Is Yammer HIPAA Compliant?

Is Yammer HIPAA compliant? Does the platform incorporate all the necessary administrative and technical controls to meet HIPAA requirements? This post explores whether Yammer supports HIPAA compliance and assesses whether the platform can be used by healthcare organizations without violating HIPAA Rules.

What is Yammer?

Yammer has been a standalone social networking and collaboration platform since 2008. Its popularity and potential were noticed by Microsoft, which purchased the company in 2012. Today the platform is used by 85% of Fortune 500 companies.

The freemium platform allows company employees to communicate with each other, collaborate on projects, share knowledge, and ask questions and get quick answers from co-workers. Because of similarities in its architecture and functionality, it is often referred to as ‘Twitter for companies’.

In contrast to other social media platforms, communications are private and are not published online. The platform can be kept as a strictly internal communication and collaboration tool, although it is also possible to use the platform to communicate with business associates and customers. Via the platform, users can chat and share documents, photos and other files.

Can Healthcare Organizations Sign a Business Associate Agreement for Yammer?

Since January 1, 2016, Yammer has been included in the Office 365 Trust Center and is covered by Microsoft’s Office 365 enterprise business associate agreement.

Since purchasing the platform, Microsoft has enhanced its auditing and reporting capabilities. Detailed activity logs give administrators full visibility into how the platform is being used: through those logs they can audit users, groups, files, admins and network settings, and see all activity on the platform. The logs meet the HIPAA security standard for audit controls.

The HIPAA security standard for access controls is also satisfied. Users get their own accounts and log in with their existing organization credentials; access is only possible with a valid company email address.

All data in transit into and out of the production environment is encrypted, as is data at rest. Microsoft uses AES 256-bit key encryption to ensure data security.

The platform is multitenant by design, so each organization’s data is logically separated from that of other companies using the platform and is kept private.

Is Yammer HIPAA Compliant?

So, is Yammer HIPAA compliant? The answer is yes and no.

Microsoft has incorporated all the necessary controls to ensure Yammer can be HIPAA compliant, but HIPAA compliance depends on the organization and its users. Provided risks are identified and managed, and the healthcare organization enters into a business associate agreement with Microsoft that covers Yammer before the service is used in connection with any ePHI, Yammer can be considered a HIPAA compliant collaboration tool.

The platform must also be configured correctly, policies covering use of the platform need to be developed, and staff need to be trained on Yammer and on HIPAA restrictions.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.