Lately we've been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Yammer, which was bought by Microsoft in 2012, is a popular enterprise social networking service used for private communication within organizations. UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Box
- Citrix ShareFile
- DocuSign
- Dropbox
- FaceTime
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Slides
- Google Voice
- GoToMeeting
- Heroku
- Intercom
- Microsoft 365
- OneDrive
- Return Path
- SharePoint
- Slack
- Sonic
- WordPress
- Zoho
- Zoom
The purpose of this post is to determine if Yammer offers HIPAA compliance or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Yammer
Yammer is a freemium enterprise social networking service used for private communication within organizations. A user's domain name determines access to a Yammer network so that only individuals with approved email addresses may join their respective networks. The service began as an internal communication system for the genealogy website Geni.com and was launched as an independent product in 2008. Microsoft later acquired Yammer in 2012 for a whopping $1.2 billion.
Yammer and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. HIPAA compliance requires this by law. Since Yammer is now part of Microsoft 365, we checked Microsoft's site and found a blog post titled "Yammer bolsters security and compliance with new auditing and reporting capabilities". Written on 13 October 2016, Microsoft's blog post points out: "As part of the Microsoft 365 Trust Center, Yammer complies with international and regional standards such as the Microsoft 365 Data Processing Agreement with European Union Model Clauses (DPA with EUMC), Health Insurance Portability and Accountability Microsoft 365 Business Associate Agreement (HIPAA BAA), ISO 27001, ISO 27018, Section 508 for web accessibility, and SSAE 16 SOC 2 report."
Does Yammer Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. Since Microsoft offers one for use with Yammer, we conclude it can be a HIPAA compliant service.
Conclusion: Yammer is covered within Microsoft's Business Associate Agreement. Make sure you sign a BAA with Microsoft before using Yammer in a HIPAA environment.