For many organizations, running something like RocketChat in-house might be an alternative...I mean, how many of Slack's features add most of the value?
Then you have to provision hardware to run it and someone to set it up and admin it. And deal with backups and data retention, etc.
Healthcare IT teams tend to run ridiculously lean. There's a much stronger business case for paying a few bucks per user/month than take up expensive and generally highly limited sysadmin time rolling your own.
Chats may or may not be deemed business records by a prudent attorney, and therefore it may be possible to not retain them for reasons similar to those under which computer logs are not maintained. That might make complying with non-realtime HIPAA requirements simpler.
Relative to IT requirements, the trend is toward much higher ratios of machines to IT staff due to virtualization and orchestration. I suspect that over time, healthcare organizations will get more containers.
Anyway, I was not thinking just about healthcare...nor thinking that lack of Slack is one of the significant areas in which improvement is needed in the now.
I think the broader point is that in any industry that's heavily regulated enough that built-in regulatory compliance is a selling point, is it really worth the hassle of taking on that potential liability yourself when it can be outsourced for <$100/year/user?
I have not read the terms and conditions for Microsoft's Office online services, however, I would not expect that Microsoft explicitly assumes much liability for regulatory compliance on behalf of customers under them. I tend to doubt that Microsoft would be a first choice target for litigation by a reasonably prudent lawyer or regulatory body these days.
Anyway, there are organizational cultures where free is almost too much money per employee per year...cause I've worked in a few.
O365 for government can meet far more stringent controls than HIPAA -- which is very easy to target.
I did a very large O365 rollout where Microsoft was willing and able to meet really difficult compliance targets like IRS Pub 1075 and CJIS. They absolutely will meet those and other standards.
That could depend on the lawyers your organization has. Not to say they do or don't include indemnification, but those providers who are capable will oftentimes offer indemnification terms, when they don't do so as a matter of course, if you have the proper team asking for it.
And usually large orgs with those kinds of liability questions will have the necessary resources to make those requests.
If a hosted service is HIPAA compliant, by definition, that means the host is willing to execute a Business Associate Agreement and is directly responsible for various compliance requirements.