HIPAA Compliance and Yammer

Yammer has been operating as a social networking and collaboration platform since 2008. Its widespread use and scalability were noticed by Microsoft, which bought the company in 2012. Today the platform is used by 85% of Fortune 500 companies.

The freemium platform gives company employees the ability to communicate with each other, collaborate on projects, share knowledge, and ask questions and get short answers from co-workers. Due to similarities in its architecture and functionality, it is often called ‘Twitter for companies’.

Unlike other social media services, communications are private and are not published online. The platform can be maintained as a strictly internal communication and collaboration tool, although it is also possible to use the platform to chat with business associates and customers. Using the platform, users can chat and share documents, photos and other data.

Can Healthcare Groups Complete a Business Associate Agreement with Yammer?

As of January 1, 2016, Yammer has been incorporated in the Office 365 Trust Center and is covered by Microsoft’s Office 365 enterprise business associate agreement.

Since buying the platform, Microsoft has enhanced its auditing and reporting functionality. Detailed activity logs are produced, giving admins full visibility into how the platform is being used. Using those logs, administrators can audit users, groups, files, admins and network settings, and see all activity on the platform. The logs are in line with the HIPAA Security Rule standard for audit controls.

The HIPAA Security Rule standard for access controls is also adhered to. Users get their own accounts and sign in with their existing organization credentials. Access is only possible with a valid business email address.

All data in transit into and out of the production environment is encrypted, as is data at rest. Microsoft uses AES 256-bit encryption to protect the data.

The platform was built as a multitenant service, so each organization’s data is logically separated from that of other firms using the platform and is kept private.

So can Yammer be Classed as HIPAA Compliant?

Microsoft has added all the necessary controls to allow Yammer to be used in a HIPAA compliant manner, but HIPAA compliance depends on the business and its staff. Provided risks are identified and managed, and healthcare groups complete a business associate agreement with Microsoft that covers Yammer – before the service is used in connection with any ePHI – Yammer can be considered a HIPAA compliant collaboration tool.

The platform must also be configured properly, policies need to be established covering the use of the platform, and staff will need to be trained on Yammer and their HIPAA compliance obligations.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years’ experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.