Is GroupMe HIPAA Compliant?
GroupMe is not HIPAA compliant and cannot be used to create, collect, store, or transmit Protected Health Information due to its lack of Technical Safeguards. In addition, GroupMe’s owners – Microsoft – will not enter into a Business Associate Agreement with users of the GroupMe service as it is not an “in-scope” service.
GroupMe is a free text messaging service that connects friends, family members, student groups, and/or work colleagues via SMS, IM, audio, and video. Available on Windows desktops, via the Internet, and mobile apps, the service allows users to create groups, invite members, host events, and run polls. Users can also search for and apply to join groups that may be of interest to them.
GroupMe and Protected Health Information
While GroupMe can be used to connect groups of healthcare professionals, it lacks the Technical Safeguards required by the HIPAA Security Rule to protect Protected Health Information from authorized access and disclosures. For example, GroupMe does not allow group moderators to manage access controls, audit logs, or user authentication, and messages are not encrypted at rest or in transit.
Consequently, GroupMe does not fulfil the criteria to be HIPAA compliant and cannot be used to create, collect, store, or transmit Protected Health Information. In addition, Microsoft does not include GroupMe among its list of “in-scope cloud platforms and services” and will not enter into a Business Associate Agreement with GroupMe users. Note: Although it is possible to set up Microsoft Teams calls within the GroupMe app, Teams calls within the app are outside the scope of the Business Associate Agreement.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
GroupMe HIPAA Compliant Alternatives
There are many GroupMe HIPAA compliant alternatives that have as much – or more – functionality as GroupMe. For example, some Microsoft 365 and Office 365 plans support HIPAA compliance for Skype and Microsoft Teams. Whether they are suitable GroupMe HIPAA compliant alternatives depends on what they will be used for, while compliance depends on how the services are configured and used.
Businesses looking for non-Microsoft GroupMe HIPAA compliant alternatives can choose from platforms such as Google Meet, Zoom, Constant Contact, or Slack (limited uses only) depending on the use case. In all cases, it will be necessary to subscribe to a business plan that supports HIPAA compliance, configure the platform or service to be used in compliance with HIPAA, and train users on how to use the services in accordance with the Privacy Rule.
Covered entities and business associates requiring advice on how to select an appropriate GroupMe HIPAA compliant alternative should discuss their requirements with an independent expert in HIPAA compliance. Although no group messaging provider offers a free HIPAA compliant solution, an independent expert may be able to identify an existing service that is being underutilized or that could be adopted to support HIPAA compliance.
