HIPAA & BAA · Team messaging & collaboration
Is Slack HIPAA compliant?
Conditionally. Slack (via Salesforce) signs a BAA only for Enterprise Grid and only for internal workforce use; lower Slack plans are not eligible and patients may not be added as users or guests.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Slack Enterprise Grid only; you must execute Slack's BAA, commit to the 'Slack Requirements for HIPAA Entities,' and provide the list of orgs/workspaces used for PHI. Plans below Enterprise Grid are not eligible.
- Official source: Slack Help — Slack and HIPAA — https://slack.com/help/articles/360020685594-Slack-and-HIPAA (verified 2026-06)
How to use Slack in a HIPAA-compliant way
- Move to or purchase Slack Enterprise Grid.
- Review and commit to implementing the 'Slack Requirements for HIPAA Entities' guide.
- Execute Slack's standard BAA and provide Slack the list of orgs/workspaces that will handle PHI.
- Configure message and file retention, DLP, encryption key management, access controls (SSO/MFA, admin roles), and restrict the set of approved apps and integrations in the workspaces that will hold PHI.
- Train workforce that Slack is for internal use only — never communicate with patients/members through it.
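The last two steps above (locking down who is in the PHI workspaces, and keeping patients/members out entirely) can be checked against the workspace member directory. The following is an added example, not code from Slack or from the Slack Help article: it reads the JSON shape of Slack's `users.list` Web API response (the `members` array with its `is_restricted`, `is_ultra_restricted`, `is_bot`, `deleted` and `profile.email` fields) and flags any guest account or any account whose email is outside the workforce's domains. The sample payload and the approved domain `example-health.org` are constructed for illustration; in practice you would feed it the paginated output of a real `users.list` call.

```python
"""Audit a Slack users.list payload for accounts that break the
'internal workforce only' rule: no guests, no non-workforce addresses.
Added example; the payload below is constructed, not captured from Slack."""
from __future__ import annotations

# Email domains that belong to the covered entity's workforce (assumed).
APPROVED_DOMAINS = {"example-health.org"}

# Constructed sample in the shape of Slack's users.list response.
SAMPLE_USERS_LIST = {
    "ok": True,
    "members": [
        {"id": "USLACKBOT", "name": "slackbot", "is_bot": False,
         "deleted": False, "profile": {}},
        {"id": "U01", "name": "dr.rivera", "is_bot": False, "deleted": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "rivera@example-health.org"}},
        # A patient added as a single-channel guest: the exact case the
        # BAA forbids. Slack sets both guest flags for such accounts.
        {"id": "U02", "name": "patient.guest", "is_bot": False, "deleted": False,
         "is_restricted": True, "is_ultra_restricted": True,
         "profile": {"email": "jane@gmail.com"}},
        # A contractor with a workforce address but only guest access.
        {"id": "U03", "name": "it.contractor", "is_bot": False, "deleted": False,
         "is_restricted": True, "is_ultra_restricted": False,
         "profile": {"email": "contractor@example-health.org"}},
        {"id": "U04", "name": "ticket-bot", "is_bot": True, "deleted": False,
         "profile": {}},
        {"id": "U05", "name": "former.staff", "is_bot": False, "deleted": True,
         "profile": {"email": "old@external.example"}},
        # A full member whose address is outside the workforce domains.
        {"id": "U06", "name": "vendor.rep", "is_bot": False, "deleted": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "rep@vendor-co.com"}},
    ],
    "response_metadata": {"next_cursor": ""},
}


def classify_member(member: dict, approved_domains: set[str]) -> list[str]:
    """Return the list of findings for one users.list member entry.

    Bots, deactivated accounts and Slackbot are skipped: they cannot
    read PHI and would only add noise to the report.
    """
    findings: list[str] = []
    if member.get("deleted") or member.get("is_bot") or member.get("id") == "USLACKBOT":
        return findings

    # Guest accounts: ultra_restricted is the single-channel guest; Slack
    # also sets is_restricted on those, so check the narrower flag first.
    if member.get("is_ultra_restricted"):
        findings.append("single-channel guest")
    elif member.get("is_restricted"):
        findings.append("multi-channel guest")

    # Non-workforce address: the simplest signal that a patient, member
    # or outside party has been provisioned in a PHI workspace.
    email = (member.get("profile") or {}).get("email", "") or ""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain not in approved_domains:
        findings.append(f"non-workforce email domain: {domain or 'missing'}")
    return findings


def audit_users_list(payload: dict, approved_domains: set[str] = APPROVED_DOMAINS) -> dict[str, list[str]]:
    """Map Slack user ID -> findings for every member that needs review.

    Raises on an error payload so a failed API call is never mistaken for
    a clean workspace.
    """
    if not payload.get("ok"):
        raise ValueError(f"users.list failed: {payload.get('error', 'unknown error')}")
    report: dict[str, list[str]] = {}
    for member in payload.get("members", []):
        findings = classify_member(member, approved_domains)
        if findings:
            report[member["id"]] = findings
    return report


if __name__ == "__main__":
    for user_id, findings in audit_users_list(SAMPLE_USERS_LIST).items():
        print(user_id, "->", "; ".join(findings))
```

A real audit loops over `response_metadata.next_cursor` until it is empty and runs against every org/workspace on the list given to Slack under the BAA; a non-empty report is a finding to resolve before PHI is shared, not something to explain away.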
Important caveats
- Only Enterprise Grid is covered; Slack does not offer its BAA on Free, Pro, or Business+ plans, so PHI cannot be handled on them no matter how they are configured.
- Slack may not be used to communicate with patients/members, and they may not be added as users or guests.
- Coverage requires following Slack's HIPAA requirements guide and applying your own configuration and safeguards.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Slack correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Slack.
Frequently asked questions
Does Slack sign a BAA?
On specific plans. Slack Enterprise Grid only; you must execute Slack's BAA, commit to the 'Slack Requirements for HIPAA Entities,' and provide the list of orgs/workspaces used for PHI. Plans below Enterprise Grid are not eligible. A signed BAA is required before any PHI is involved.
Is Slack HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Slack offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Slack with PHI?
Confirm that you are on Enterprise Grid (Free, Pro, and Business+ are not eligible); that Slack's BAA has been executed before any PHI is shared; that you have committed to the 'Slack Requirements for HIPAA Entities' and given Slack the list of orgs/workspaces that will hold PHI; that retention, DLP, key management, access controls, and app approvals are configured in those workspaces; and that no patients or members exist there as users or guests.