Skip to content

UTHSC Guidance on Storing Sensitive/Protected Data in UT’s Microsoft 365 for Education

The University of Tennessee provides faculty, staff, and students with a suite of Microsoft 365 for Education online services to support the educational, research, clinical, and public service mission of the University. These services include OneDrive for Business and SharePoint Online through a contract with Microsoft that includes a Business Associate Amendment (BAA). For clarification, Microsoft 365 refers to Microsoft 365 for Education as licensed to the University of Tennessee, and includes OneDrive for Business and SharePoint Online.

The Microsoft 365 service listed above is an approved service by the University of Tennessee and can be used to host institution data. UTHSC will only sanction the storage of FERPA-protected information, Protected Health Information (PHI), or other materials and information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the Microsoft 365 environment if the account(s) storing and accessing the information are enabled with two-factor authentication (DUO).

In addition to adhering to this policy and to UT's Acceptable Use of Information Technology Resources policy, users are responsible for frequently reviewing the Microsoft 365 Privacy Notice and Acceptable Use Policy that can be accessed from the Help menu to ensure ability and willingness to comply with all applicable terms. The University of Tennessee is not responsible for user compliance with these terms. Note that Microsoft 365 is not a Covered Program per UT Safety Policy SA0575 - Programs for Minors.​

For information on support for these Microsoft products, start with the Business Productivity Solutions webpage

If you have a need to store sensitive/protected data or want more information, please contact Cybersecurity at itsecurity@uthsc.edu or 901.448.1880.

Last Published: Jul 28, 2021