GroupMe, a chat messaging app acquired by Microsoft, lets you create groups to send text, polls, and multi-media files. User-friendly and free, it’s a popular alternative to Facebook Messenger.
Given the app’s convenient features, can healthcare workers also use it to exchange messages and send files? Is it safe enough to handle sensitive health information? Is GroupMe HIPAA compliant?
Let’s discuss GroupMe HIPAA compliance and its importance.
Table of Contents
GroupMe Compliance: Data Privacy and HIPAA Issues
GroupMe, now a part of Microsoft’s communication and productive tools, has its privacy statement on the Microsoft Support page. On the said page, you’ll find information about how the app keeps personal details such as phone numbers and email addresses private from other group members. Only group members’ avatars and names are viewable.
Microsoft’s Privacy Statement explains that the company collects personal data from your interactions and direct input to troubleshoot and improve products. However, you can decline to provide this data. In exchange, the product may not function fully. Signing into a Microsoft account may also share your data with third-party services.
It’s understandable to be worried that your interactions in an app like GroupMe might be exposed to third parties and result in a HIPAA violation. However, some Microsoft products enable HIPAA compliance, and you can even request the company to issue a Business Associate Agreement (BAA).
The question is, is GroupMe among these products?
Is GroupMe HIPAA Compliant?
No, the Microsoft-owned mobile messaging app is not HIPAA compliant.
The Microsoft Compliance page does not include GroupMe in its list of in-scope services that help you meet compliance standards in regulated industries such as healthcare.
Here are some HIPAA features that are notably missing from GroupMe:
Business Associate Agreement
Microsoft won’t provide a BAA for GroupMe. Any software or service provider that handles protected health information (PHI) on behalf of a covered entity (i.e., clinics and healthcare institutions) should sign a BAA. Without it, you risk violating HIPAA rules.
Inadequate access controls
Access controls such as two-factor or multi-factor authentication and role-based access help keep your data private. There’s a higher risk of divulging PHI to unauthorized persons without these additional layers of security. While GroupMe won’t let you sign in without a password and does not show your personal details to group members, its inadequate technical safeguards can still leave your data vulnerable to breaches.
Unclear data storage practices
Microsoft emphasizes the simple and quick functionality of GroupMe. However, it doesn’t say much about the app’s security features, including how it stores and protects data. PHI, classified by the U.S. Department of Health and Human Services (HHS) as highly sensitive information, requires stringent storage protection measures.
HIPAA outlines several necessary safeguards for handling stored data. Covered entities and their business associates should regularly monitor storage systems and conduct periodic risk assessments. The physical infrastructure that houses data should be monitored 24/7 and meet industry standards. Moreover, there should be a data backup and redundancy system to ensure that data remains accessible in case of system failures, natural disasters, and other unexpected events.
Can I Still Use GroupMe in Healthcare?
Given its lack of data privacy and security features, GroupMe isn’t recommended for use in healthcare settings. It’s best to use it only for casual conversations. Healthcare professionals and providers risk exposing PHI to unauthorized persons if they use GroupMe. If a data breach happens, they also risk facing HIPAA violations that may lead to civil and criminal penalties.
If you insist on using GroupMe, you should understand the risks involved. Also, never use the app to send medical records, personally identifiable information, phone numbers, treatment plans, and other sensitive data. Obviously, this makes using GroupMe in healthcare quite inconvenient. It’s better to use HIPAA-compliant alternatives for healthcare-focused messaging.
HIPAA-Compliant Alternatives to GroupMe
Since GroupMe and HIPAA compliance don’t go hand-in-hand, your next best option would be to look for HIPAA-compliant messaging solutions. Fortunately, you don’t need to look far to find alternatives that would suit your needs.
There’s OhMD, TigerConnect, and Trillian, to name a few. There’s also iFax, our very own cloud fax service with video calling and secure messaging capability. These HIPAA-compliant messaging apps provide all the essential features you need to communicate securely. More importantly, these apps can readily offer a signed business associate agreement. You can also send chats consisting of texts, images, and documents.
GroupMe may not enable HIPAA compliance, but other secure messaging platforms do. Also, there are EHR and EMR systems with built-in messaging features. Or, you can communicate with patients and colleagues through HIPAA-compliant email.
