Adler University and Microsoft have a signed Business Associates Agreement (BAA) to facilitate private, secure online collaborations for research, teaching, or administration involving the transmission of protected health information (PHI).
Microsoft 365 and the Teams service meet certain requirements established in the HIPAA Security Rule, the PIPEDA Fair Information Principles, and other state and provincial regulations that necessitate strict standards to secure protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contains PHI. You may use this system or service for work involving data that contains PHI only when providing direct service to patients through ACHS and in other limited circumstances. You must also institute additional administrative, physical, and technical safeguards that complement those IT already has in place.
Below are some examples of virtual collaborations that involve PHI and may be conducted using Microsoft Teams:
- ACHS interns and externs providing direct patient care services
- Distributed research team working sessions with patient data
- Clinical researchers interviewing participants or participant teams as part of research projects
- Distributed administrative or technical teams working directly with patient data
Never store files containing sensitive institutional data, especially protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the files are properly encrypted on the device. If you are not sure, ask your department chair or IT for help.
What computer should I use? Can I use my personal computer or mobile device?
When working with PHI data, we require that you use a properly managed and encrypted university-owned computer. This ensures that the IT department can verify security checks and computer updates for compliance needs. You should, under no circumstances, use your personal devices for interacting with PHI-related data.
How do I make sure my home network connection is safe while working with PHI data?
Make sure your home WiFi is secured. Ensure that your wireless network requires a password for access and that this password is a unique, complex one rather than the default password for your wireless network. Please contact your internet service provider or router manufacturer for guidance on changing your wireless password, if needed.
Do not access PHI data in public locations or via any public networks (e.g. Starbucks). Unsecured public WiFi does not meet Adler University's expectations for privacy and security as it relates to interacting with PHI remotely.
How do I store PHI data securely for access later?
Use Microsoft Teams and Microsoft OneDrive for PHI data storage. As mentioned above, Microsoft Teams is fully HIPAA compliant and is a safe way to store, access, and transfer PHI data. Please note that we recommend accessing PHI data from these sources on university-owned devices only.
Can I store PHI on removable media?
Use of removable media to store PHI data is prohibited. Please do not save any PHI data to a USB flash drive, an external hard drive, or any similar storage device. If you need assistance with transferring PHI please contact IT.
What if I want to store PHI on my personal Google or iCloud?
Do not store PHI data in personal Google Drive, iCloud, or any similar cloud storage solution other than the Microsoft cloud storage associated with Adler University. All Adler University PHI must be stored on Adler University-approved storage.
How do I set up a secure video conference to talk with a client or discuss PHI data with colleagues at the University?
We strongly recommend Microsoft Teams as your PHI- and HIPAA-compliant video conferencing solution. If you have an Office 365 / Exchange email account with Adler University, then you have the ability to schedule meetings in Microsoft Teams. This will allow you to schedule meetings ahead of time with your clients or colleagues.
- Schedule a secure meeting. We recommend only using the client's initials to identify them in the title of the meeting invite.
- Join a secure meeting. Be sure to review your meeting settings to tailor them to your needs.
Can I record my Teams meeting?
Teams meetings can be recorded via the settings once a meeting starts – there’s a “Start Recording” option you need to click. It’s important to note that recording a session should only be done with the consent of all parties involved. Please follow the appropriate guidelines for recording consent for your department. Recordings are automatically stored in the meeting host's OneDrive > Recordings folder and are fully compliant as long as they stay within Microsoft 365. Do not download or redistribute recordings outside of Microsoft 365. Meeting recordings are only visible to the meeting organizer and internal attendees. Meeting guests, such as clients, who are external to Adler are not able to access meeting recordings.
How can I send a secure email message to a client with my Adler University email account?
You are required to encrypt any email containing PHI data that you send with your Adler University email account. Learn how to send encrypted emails in Outlook.