Michigan Medicine maintains an “on-premise” Microsoft Exchange/Outlook email and calendar service. This HIPAA-compliant service is primarily for Michigan Medicine users.
Michigan Medicine Exchange is a U-M service maintained on the Ann Arbor campus. It may be used to maintain or share most types of university sensitive data, as well as many types of sensitive regulated data, including Protected Health Information (PHI) regulated by HIPAA.
Use of this service with PHI (regulated by HIPAA) is mainly for the purpose of sharing that data with another Michigan Medicine user. If it is necessary for business purposes for PHI or other sensitive data to be sent outside the service, it must be encrypted. See About Encrypted Email Messages from med.umich.edu (Michigan Medicine login required).
Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in Michigan Medicine Exchange are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
Social Security numbers should generally not be sent through email. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Michigan Medicine Exchange may not be used for Export Controlled Research (protected by ITAR or EAR). This is because Michigan Medicine has not gone through the necessary compliance steps.
Michigan Medicine Exchange may not be used for data regulated by the Federal Information Security Management Act (FISMA). This is because Michigan Medicine Exchange does not have documentation or certification that demonstrates FISMA compliance. Note that this means you cannot use Michigan Medicine Exchange with PHI regulated by FISMA, that is, PHI received or owned by the federal government, such as the Centers for Medicare & Medicaid Services (CMS) and Veterans Affairs (VA) data.