Microsoft 365, Google Workspace, and Electronic Protected Health Information Shared Governance

Article Description

This article describes the following:

Virginia Tech’s M365 and Google Workspace environments are approved for use with ePHI; however, before you begin to use them to store this type of data, you must meet the following obligations outlined in the shared governance information below.

Your Obligations
Microsoft's Obligations
Google's Obligations
Collaborative Computing Solutions' (CCS) Obligations
  • Licensing, secure authentication, and support of Virginia Tech's M365 and Google Workspace Services

1 Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes (HIPAA, Section 164.304)

Additional information regarding the use of ePHI at Virginia Tech can be found at:


Please be aware that although Virginia Tech’s M365 and Google Workspace environments are compliant, that does not mean that 3rd party integrations, such as YouTube  and YouTube within Teams, are compliant. If you have any questions about a 3rd party integration, please contact SIRC for more information.

It is the intent of Virginia Tech to maintain an environment in a way that promotes ethical, compliant, legal, and responsible conduct in all activities by users regarding ePHI. Any items within this article do not supersede, negate, or undermine any policies, rules, or obligations set forth by state/federal regulations or Virginia Tech.