The University of Tennessee, on behalf of its Knoxville campus, provides faculty, staff, and students with a suite of Microsoft 365 for Education online services to support the educational, research, and public service missions of the University. These services include OneDrive for Business through a contract with Microsoft that includes a Business Associate Amendment (BAA). For purposes of this usage policy, OneDrive refers to OneDrive for Business as licensed to the University of Tennessee.
The Microsoft 365 service listed above is an approved service by the University of Tennessee and can be used to host institution data, including FERPA-protected information as well as Protected Health Information (PHI) or other materials and information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
As Business Associates defined by HIPAA, Microsoft & UT are required to comply with additional obligations under the Privacy Rule, Breach Notification Rule, and Security Rule that relate to Use, access, and Disclosure of PHI. Microsoft will use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information. Additionally, Microsoft will use reasonable and appropriate safeguards to protect Personally Identifiable Information (PII).
UT users must implement privacy and security safeguards for data stored in Microsoft online services such as OneDrive. HIPAA, PHI and PII can be stored in OneDrive if they’re encrypted in transit and at rest. OIT recommends encryption of any sensitive data. Please contact your security liaison or college/department IT representative for more information.
In addition to adhering to UT’s Acceptable Use of Information Technology Resources policy (https://oit.utk.edu/aup), users are responsible for frequently reviewing the Microsoft 365 Privacy Notice and Acceptable Use Policy that can be accessed from the Help menu to ensure ability and willingness to comply with all applicable terms. The University of Tennessee is not responsible for user compliance with these terms.
Note that Microsoft 365 is not a Covered Program per UT Safety Policy SA0575 – Programs for Minors (http://policy.tennessee.edu/safety_policy/sa0575/).