HIPAA Compliance and Yammer

Yammer is a freemium enterprise social networking platform used for private communication and collaboration within organizations since 2008. After a bedding-in period, Microsoft purchased the company in 2012. It has grown in popularity since then to the extent that it is used by the majority of Fortune 500 companies.

The service allows company staff to communicate with each other, collaborate on projects, share information and address inquiries from colleagues. It has often been referred to as ‘Twitter for companies’ due to its many similarities to that social media platform.

However, Yammer is distinctive in that all communications are private and are not published publicly. The platform can be restricted to internal communications and collaboration only, although it can also be used to communicate with business associates and clients. Via the Yammer platform, users can interact, chat and share documents, photos and other data.

As of January 1, 2016, Yammer has been included in the Office 365 Trust Center and is incorporated in the Microsoft Office 365 enterprise business associate agreement.

Since buying Yammer, Microsoft has strengthened its auditing and reporting capabilities. Detailed activity logs are produced, giving admins full visibility into how the platform is being used. Using those logs, administrators can audit users, groups, files, admins and network infrastructure settings, and view all activities on the platform. The logs adhere to the HIPAA security standard for audit controls.

The HIPAA security standard for access controls is also adhered to. Subscribers get their own accounts and are logged in through their existing group credentials. Access is only granted with a valid company email login.

All data in transit into and out of the production network is encrypted, as is data at rest. Microsoft employs AES 256-bit encryption to secure the data.

The platform was designed as multitenant, so a group's information is logically separated from that of other companies using the platform and is kept private.

Yammer can be deemed HIPAA compliant because Microsoft has incorporated all the necessary controls, but HIPAA compliance ultimately depends on the group and its end users. Provided risks are identified and mitigated, and healthcare organizations enter into a business associate agreement with Microsoft that includes Yammer before the service is used in connection with any ePHI, Yammer can be considered a HIPAA compliant collaboration tool.

The platform must also be set up properly, policies need to be formulated covering the use of the platform, and staff will need to be given the relevant information on Yammer and HIPAA regulations.