Hospital systems are running two parallel messaging universes. Epic's integrated communication tools (MyChart secure messaging, In-Basket, and Haiku mobile alerts) route into Slack workspaces maintained by clinical informatics teams. Meanwhile, the broader enterprise (administration, supply chain, HR, revenue cycle, and increasingly the nursing floors) operates under a Microsoft 365 agreement, with Teams as the default collaboration layer. When an Epic-generated alert needs to reach a care team coordinator who is only in Teams, the message gets lost, is duplicated manually, or crosses the gap through an uncontrolled consumer channel.
That last option is a HIPAA breach waiting to be discovered.
The EHR Alert Routing Problem
Epic generates dozens of alert types that clinical workflows depend on: sepsis risk flags from the Early Warning Score, critical lab value notifications, patient deterioration alerts, code-status change messages, and nurse-call escalations. These alerts are routed through Epic's internal messaging rail or forwarded to integrated platforms via HL7 FHIR-based webhooks.
The gap appears at the boundary. Epic can push a notification to a Slack channel (via an Epic App Orchard connector or a custom webhook). But if the clinician responsible for acting on that alert is in a Teams channel — as is the case for most administrative and inter-departmental coordination — the message stops at the edge of the Slack workspace.
The manual workaround is a clinician switching apps, reading the Slack alert, and re-typing a summary into Teams. That introduces latency, transcription error, and — critically — unauthorized PHI duplication. The person doing the manual re-routing is creating a new PHI artifact outside the BAA-covered system.
PHI Boundaries and the BAA Chain
HIPAA's Security Rule requires that any system that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) must be covered by a Business Associate Agreement (BAA). This is not limited to EHR systems — it applies to every node in the communication chain that touches ePHI, including the messaging bridge.
The BAA chain must be unbroken. If your Epic alerts contain patient identifiers — even just an MRN, a bed number, or an alert type that implies a diagnosis — and those messages pass through an intermediary that does not have a BAA in place with your covered entity, you have a breach point.
SyncRivo offers a HIPAA BAA for Enterprise-tier customers. The BAA covers the routing function — the path the message takes from one platform to another. Critically, SyncRivo's zero-message-storage architecture means that ePHI is never written to disk during routing. The message is translated and forwarded in memory; no content is persisted at rest. This is a meaningful architectural distinction: most compliance conversations focus on access controls, but HIPAA's Security Rule also requires minimizing the creation of ePHI data stores. A bridge that logs message content to a database — even temporarily — creates a new ePHI repository that must be independently secured and audited.
Nurse Call Coordination Across Slack and Teams
The most operationally acute cross-platform gap in hospital systems is nurse call coordination. In modern acute care facilities, nurse call systems (from vendors like Hill-Rom, Rauland, and Ascom) integrate with Epic and route escalations to mobile devices and messaging platforms. The routing logic is: patient presses call button → nurse call system fires an event → Epic Care Companion or Vocera forwards a message to the nurse's preferred channel.
The problem is that "preferred channel" is not consistent. ICU nurses on a Zoom-heavy unit may have Zoom Team Chat configured as their primary. Floor nurses on a Microsoft-standardized unit get Teams. Travel nurses brought in during capacity events often have neither configured and receive alerts on personal devices.
SyncRivo bridges these platforms so that a nurse-call escalation fired into any of the five supported platforms — Slack, Teams, Zoom, Webex, Google Chat — is simultaneously delivered to all channels mapped to that unit's care team. The sub-100ms delivery SLA is relevant here: a sepsis alert delayed by three seconds because of a platform hop is clinically unacceptable. SyncRivo's routing engine processes the message translation and delivery in under 100 milliseconds end-to-end.
Setting Up a HIPAA-Compliant Bridge
The minimum viable compliant configuration requires:
- BAA execution with SyncRivo before any PHI-containing message routes through the bridge
- PHI scope definition — work with your compliance team to identify which alert types contain ePHI (patient name, MRN, diagnosis, room number, care team assignment) and which are operationally sensitive but not ePHI (staff scheduling, supply requests, general announcements)
- Routing rules scoped to PHI-containing channels — SyncRivo lets you configure separate routing policies for PHI and non-PHI channels, so general hospital communications can use standard routing while clinical alerts use BAA-covered, zero-storage paths
- Audit log review — SyncRivo's immutable routing audit log records sender platform, recipient channel, timestamp, and message metadata (not content) for every routed message. This log is available for HIPAA audit and breach investigation purposes
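The PHI scope, routing rule and audit log steps above, sketched as an added example; this is not SyncRivo's code or API. The field names, alert types, channel names and the `baa_covered` flag are constructed assumptions standing in for whatever your compliance team defines.

```python
import json
from datetime import datetime, timezone

# ePHI fields from the scope-definition step (key names are assumed).
PHI_FIELDS = {"patient_name", "mrn", "diagnosis", "room_number", "care_team"}
# Alert types treated as ePHI because the type itself implies a diagnosis (assumed names).
PHI_ALERT_TYPES = {"sepsis_risk", "critical_lab", "code_status_change"}
# Hypothetical channel inventory maintained with the compliance team.
CHANNELS = {
    "teams:icu-care-team": {"baa_covered": True},
    "slack:clin-informatics": {"baa_covered": True},
    "teams:facilities-general": {"baa_covered": False},
}

def contains_ephi(alert):
    """True if any scoped field is populated or the alert type is in scope."""
    populated = {k for k, v in alert.get("fields", {}).items() if v}
    return bool(populated & PHI_FIELDS) or alert.get("type") in PHI_ALERT_TYPES

def route(alert, source, destinations, now=None):
    """Return (deliveries, audit_record); PHI goes only to BAA-covered channels."""
    phi = contains_ephi(alert)
    delivered, blocked = [], []
    for dest in destinations:
        # Unknown channels count as not covered, so PHI fails closed.
        covered = CHANNELS.get(dest, {}).get("baa_covered", False)
        (blocked if phi and not covered else delivered).append(dest)
    audit = {  # metadata only: no field values or message text
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "sender_platform": source,
        "policy": "phi" if phi else "standard",
        "delivered": delivered,
        "blocked": blocked,
        "size_bytes": len(json.dumps(alert, sort_keys=True).encode()),
    }
    return delivered, audit

# Constructed sample alerts.
SEPSIS = {"type": "sepsis_risk", "fields": {"mrn": "TEST-0001", "room_number": "4B-12"}}
SUPPLY = {"type": "supply_request", "fields": {"item": "IV tubing", "qty": 40}}

if __name__ == "__main__":
    for alert in (SEPSIS, SUPPLY):
        _, record = route(alert, "slack", ["teams:icu-care-team", "teams:facilities-general"])
        print(json.dumps(record))
```

The audit record deliberately omits the alert type and any content hash, since either can reveal or be matched back to patient information.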
Identity Proxy in Clinical Settings
One compliance concern in cross-platform clinical messaging is sender identity. If a physician's alert from Epic appears in a Teams channel attributed to "SyncRivo Bot," the receiving clinician does not know who sent the message without additional context. In a clinical handoff, ambiguous sender identity is a patient safety issue.
SyncRivo's identity proxy resolves this. Messages routed from Slack to Teams are attributed to the sender's actual identity in both platforms — "Dr. Sarah Kim (Epic Alert)" rather than a generic bot name. Thread replies in Teams route back to the same Slack thread, maintaining the conversation context for handoff continuity.
See the full implementation guide at SyncRivo for Healthcare and review HIPAA BAA availability on the HIPAA Messaging Integration page.