Conditions
You are about to access a computer system maintained or made available by Emory University and/or Emory Healthcare that is intended for authorized users only. Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution. By proceeding, your use of this system constitutes your acceptance of Emory’s IT Conditions of Use and other applicable policies and your consent to monitoring, retrieval, and disclosure of any information within this system for any purpose deemed appropriate by Emory University or Emory Healthcare, including law enforcement purposes and enforcement of rules concerning unacceptable uses of this system.
General Requirements
- I agree that my use of Office365 services for Emory must be conducted in a manner that complies with all applicable laws, regulations, and Emory policies, procedures, and agreements. These include, but are not limited to, the following:
- OneDrive for Emory Rules of Behavior
- Emory HIPAA Security and HIPAA Privacy Policies
- Emory IT Conditions of Use Policy
- Emory Smart Device Security Policy
- Emory Disk Encryption Policy
- Emory University Code of Conduct
- EHC Confidentiality Statement
- HIPAA Security and Privacy Rules (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- I agree that I may be sanctioned and/or disciplined, up to and including termination, for noncompliance with or violations of applicable laws, regulations, or Emory policies and procedures.
- I agree that any client system or device (system) used to access Office365 services for Emory, including personally owned systems, must have appropriate security safeguards in place to protect the system from compromise or misuse. These include but are not limited to the following:
- The system and all applications on the system must be kept up-to-date with the most recent security updates and patches. This includes firmware updates for smart devices.
- The system must have anti-virus software installed, and the software and virus signature files must be kept up-to-date. [1]
- The system must be protected by personal firewall software at all times, and the firewall must be configured to block all unsolicited inbound connections. [1]
- I agree that I have been instructed on the proper selection, use, and protection of passwords, including but not limited to the following:
- My obligation to select a strong password
- Prohibitions against sharing my password or using the passwords of others
- Prohibitions against writing down passwords, or otherwise storing passwords in an insecure manner
- My obligation to report to Emory Information Security staff any suspected compromise or any use of my user identifier and password by other individuals
- I agree to promptly log and report any incidents of noncompliance with or violations of applicable laws, regulations, or Emory policies and procedures, as enumerated in #1 above, to Emory management, Emory’s Chief Information Security Officer, and the Emory University and/or Emory Healthcare Privacy Officers.
- I agree to cooperate fully with any authorized internal Emory investigations (e.g. security incident investigations, data breach investigations, fraud investigations, etc.) and routine auditing/monitoring activities. I acknowledge that this may require me to produce any Emory or personal systems, devices, or media to authorized Emory staff for examination and/or analysis required by the investigation.
- I agree that the term “sensitive Emory data” as used throughout this document refers to any Emory data that would be classified as “confidential” or “restricted” according to the data classification definitions documented in Emory’s Disk Encryption Policy.
Requirements for OneDrive for Business
- I agree that my OneDrive for Emory enterprise account is the only OneDrive account I am authorized to use for storing sensitive Emory data, and that my use of any other OneDrive accounts (e.g., the consumer version) for storing sensitive Emory data is prohibited.
- I agree that I am prohibited from using any similar Internet-based file sharing systems (such as Dropbox, Google Docs, etc.) for storing sensitive Emory data, unless the system has been formally approved by Library and Information Technologies executive leadership.
- I agree that I am prohibited from storing in OneDrive for Emory any data subject to the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA).
- I agree that OneDrive must not be utilized as an official medical record.
- I agree that I am prohibited from downloading or syncing sensitive Emory data (including electronic Protected Health Information) stored in OneDrive to non-Emory systems or devices.
- I agree that any system I use to sync files with OneDrive must have reasonable and appropriate safeguards in place to protect sensitive Emory data residing on the device. These include but are not limited to the following:
- Systems used to store sensitive Emory data must not be shared with other users, unless appropriate access and audit controls are in place to ensure that sensitive data cannot be accessed inappropriately.
- Smart devices storing sensitive Emory data must maintain full compliance with Emory’s Smart Device Security Policy by implementing the following security safeguards:
- A non-trivial PIN of 4 or more digits
- A 15-minute inactivity timeout
- Data storage encryption
- Automatic data wiping after 10 consecutive failed login attempts
- Ability to remotely wipe the device
- Users are prohibited from modifying or disabling security safeguards (including jailbreaking)
- Systems must utilize encryption to protect sensitive Emory data as required by Emory’s Disk Encryption Policy.
- I agree that upon my separation, termination, or non-affiliation with Emory, I must delete any and all sensitive Emory data stored on any personal systems and/or media devices or otherwise in my possession, and will provide written confirmation upon request.
- I agree that the collaborative sharing functions within OneDrive require that I take additional precautions to adequately protect sensitive Emory data shared with others via these mechanisms. Additional required safeguards include but are not limited to the following:
- Sensitive Emory data may only be shared with authorized individuals via uniquely identifiable OneDrive accounts that are associated with an official Emory email address or an official institutional email address at their current place of employment or affiliation. Sharing sensitive Emory information with individuals via OneDrive accounts associated with personal email accounts is prohibited. For example, sharing sensitive Emory information with john.doe@emory.edu, john.doe@emoryhealthcare.org, or john.doe@employer.com would be acceptable, while sharing information with john.doe@gmail.com or john.doe@yahoo.com would not be acceptable.
- Sharing sensitive Emory data with group, departmental, or other shared accounts not associated with a single unique individual is prohibited. For example, sharing sensitive Emory information with a OneDrive account associated with the email address dept@emory.edu, dept@emoryhealthcare.org, or dept@company.com would not be acceptable.
- Sensitive Emory data may only be shared with individuals via uniquely identifiable OneDrive accounts that have been confirmed as being associated with the intended individuals.
- It is the responsibility of the individual sharing sensitive Emory data to maintain awareness of all individuals with whom sensitive Emory data has been shared and to review and modify as appropriate the permissions granted to these individuals, at periodic intervals no less frequent than every 6 months.
- Sensitive Emory data, including ePHI, proprietary research information, data, and other organizational information, may only be shared for research purposes with individuals who are covered by an appropriate research authorization or an IRB waiver of authorization for the research being conducted.
- Sensitive Emory data, including ePHI, proprietary research information, data, and other organizational information, may only be shared with external parties after coordinating with the appropriate Emory authorizing authority to ensure that the appropriate Data Transfer and other agreements are in place (e.g., Data Use Agreements, IRB waivers, patient HIPAA Authorizations, etc.) between Emory and the external party. Instructions regarding the required Data Transfer Agreements can be found at the following locations:
Note: OneDrive for Emory must not be utilized for release of information to outside parties for the purpose of medical record access to third parties pursuant to a record release request.
- I agree that I have taken/retaken all appropriate HIPAA security and privacy training modules within the last 12 months.
[1] This requirement does not apply to smart devices such as iPhones, iPads, and tablets running operating systems other than Windows and OS X.
Note: The OneDrive Rules of Behavior may change at any time as needs evolve.
Requirements for Skype for Business
- Recordings of Skype for Business sessions that include sensitive data, such as ePHI, must be stored in locations approved for such data (e.g. OneDrive, Emory Box, Trusted Storage).
- Chat sessions or audio/video sessions that contain ePHI must be conducted only with other Skype for Business users. You are prohibited from including consumer Skype users.
Note: The Skype for Business Rules of Behavior may change at any time as needs evolve.