Use Microsoft Teams to host meetings that contain protected health information (PHI)
On this page:
Overview
This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.
Indiana University and Microsoft have a signed Business Associates Agreement (BAA) to facilitate private, secure online collaborations for research, teaching, or administration involving the transmission of protected health information (PHI).
Following are some examples of virtual collaborations that involve PHI and should be conducted using a Microsoft at IU Secure Storage account:
- Distributed research team working sessions with patient data
- Clinical researchers interviewing participants or participant teams as part of research projects
- Distributed administrative or technical teams working directly with patient data
- Clinical faculty and healthcare providers conducting telehealth services for students and patients in an IU clinical care area
Request a Microsoft Team for use with PHI
Before deciding to host a meeting via a secure Team, be aware of the following:
- Individuals must schedule each meeting in the secure Team if the meeting will contain PHI data. As long as the meeting was created via the secure Team, the meeting has appropriate safeguards in place for PHI-related data.
- Participants can be members of multiple secure Teams and create multiple meetings inside of each secure Team they are a member of.
- Personal vs. department secure Team: Once your secure Team is created, any member of the Team can use the Team to host meetings that may contain PHI. When creating your Team, it is important to keep this in mind. Naming your Team for personal use vs. naming it for use by an entire department likely facilitates a different naming convention for each.
- Meeting recordings containing PHI must be stored within your secure Microsoft Teams channels.
Important:
At Indiana University, never store files containing sensitive institutional data, especially protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the files are properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has given prior written approval. Because PHI must remain encrypted at rest, make sure you are using full-disk encryption on any device that has research data containing PHI on it. If you are not sure, ask your department or school local UITS support person for help.
- Breakout rooms are available in a secure Team; you can enable them in your Microsoft Teams settings and use them normally.
Schedule a meeting in a secure Team
When scheduling a meeting in your secure Team, be sure to include a channel from your secure Team in the meeting invite. Follow the instructions to "Make it a channel meeting", or create the meeting directly inside the secure Team channel by selecting via the button inside the channel.
Additionally, if participants need to start a meeting immediately, they can select the dropdown option to inside the secure Team channel button.
For full instructions, see Microsoft Teams at IU.
This is document bgrq in the Knowledge Base.
Last modified on 2023-08-08 10:57:46.