Using Highly Confidential Data with AI Best Practices
Apr 24, 2025
Microsoft 365 Copilot, Copilot Chat and Zoom AI are approved for use with highly confidential university data. These technologies, and the contracts the university has with them, are designed to protect the data we enter into the system, unlike other AI applications that retain the data to train their programs, which violates HIPAA and other IT security regulations.
While Microsoft 365 Copilot, Copilot Chat and Zoom AI are approved for this use, it is equally important that users and meeting participants follow additional privacy and security best practices when using these applications. Any information that is shared with others during the technology session, as well as through transcripts, notes, or other documentation, must be protected.
Zoom AI best practices:
- Check for unauthorized "meeting participants" that appear as AI meeting transcription software such as Otter.ai, Claude.ai, or Fireflies.ai. These software applications are not authorized for use at the university, nor for transcribing or recording meetings.
- Remove the unauthorized software from the meeting or ask the attendee that enabled the software to remove it from the meeting.
- At the beginning of the meeting, inform all meeting participants that the meeting is being transcribed/recorded.
- Ask participants if they have any objections to the transcription or recording of the meeting.
- Give participants the option to opt in or opt out of participating in a meeting where Zoom AI will be used.
- At the beginning of the meeting, remind everyone that the information used, discussed or shared in the meeting must be protected and shared only with those who are authorized to access the data.
- Ensure that Zoom meeting participants are authorized to view/use HIPAA information and have completed HIPAA privacy training.
- Ensure that ePHI, PII or other protected data included in transcriptions, recordings or documents have the same protection and safeguards as other highly confidential assets.
- Consider pausing transcription or recording if electronic protected health information (ePHI), personally identifiable information (PII) or other protected information is discussed.
- This will help protect the data from being inadvertently recorded and potentially shared with individuals who should not have access to it.
- If ePHI or PII is shared in the meeting while it is recorded or transcribed, ensure that transcripts/recordings/documents are marked "highly confidential" and "do not share, copy, or distribute to others."
- Ensure that it is not shared with others who are not authorized to read this data.
- Review the meeting transcription and recording to ensure that the content is accurate before disseminating.
- AI is flawed and it does make mistakes.
- Ensure that transcripts and recordings that contain ePHI or PII are properly secured in accordance with HIPAA policies (e.g., where data are stored, etc.). See sections 7 and 9 for the technology requirements.
Microsoft Copilot Chat best practices:
- Before you type anything into Copilot Chat, make sure that you are signed in to your university account.
- In Copilot Chat, you will see the "protected shield" messaging at the top of the webpage next to the "New Chat" button. Once you see this, you can use it with university data.
- Close the browser after you are done using Copilot Chat.
- If you forget to close the browser or click “New Chat” and walk away from your computer, make sure you lock your computer before stepping away.
- This will ensure no one gains access to the data stored on the computer or in the browser.
Microsoft 365 Copilot best practices:
- Ensure you are logged in with your university account.
- Verify and fact-check all the information Microsoft 365 Copilot provides you, whether it be an email, an essay, a spreadsheet of data or a presentation. AI is flawed; therefore, you need to do your due diligence and verify.
- Give credit where credit is due. Microsoft 365 Copilot pulls data from sources to spit out information. If you create something with Microsoft 365 Copilot, ensure you inform your audience. If you do not cite Microsoft 365 Copilot, that could be considered plagiarism.
- Microsoft 365 Copilot is a licensed application available for a yearly subscription. Visit our website to learn about purchasing options.
To learn more about using both of these technologies securely, visit our webpages for Securely Using Microsoft Copilot AI and Securely Using Zoom AI. Keeping the university’s data and assets secure is everyone’s responsibility. Thank you for using these best practices to maintain adherence to important information security protocols.