Use Microsoft Teams to host meetings that contain protected health information (PHI)

• Overview
• Request a Microsoft Team for use with PHI
• Schedule a meeting in a secure Team

Overview

Indiana University and Microsoft have a signed Business Associates Agreement (BAA) to facilitate private, secure online collaborations for research, teaching, or administration involving the transmission of protected health information (PHI).

Following are some examples of virtual collaborations that involve PHI and should be conducted using a Microsoft at IU Secure Storage account:

1. Distributed research team working sessions with patient data
2. Clinical researchers interviewing participants or participant teams as part of research projects
3. Distributed administrative or technical teams working directly with patient data
4. Clinical faculty and healthcare providers conducting telehealth services for students and patients in an IU clinical care area

Request a Microsoft Team for use with PHI

Before deciding to host a meeting via a secure Team, be aware of the following:

• Individuals must schedule each meeting in the secure Team if the meeting will contain PHI data. As long as the meeting was created via the secure Team, the meeting has appropriate safeguards in place for PHI-related data.
• Participants can be members of multiple secure Teams and create multiple meetings inside of each secure Team they are a member of.
• Personal vs. department secure Team: Once your secure Team is created, any member of the Team can use the Team to host meetings that may contain PHI. When creating your Team, it is important to keep this in mind. Naming your Team for personal use vs. naming it for use by an entire department likely facilitates a different naming convention for each.
• Meeting recordings containing PHI must be stored within your secure Microsoft Teams channels.
  Important:

  At Indiana University, never store files containing sensitive institutional data, especially protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the files are properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has given prior written approval. Because PHI must remain encrypted at rest, make sure you are using full-disk encryption on any device that has research data containing PHI on it. If you are not sure, ask your department or school IT Pro for help.
• Breakout rooms are available in a secure Team; you can enable them in your Microsoft Teams settings and use them normally.

Schedule a meeting in a secure Team

When scheduling a meeting in your secure Team, be sure to include a channel from your secure Team in the meeting invite. Follow the instructions to "Make it a channel meeting", or create the meeting directly inside the secure Team channel by selecting Schedule a meeting via the Meet button inside the channel.

Additionally, if participants need to start a meeting immediately, they can select the dropdown option to Meet Now inside the secure Team channel Meet button.

For full instructions, see Microsoft Teams at IU.