Microsoft 365 (M365) at Michigan Medicine

Service Description 

Michigan Medicine’s Microsoft 365 (M365) is a cloud-based collaboration and file-storage service that provides a selection of productivity and collaboration tools to Michigan Medicine faculty, staff, students, and sponsored affiliates with regular (not temporary) uniqnames. You can use M365 to create, edit, share, and collaborate on cloud-based content. Michigan Medicine’s M365 contains multiple tools including SharePoint Online, Office 365, Exchange/Outlook Email and Calendar, Teams, Forms, Power Automate, Planner, and others.

Compliance 

Michigan Medicine’s M365 provides a secure environment to maintain or share data, including some types of sensitive regulated data classified as High. Data classified as Restricted may not be maintained or shared in Microsoft 365.
 
Microsoft Exchange/Outlook Email and Calendar service is secure when sending PHI (regulated by HIPAA) to another Michigan Medicine user’s MM Outlook email. If it is necessary for business purposes for PHI or other sensitive data to be sent outside the service, it must be encrypted. See About Encrypted Email Messages from med.umich.edu (Michigan Medicine login required).

  • Social Security numbers should generally not be sent through email. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. Contact IA via the ITS Service Center.
  • Note that you cannot use Michigan Medicine Exchange with PHI regulated by FISMA, that is, PHI received or owned by the federal government, such as the Centers for Medicare & Medicaid Services (CMS) and Veterans Affairs (VA) data.

Microsoft OneDrive allows you to synchronize data in the cloud and on your devices. If you store and synchronize data in locations other than the OneDrive cloud storage, you will also need to follow any sensitive data restrictions for the devices and storage locations to which you synchronize.
 
Michigan Medicine’s agreement with Microsoft includes a Business Associate Agreement (BAA). This means this service is being designed for use with Protected Health Information (PHI) regulated by HIPAA. Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in Michigan Medicine’s M365 are responsible for complying with HIPAA safeguards, including:

  • Use and disclose only the minimum necessary PHI for the intended purpose.
  • Obtain all required authorizations for using and disclosing PHI.
  • Ensure that PHI is seen only by those who are authorized to see it.
  • Follow any additional steps required by your unit to comply with HIPAA.