Article Description

This article describes the following:

• Your responsibilities for Virginia Tech’s Microsoft 365 (M365) and Google Workspace for Education (Google Workspace) environments when using them for Electronic Protected Health Information (ePHI)
• Your responsibilities regarding the confidentiality, integrity, and availability of ePHI in these environments
• Your part of shared governance for ePHI, M365, Google Workspace, and the Health Insurance Portability and Accountability Act (HIPAA)

---

Virginia Tech’s M365 and Google Workspace environments are approved for use with ePHI; however, before you begin to use them to store this type of data, you must meet the following obligations outlined in the shared governance information below.

Your Obligations

Understand your obligation to keep ePHI confidential1 and to protect the privacy of the patients that it represents Have approval to create, receive, maintain, or transmit the ePHI from Scholarly Integrity and Research Compliance (SIRC, https://www.research.vt.edu/sirc.html) and the Office of Sponsored Programs (OSP, https://osp.vt.edu) Limit access to the data ONLY to those who are approved by SIRC or OSP Have completed a Privacy and Research Data Protections Consult (PRDP, https://internal.research.vt.edu/form/prdp-consultation-request-form) and the required training Report any unusual, suspect, or intentionally malicious activity regarding the environment immediately upon discovery to the Information Technology Security Office (ITSO, https://security.vt.edu) Be compliant with state and federal regulations regarding the use of ePHI (https://www.hhs.gov/hipaa/for-professionals/index.html, https://law.lis.virginia.gov/vacodepopularnames/personal-information-privacy-act/) Be compliant with all relevant university policies and procedures (https://policies.vt.edu)

Microsoft's Obligations

Microsoft's obligations are outlined in the Business Associate Agreement (BAA) with Virginia Tech (https://wwlpdocumentsearch.blob.core.windows.net/prodv2/HIPAABusinessAssociateAgr(WW)(ENG)(June2019)(CR).docx?sv=2020-08-04&se=2021-10-08T20:09:44Z&sr=b&sp=r&sig=HXa%2FgaRKPvI8CJZ9nOn9PS42nN7HXHNkT4vBiK0tZok%3D)

Google's Obligations

Google's obligations are outlined in the Business Associate Agreement (BAA) with Virginia Tech (https://gsuite.google.com/terms/2015/1/hipaa_baa.html)

Collaborative Computing Solutions' (CCS) Obligations

Licensing, secure authentication, and support of Virginia Tech's M365 and Google Workspace Services

¹ Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes (HIPAA, Section 164.304)

Additional information regarding the use of ePHI at Virginia Tech can be found at:

• SIRC
• Privacy and Research Data Protections Consult form
• OSP
• HIPAA for Professionals
• BAA
• Personal Information Privacy Act
• VT Policies
• ITSO
• Microsoft Trust Center
• Human Research Protection Program
• HIPAA Compliance with Google Workspace and Cloud Identity
• HIPAA Compliance and Google Cloud

Note:

Please be aware that although Virginia Tech’s M365 and Google Workspace environments are compliant, that does not mean that 3^rd party integrations, such as YouTube  and YouTube within Teams, are compliant. If you have any questions about a 3^rd party integration, please contact SIRC for more information.

It is the intent of Virginia Tech to maintain an environment in a way that promotes ethical, compliant, legal, and responsible conduct in all activities by users regarding ePHI. Any items within this article do not supersede, negate, or undermine any policies, rules, or obligations set forth by state/federal regulations or Virginia Tech.