Is Yammer HIPAA Compliant?
by Aware
Microsoft Yammer is a valuable internal communication business tool for enhancing collaboration and streamlining teamwork, but highly regulated industries such as healthcare must consider regulatory compliance functionality before rolling out any new tool. This post explores the suitability of Yammer for healthcare, if Yammer is HIPAA compliant, and how to protect PHI in Yammer.
Contents
- What is Yammer?
- Microsoft Yammer vs Microsoft Teams
- What is HIPAA?
- How does HIPAA impact digital collaboration tools?
- Best practices for HIPAA compliance
- Is Yammer HIPAA compliant?
- Does Microsoft sign a Business Associate Agreement (BAA) for HIPAA?
- 5 HIPAA risks of using Yammer
- 5 ways to remain HIPAA compliant using Yammer
- What data security measures does Yammer use
- How administrators can enforce HIPAA compliance in Yammer
- How Aware supports HIPAA compliance in Yammer
What is Yammer?
Yammer is a business-grade social network platform owned and distributed by Microsoft as part of Microsoft 365 suite. Companies rely on Yammer to improve inter-departmental relations, foster a stronger company culture, and accelerate the speed of work across the enterprise. As of February 2023, Yammer is being rebranded as Microsoft Viva Engage.
Microsoft Yammer vs Microsoft Teams
Yammer and Microsoft Teams are both cloud-based collaboration platforms offered by Microsoft. Yammer is an enterprise social networking platform, while Teams is a more focused tool designed for group work. Both Yammer and Teams fill specfic needs within an organization's digital workplace and are often used together within a business so solve different needs.
Learn more about HIPAA compliance in Microsoft Teams.
What is HIPAA?
HIPAA is a federal regulation that outlines how covered entities such as healthcare systems, insurers, and individual providers store and transmit protected health information (PHI) or electronic PHI (ePHI). Under HIPAA, covered entities and their business partners must safeguard PHI or face fines up to $50,000 per violation.
How does HIPAA impact digital collaboration tools?
Healthcare companies must consider HIPAA compliance when using collaboration tools as part of their digital workplace. Employees will assume any work-sanctioned platform is safe for all work-related communications unless trained otherwise, so admins must assume that PHI exists within Yammer. That presents potential risk exposure for businesses if they don’t adequately control or safeguard that data.
Best practices for HIPAA compliance
Is Yammer HIPAA compliant?
Yammer can be considered HIPAA compliant because Microsoft covers the app in its Microsoft Office 365 Trust Center, providing users with the cybersecurity and compliance controls they need to meet HIPAA requirements. However, administrators still have the responsibility to ensure they configure and implement those controls correctly and educate employees on how to remain HIPAA compliant while using Yammer.
Does Microsoft sign a Business Associate Agreement (BAA) for HIPAA?
Microsoft does offer a Business Associate Agreement (BAA) for HIPAA compliance. The BAA is a contract that establishes the legal responsibilities between a covered entity (healthcare provider) and a business associate (Microsoft) when PHI is involved. It ensures that Microsoft agrees to handle PHI appropriately and complies with HIPAA regulations.
Read more: Enterprise collaboration and HIPAA compliance.
5 HIPAA risks of using Yammer
- Unauthorized Access: The greatest risk to PHI in Yammer is that data being accessed by people who are not authorized to do so. This includes both employees without the right level of clearance, as well as external actors.
- Data Breaches: Data Breaches: Inadequate safeguards or data encryption can increase the risk of data breaches, leading to the exposure of sensitive patient information. It's important that employees understand the importance of protecting PHI and administrators should regularly audit for unusual behavior.
- Improper Data Handling: Users may inadvertently mishandle or share PHI in ways that violate HIPAA regulations, such as sharing information outside the authorized network. This can be either through malice or simple negligence, which is why employee training on proper infosec procedures is essential.
- BYOD: Users can access Yammer on any device, including those outside the organization’s control. It’s up to individual businesses to assess the risk of bring your own device (BYOD) and create policies that outline how employees access Yammer.
- Third-Party Integrations: Third-Party Integrations: When integrating other applications with Yammer, admins must ensure they also meet HIPAA requirements to avoid any vulnerabilities. Admins should ensure all apps and integrations are kept up to date with the latest security patches and routinely audit their tech stack for HIPAA compliance.
5 ways to remain HIPAA compliant using Yammer
- Enable Security Features: Utilize Microsoft’s security features such as 2-factor authentication (2FA) or multi-factor authentication (MFA), single sign-on (SSO), and encryption to protect PHI from unauthorized access.
- Train Users: Provide comprehensive training to employees on HIPAA compliance, including proper handling of PHI and the use of Yammer's privacy settings.
- Monitor and Audit: Regularly monitor user activity and conduct audits to ensure compliance, identify any risks, and address any policy violations promptly.
- Implement Access Controls: Set up appropriate role-based access controls (RBAC) and user permissions within Yammer to ensure that only authorized individuals can access PHI.
- Regularly Update Policies: Keep policies and procedures up to date, reflecting changes in regulations and best practices, and communicate these changes effectively to all Yammer users.
What data security measures does Yammer use?
Yammer, as a Microsoft product, benefits from a range of data security measures that protect user data and ensure compliance with various regulations, including HIPAA. Some of the most important for HIPAA compliance include:
- Encryption in transit and at rest, using AES-256 bit key encryption and HTTPS that supports TLS 1.2.
- Microsoft Azure Active Directory (Azure AD) integration that enables multi-factor authentication (MFA) and single sign-on (SSO).
- Industry-standard compliance certification, including as ISO 27001 and SOC 2 Type II.
- Data loss prevention (DLP) and eDiscovery controls through E3 or E5 enterprise suites.
- APIs that enable third-party security integrations with features such as access logs and compliance monitoring.
How administrators can enforce HIPAA compliance in Yammer
Although these features provide many controls that can support HIPAA compliance, it’s important that admins are proactive about configuring the right settings and regularly reviewing user activity within Yammer. Administrators should also collaborate with IT and compliance teams to stay informed about any updates or changes to HIPAA regulations.
How Aware supports HIPAA compliance in Yammer
Aware AI employee listening platform connects seamlessly to provide comprehensive, real-time compliance management that supports HIPAA compliance within Yammer. Smart automations use regular expressions (regex) and keyword detection to flag unauthorized information sharing 24/7 for faster mitigation and reduced risk exposure.
In addition, Aware provides covered entities with comprehensive DLP and eDiscovery controls that enhance internal investigations and early case analysis, while granular retention and governance controls limit the volume of HIPAA-covered data within Yammer workplace environments. Detailed activity logs and RBAC ensure that every action taken within Aware is documented for defensible records keeping.
Using Aware, healthcare providers and their business partners can proactively enforce acceptable use policies, detect noncompliance as it happens, and coach employees in real time to improve business outcomes.
Final thoughts
While Yammer can be configured to meet HIPAA requirements, healthcare organizations must take proactive steps to ensure HIPAA compliance. By understanding the risks associated with using Yammer, implementing appropriate security measures, and deploying AI-powered compliance management solutions from Aware, healthcare providers can safely leverage Yammer's collaboration capabilities while protecting patient privacy and complying with HIPAA regulations.
Learn more about how Aware enforces compliance within Yammer and protects your entire digital workplace.