NIU uses Microsoft Office 365 as its official form of email communication. It was selected, in part, because it is suitable and approved for transmitting and storing confidential information. Office 365 is the only email system on campus that is so approved.
Office 365 Secure Email uses email-specific message protections that include encryption and restricted permissions on copying, printing and/or forwarding the data from the email. You must select these protections when sending restricted information via email to external recipients or when you want to add additional protection to internal NIU email. To learn how to use email encryption, see the “How to” and “Secure Email FAQ” links in the sidebar.
Office 365 can be trusted to reliably store and transmit NIU’s confidential data for three primary reasons:
Office 365 uses multiple levels of encryption that all work together to keep our data protected.
Members of the campus community often ask whether Office 365 email is safe to use when transmitting healthcare information or other types of confidential information to people outside of NIU. The HIPAA Privacy Rule expressly allows healthcare providers to communicate electronically with their patients provided that they apply reasonable safeguards when doing so. DoIT has approved Office 365 email for this type of use under the following simple guidelines:
If the recipient is simply an individual person, such as a student receiving their own healthcare records at their private Gmail address, the recipient should give consent for the transmission of their data to a private account.
If the recipient is an outside agency, such as SURS or a local healthcare provider, the university must do a vendor evaluation to assess the readiness and capability of that agency to handle NIU’s data. This is the same degree of care we provide when selecting vendors for outsourced IT systems. Details of this process can be discussed with DoIT's information security team by emailing infosecurity@niu.edu.
Using email encryption alone is not enough to make the transfer of confidential information safe. Sending encrypted data to a person who is not authorized to see that data becomes a data breach under the law when that information is decrypted and viewed. Sending encrypted data to an agency that does not affirmatively accept or cannot adequately protect NIU’s data is not an approved practice.
Email is preferred over fax as a more secure option for the transmission of confidential information. It is more traceable, easier to protect, and less likely to be seen than faxes or paper that sit on desks and in outboxes.