Service Description
Michigan Medicine maintains an “on-premise” Microsoft Exchange/Outlook email and calendar service. This HIPAA-compliant service is primarily for Michigan Medicine users.
Compliance
Michigan Medicine Exchange is a U-M service maintained on the Ann Arbor campus. It may be used to maintain or share most types of university sensitive data, as well as many types of sensitive regulated data, including Protected Health Information (PHI) regulated by HIPAA.
Use of this service with PHI (regulated by HIPAA) is mainly for the purpose of sharing that data with another Michigan Medicine user. If it is necessary for business purposes for PHI or other sensitive data to be sent outside the service, it must be encrypted. See About Encrypted Email Messages from med.umich.edu (Michigan Medicine login required). Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in Michigan Medicine Exchange are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
Social Security numbers should generally not be sent through email. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Note that you cannot use Michigan Medicine Exchange with PHI regulated by FISMA, that is, PHI received or owned by the federal government, such as Centers for Medicare & Medicaid Services (CMS) and Veterans Affairs (VA) data.