The University of Michigan Health System (UMHS) maintains an “on-premise” Microsoft Exchange/Outlook email and calendar service. This HIPAA-compliant service is primarily for UMHS users.
UMHS Exchange is a U-M service maintained on the Ann Arbor campus. It may be used to maintain or share most types of university sensitive data, as well as many types of sensitive regulated data, including Protected Health Information (PHI) regulated by HIPAA.
Use of this service with PHI (regulated by HIPAA) is mainly for the purpose of sharing that data with another UMHS user. If PHI or other sensitive data must be sent outside the service for business purposes, it must be encrypted. See About Encrypted Email Messages from UMHS (med.umich.edu). Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in UMHS Exchange are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
Social Security numbers should generally not be sent through email. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. IIA can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IIA via the ITS Service Center.)
UMHS Exchange may not be used for Export Controlled Research (protected by ITAR or EAR). This is because UMHS has not gone through the necessary compliance steps.
UMHS Exchange may not be used for data regulated by the Federal Information Security Management Act (FISMA). This is because UMHS Exchange does not have documentation or certification that demonstrates FISMA compliance. Note that this means you cannot use UMHS Exchange with PHI regulated by FISMA, that is, PHI received from or owned by the federal government, such as Centers for Medicare & Medicaid Services (CMS) and Veterans Affairs (VA) data.