAA

The gap between Slack Enterprise Grid and every other Slack plan is not incremental. It is structural. The security capabilities that make HIPAA compliance possible on Enterprise Grid simply do not exist on lower tiers.

No BAA available. Salesforce will not sign a BAA for Slack Free, Pro, or Business+. This alone disqualifies these plans. Under HIPAA, any vendor that handles PHI on your behalf must execute a BAA before receiving that data. No BAA means no compliant use — regardless of encryption, passwords, or any other setting you configure.

No Enterprise Key Management. Without EKM, you have no control over the encryption keys protecting your data. Slack holds the keys. You cannot revoke access independently, and you have no mechanism to ensure your data is inaccessible if you terminate the relationship.

Limited admin controls. Pro and Business+ plans provide workspace-level administration, but they lack the organization-level governance layer that Enterprise Grid provides. You cannot enforce consistent security policies across multiple workspaces or manage user access at the scale HIPAA requires.

No DLP capabilities. Without DLP integrations, there is no automated mechanism to detect or prevent PHI from being shared in channels, messages, or files. Staff can paste patient names, diagnosis codes, or insurance information into any channel without the system flagging it.

Limited data retention controls. Lower-tier plans offer basic message retention settings, but they lack the granular retention policies and comprehensive data export capabilities needed for HIPAA compliance documentation and incident response.

The bottom line: the features HIPAA demands are only available on the plan designed for enterprises. That is a deliberate product decision by Salesforce, and it means Slack's HIPAA-compliant offering is priced and scoped for organizations far larger than a typical independent practice.

Settings to Configure on Enterprise Grid

Having Enterprise Grid and a signed BAA is necessary but not sufficient. You still need to configure the platform correctly. These are the settings to apply before any PHI enters the system:

  • Execute the BAA with Salesforce/Slack — this must be completed before any PHI is transmitted. The BAA is not automatic with an Enterprise Grid purchase. You must request it, review the terms, and formally execute it.
  • Enable Enterprise Key Management — configure EKM with your AWS KMS keys. This gives you direct control over encryption and the ability to revoke access if needed.
  • Configure data retention policies — set retention windows appropriate for your compliance requirements. HIPAA requires that ePHI be available for a minimum of six years. Ensure your retention settings do not delete messages or files that may contain PHI before that window closes.
  • Restrict file uploads to approved channels — create designated channels for any workflow that may involve PHI and restrict file sharing outside those channels. This limits the surface area for accidental disclosure.
  • Disable third-party app integrations without BAAs — every Slack app or integration that could access message content or files must have its own BAA. If it does not, disable it. Bots, workflow automations, and custom integrations all fall under this requirement.
  • Enable SSO with MFA — require SAML-based single sign-on with multi-factor authentication for every user. Password-only access does not meet HIPAA's access control requirements.
  • Set up DLP policies for PHI patterns — configure your DLP integration to detect and flag common PHI identifiers: names combined with dates of birth, Social Security numbers, medical record numbers, and insurance IDs.
  • Restrict external guest access — disable or tightly control Slack Connect and guest accounts. External users who are not covered by your BAA and compliance program should not have access to channels where PHI may be discussed.

These settings should be applied at the organization level by an administrator and documented as part of your compliance program.
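As an added example that is not part of this article or of any vendor's DLP product, the Python below applies two of the rules above to constructed Slack-export-style messages: direct identifiers (SSN, MRN, insurance ID) count as PHI on their own, a name counts only when it appears together with a date of birth, and a hit is flagged for review in a designated PHI channel but blocked anywhere else. The MRN and insurance-ID formats, the channel names and the messages are all constructed assumptions, since real formats vary by organization.

```python
import re
from dataclasses import dataclass

# Channels the practice has designated for PHI workflows (constructed names).
APPROVED_PHI_CHANNELS = {"clinical-handoff", "billing-phi"}

# Patterns for the identifiers named in the article. The MRN and insurance-ID
# formats are constructed examples; real ones differ per organization.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),
    "insurance_id": re.compile(r"\b[A-Z]{3}\d{9}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "name": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),  # crude Firstname Lastname
}

@dataclass
class Verdict:
    action: str            # "allow", "flag" or "block"
    identifiers: list      # which PHI patterns fired

def classify(channel: str, text: str) -> Verdict:
    """DLP verdict for one message.

    SSN, MRN and insurance ID are PHI on their own. A name or a DOB alone
    is not; the two together are, which is the combination the article lists.
    """
    found = [k for k in ("ssn", "mrn", "insurance_id") if PATTERNS[k].search(text)]
    if PATTERNS["name"].search(text) and PATTERNS["dob"].search(text):
        found.append("name+dob")
    if not found:
        return Verdict("allow", [])
    # PHI in a designated channel is flagged for review; elsewhere it is blocked.
    return Verdict("flag" if channel in APPROVED_PHI_CHANNELS else "block", found)

# Constructed sample messages as (channel, user id, text).
SAMPLE_MESSAGES = [
    ("general", "U01", "Lunch order is in, thanks everyone"),
    ("general", "U02", "Can someone pull up MRN 00482913 before the 2pm?"),
    ("clinical-handoff", "U03", "Maria Lopez, DOB 03/14/1978, post-op check tomorrow"),
    ("billing-phi", "U04", "Claim denied for member ABC123456789, resubmitting"),
    ("random", "U05", "Jane Doe said the printer is fixed"),
]

def scan(messages):
    """Classify every (channel, user, text) tuple; return the non-allow verdicts."""
    return [(ch, user, v.action, v.identifiers)
            for ch, user, text in messages
            for v in [classify(ch, text)] if v.action != "allow"]

if __name__ == "__main__":
    for row in scan(SAMPLE_MESSAGES):
        print(row)
```

A real deployment would wire `classify` into the DLP integration's message hook rather than scanning an export after the fact, but the rule logic is the same.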

The Independent Practice Reality

Here is where the practical analysis matters more than the technical analysis.

Slack Enterprise Grid pricing is not published, but industry benchmarks place it at $20 or more per user per month with annual contracts and minimum seat requirements — often 250 users or more. For a five-person dental office, a ten-provider therapy practice, or a small medical group, Enterprise Grid is not a realistic option. You would be purchasing an enterprise-grade tool designed for organizations like Kaiser Permanente or Cigna and paying accordingly.

This does not mean your practice cannot have HIPAA-compliant team messaging. It means Slack is not the right tool for the job at your scale. Several alternatives are worth evaluating:

Microsoft Teams. Microsoft 365 Business plans (starting at $6/user/month for Business Basic) support BAA execution. The BAA covers Teams, Exchange, SharePoint, and OneDrive — giving you compliant messaging, email, and file storage in a single agreement. For independent practices, this is a significantly more accessible path to compliant team communication.

HIPAA-compliant messaging platforms. Purpose-built platforms designed for healthcare teams — such as TigerConnect, OhMD, or Halo Health — offer HIPAA-compliant messaging with BAAs at price points appropriate for small practices. These platforms are designed specifically for clinical communication workflows.

Patient Protect. Patient Protect includes HIPAA-compliant secure messaging as part of the platform, starting at $39/month. It is built specifically for independent practices that need compliant communication without the overhead of enterprise licensing.

The right choice depends on your practice size, your existing tooling, and your budget. The wrong choice is using a non-compliant Slack plan and hoping no one notices.

Common Mistakes with Slack and HIPAA

These are the errors that create real compliance exposure — and they happen more often than most practice owners realize.

Using Slack Pro or Business+ and assuming it is compliant. This is the most common mistake. Practices see that Slack uses encryption and assume encryption equals compliance. It does not. Without a BAA, encryption is irrelevant to HIPAA compliance. The BAA is the threshold requirement, and it is only available on Enterprise Grid.

Discussing patient cases in Slack channels without a BAA in place. Internal Slack channels feel private. They are not. Any discussion that includes patient names, conditions, treatment details, or other PHI in a Slack workspace without a BAA is an unsecured disclosure of ePHI. Every message is a separate violation.

Staff using personal Slack workspaces for practice communication. When your practice does not provide a sanctioned communication tool, staff improvise. Personal Slack accounts, text messages, and consumer messaging apps become the de facto communication layer. None of them have BAAs. All of them create exposure.

Not restricting third-party Slack apps and integrations. Slack's app marketplace includes thousands of integrations — project management tools, file converters, scheduling bots, AI assistants. Each one that accesses message content or files is a potential business associate under HIPAA. Unvetted integrations are uncontrolled data exposure.

Sharing PHI in direct messages thinking DMs are private enough. Direct messages in Slack are not end-to-end encrypted. Slack can access them. Without a BAA, that access is an unauthorized disclosure. Privacy is not the same as compliance, and "private enough" is not a HIPAA standard.

Frequently Asked Questions

Is Slack Free HIPAA compliant?

No. Slack Free does not support a Business Associate Agreement, does not offer Enterprise Key Management, and does not provide the administrative controls required by the HIPAA Security Rule. Using Slack Free to transmit any protected health information is a HIPAA violation.

Does Slack sign a BAA?

Yes, but only for Slack Enterprise Grid. Salesforce will not sign a BAA for Slack Free, Pro, or Business+ plans. The BAA must be specifically requested and executed as part of your Enterprise Grid deployment — it is not automatic.

Can I use Slack for patient communication?

Slack is designed for internal team messaging, not direct patient communication. Even on Enterprise Grid with a BAA, using Slack as a patient-facing communication tool introduces risks that the platform was not designed to address — including patient identity verification, consent management, and access controls for external users.

Which Slack plan is HIPAA compliant?

Only Slack Enterprise Grid supports HIPAA compliance. This requires a signed BAA with Salesforce, Enterprise Key Management enabled, and the administrative settings outlined above properly configured. No other Slack plan qualifies.

Is there a HIPAA-compliant Slack alternative for small practices?

Yes. Microsoft Teams supports BAA execution on business plans starting at $6/user/month. Purpose-built healthcare messaging platforms like TigerConnect and OhMD offer compliant communication designed for clinical teams. Patient Protect includes secure messaging as part of its compliance platform starting at $39/month. Any of these are more practical for independent practices than Slack Enterprise Grid.


Patient Protect tracks your full compliance posture, including vendor BAAs and communication tool configurations, starting at $39/month.