
Is Yammer HIPAA Compliant?

by Aware

Microsoft Yammer is a valuable internal communication business tool for enhancing collaboration and streamlining teamwork, but highly regulated industries such as healthcare must consider regulatory compliance functionality before rolling out any new tool. This post explores the suitability of Yammer for healthcare, whether Yammer is HIPAA compliant, and how to protect PHI in Yammer.


What is Yammer?

Yammer is a business-grade social network platform owned and distributed by Microsoft as part of the Microsoft 365 suite. Companies rely on Yammer to improve inter-departmental relations, foster a stronger company culture, and accelerate the speed of work across the enterprise. As of February 2023, Yammer is being rebranded as Microsoft Viva Engage.

Microsoft Yammer vs Microsoft Teams

Yammer and Microsoft Teams are both cloud-based collaboration platforms offered by Microsoft. Yammer is an enterprise social networking platform, while Teams is a more focused tool designed for group work. Both Yammer and Teams fill specific needs within an organization's digital workplace and are often used together within a business to solve different needs.


What is HIPAA?

HIPAA is a federal regulation that outlines how covered entities such as healthcare systems, insurers, and individual providers store and transmit protected health information (PHI) or electronic PHI (ePHI). Under HIPAA, covered entities and their business partners must safeguard PHI or face fines up to $50,000 per violation.

How does HIPAA impact digital collaboration tools?

Healthcare companies must consider HIPAA compliance when using collaboration tools as part of their digital workplace. Employees will assume any work-sanctioned platform is safe for all work-related communications unless trained otherwise, so admins must assume that PHI exists within Yammer. That presents potential risk exposure for businesses if they don’t adequately control or safeguard that data.

Best practices for HIPAA compliance

HIPAA compliance best practices infographic

Is Yammer HIPAA compliant?

Yammer can be considered HIPAA compliant because Microsoft covers the app in its Microsoft Office 365 Trust Center, providing users with the cybersecurity and compliance controls they need to meet HIPAA requirements. However, administrators still have the responsibility to ensure they configure and implement those controls correctly and educate employees on how to remain HIPAA compliant while using Yammer.

Does Microsoft sign a Business Associate Agreement (BAA) for HIPAA?

Microsoft does offer a Business Associate Agreement (BAA) for HIPAA compliance. The BAA is a contract that establishes the legal responsibilities between a covered entity (healthcare provider) and a business associate (Microsoft) when PHI is involved. It ensures that Microsoft agrees to handle PHI appropriately and complies with HIPAA regulations.


5 HIPAA risks of using Yammer

  1. Unauthorized Access: The greatest risk to PHI in Yammer is data being accessed by people who are not authorized to do so. This includes employees without the right level of clearance as well as external actors.
  2. Data Breaches: Inadequate safeguards or data encryption can increase the risk of data breaches, leading to the exposure of sensitive patient information. It's important that employees understand the importance of protecting PHI, and administrators should regularly audit for unusual behavior.
  3. Improper Data Handling: Users may inadvertently mishandle or share PHI in ways that violate HIPAA regulations, such as sharing information outside the authorized network. This can be either through malice or simple negligence, which is why employee training on proper infosec procedures is essential.
  4. BYOD: Users can access Yammer on any device, including those outside the organization’s control. It’s up to individual businesses to assess the risk of bring your own device (BYOD) and create policies that outline how employees access Yammer.
  5. Third-Party Integrations: When integrating other applications with Yammer, admins must ensure they also meet HIPAA requirements to avoid any vulnerabilities. Admins should ensure all apps and integrations are kept up to date with the latest security patches and routinely audit their tech stack for HIPAA compliance.

5 ways to remain HIPAA compliant using Yammer

  1. Enable Security Features: Utilize Microsoft’s security features such as 2-factor authentication (2FA) or multi-factor authentication (MFA), single sign-on (SSO), and encryption to protect PHI from unauthorized access.
  2. Train Users: Provide comprehensive training to employees on HIPAA compliance, including proper handling of PHI and the use of Yammer's privacy settings.
  3. Monitor and Audit: Regularly monitor user activity and conduct audits to ensure compliance, identify any risks, and address any policy violations promptly.
  4. Implement Access Controls: Set up appropriate role-based access controls (RBAC) and user permissions within Yammer to ensure that only authorized individuals can access PHI.
  5. Regularly Update Policies: Keep policies and procedures up to date, reflecting changes in regulations and best practices, and communicate these changes effectively to all Yammer users.

What data security measures does Yammer use?

Yammer, as a Microsoft product, benefits from a range of data security measures that protect user data and ensure compliance with various regulations, including HIPAA. Some of the most important for HIPAA compliance include:

  • Encryption in transit and at rest, using AES 256-bit key encryption and HTTPS that supports TLS 1.2.
  • Microsoft Azure Active Directory (Azure AD) integration that enables multi-factor authentication (MFA) and single sign-on (SSO).
  • Industry-standard compliance certification, including ISO 27001 and SOC 2 Type II.
  • Data loss prevention (DLP) and eDiscovery controls through E3 or E5 enterprise suites.
  • APIs that enable third-party security integrations with features such as access logs and compliance monitoring.

How administrators can enforce HIPAA compliance in Yammer

Although these features provide many controls that can support HIPAA compliance, it’s important that admins are proactive about configuring the right settings and regularly reviewing user activity within Yammer. Administrators should also collaborate with IT and compliance teams to stay informed about any updates or changes to HIPAA regulations.


How Aware supports HIPAA compliance in Yammer

Aware's AI employee listening platform connects seamlessly to provide comprehensive, real-time compliance management that supports HIPAA compliance within Yammer. Smart automations use regular expressions (regex) and keyword detection to flag unauthorized information sharing 24/7 for faster mitigation and reduced risk exposure.
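The regex-plus-keyword flagging described above, sketched as an added example (not Aware's or Microsoft's code). The patterns, keyword list, severity labels and sample posts are constructed assumptions; matches are redacted so that alerts do not copy PHI into logs.

```python
import re

# Constructed patterns for illustration; a real policy is tuned per organization.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*([0-9]{6,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)
KEYWORDS = re.compile(r"\b(patient|diagnos\w+|prescri\w+|lab results?|discharge)\b", re.IGNORECASE)

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued as SSNs, to cut false positives."""
    return not (area in ("000", "666") or area >= "900" or group == "00" or serial == "0000")

def redact(value):
    """Keep only the last two characters of a match."""
    return "*" * (len(value) - 2) + value[-2:]

def scan_message(text):
    """Return (rule, redacted_match) findings for one message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", redact(m.group(0))))
    findings += [("mrn", redact(m.group(1))) for m in MRN_RE.finditer(text)]
    findings += [("dob", redact(m.group(1))) for m in DOB_RE.finditer(text)]
    # Keywords alone are noisy; they only raise severity next to an identifier.
    if findings and KEYWORDS.search(text):
        findings.append(("clinical_context", "keyword"))
    return findings

def severity(findings):
    """Map findings to a triage label (hypothetical labels)."""
    rules = {rule for rule, _ in findings}
    if not rules:
        return "none"
    return "high" if "clinical_context" in rules else "review"

# Constructed sample posts, not real data.
SAMPLE_POSTS = [
    "Reminder: town hall is Thursday at 3pm in the main auditorium.",
    "Can someone pull lab results for patient MRN: 00482917, DOB 04/12/1961?",
    "Ticket 123-45-6789 was closed yesterday.",
    "Build 000-12-3456 failed on the staging server.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        result = scan_message(post)
        print(severity(result), result)
```

The third sample shows why pattern-only matches go to human review rather than automatic action: a ticket number can have the shape of an SSN.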

In addition, Aware provides covered entities with comprehensive DLP and eDiscovery controls that enhance internal investigations and early case analysis, while granular retention and governance controls limit the volume of HIPAA-covered data within Yammer workplace environments. Detailed activity logs and RBAC ensure that every action taken within Aware is documented for defensible record keeping.

Using Aware, healthcare providers and their business partners can proactively enforce acceptable use policies, detect noncompliance as it happens, and coach employees in real time to improve business outcomes.

Final thoughts

While Yammer can be configured to meet HIPAA requirements, healthcare organizations must take proactive steps to ensure HIPAA compliance. By understanding the risks associated with using Yammer, implementing appropriate security measures, and deploying AI-powered compliance management solutions from Aware, healthcare providers can safely leverage Yammer's collaboration capabilities while protecting patient privacy and complying with HIPAA regulations.

Learn more about how Aware enforces compliance within Yammer and protects your entire digital workplace.
