Is Yammer HIPAA Compliant?


Yammer is another platform that healthcare organizations can potentially use for sharing ePHI. Does it possess the administrative and technical controls needed so that using it with ePHI does not violate HIPAA rules? In what sense is it HIPAA compliant?

Yammer is a social networking and collaboration platform that has existed since 2008. In 2012, Microsoft purchased the platform after noticing its popularity and potential. It has grown so much that 85% of Fortune 500 companies use it today. Company employees can use this freemium platform for communication, collaboration, information sharing and Q&A. Yammer has functionality and architecture similar to Twitter, which is why it has been dubbed the ‘Twitter for companies.’

Communications in Yammer are private, which differentiates it from other popular social networking sites. Companies may use the platform strictly for internal communication and collaboration, but it can also serve as a communication tool with customers and business associates. Yammer allows users to chat and to share photos, documents and other files.

When Microsoft purchased Yammer, the platform was improved to meet HIPAA security standards. Auditing and reporting capabilities were enhanced by enabling the creation of detailed activity logs. Through these logs, administrators can see how the platform is being used, and they can audit users, admins, groups, files and network settings.

Access controls also meet HIPAA security standards. Every user gets his/her own account, and logging in strictly requires existing organization credentials, including a valid company email address. For data and files that are accessed, Microsoft uses AES with 256-bit keys to encrypt data both in transit and at rest. As a multitenant platform, it lets different companies use the same service securely, knowing that each organization’s data is kept logically separated and private from the others.

Yammer has been covered by the Office 365 Trust Center since January 1, 2016. It is also covered by the Microsoft Office 365 enterprise business associate agreement. As long as a healthcare organization enters into a business associate agreement with Microsoft that covers Yammer before using the platform with ePHI, there is no violation of this particular HIPAA requirement.

To summarize, Yammer is HIPAA compliant because Microsoft has integrated all the required controls and has it covered by its Office 365 enterprise BAA. Nevertheless, HIPAA compliance may be undermined if the covered entity and its users fail to configure platform settings correctly, to identify and manage risks, and to develop policies that support HIPAA compliance. Healthcare organizations must therefore train their staff on the proper configuration of Yammer and on the HIPAA restrictions that apply.