O365 Email and File Security

December 2017

NIU uses Microsoft Office 365 as its official form of email communication.  It was selected, in part, because it is suitable and approved for transmitting and storing confidential information.  Office 365 is the only email system on campus that is so approved.

Office 365 can be trusted to reliably store and transmit NIU’s confidential data for three primary reasons:

  1. it has been validated technically against the provisions and requirements of the body of regulations with which NIU must comply;
  2. the vendor has been assessed to verify its compliance with the same set of regulations and security controls; and 
  3. NIU has appropriate legal protections in place with Microsoft above and beyond our standard contract that protect NIU in the event of a breach of our data.

Members of the campus community often ask whether Office 365 email is safe to use when transmitting healthcare information or other types of confidential information to people outside of NIU.  The HIPAA Privacy Rule expressly allows healthcare providers to communicate electronically with their patients provided that they apply reasonable safeguards when doing so. DoIT has approved Office 365 email for this type of use under the following simple guidelines:

  1. As with any type of data, transmitted electronically or via fax or paper, the recipient must be authorized to receive and view the data. 
  2. The recipients must be evaluated to determine that they can handle and store our data with an appropriate level of care, as determined by the type of data sent.

If the recipient is simply an individual person, such as a student receiving their own healthcare records at their private Gmail address, the recipient should give consent for the transmission of their data to a private account.

If the recipient is an outside agency, such as SURS or a local healthcare provider, the university must do a vendor evaluation to assess the readiness and capability of that agency to handle NIU’s data.  This is the same degree of care we provide when selecting vendors for outsourced IT systems.  Details of this process can be discussed with DoIT's information security team by emailing infosec@niu.edu.


Using email encryption alone is not enough to make the transfer of confidential information safe.  Sending encrypted data to a person who is not authorized to see that data becomes a data breach under the law when that information is decrypted and viewed.  Sending encrypted data to an agency who does not affirmatively accept or cannot adequately protect NIU’s data is not an approved practice.

Where email encryption is desirable, however, NIU maintains an add-on product to the Office 365 system called Virtru, which is simple and effective to use and helps protect data in transit. In 2018, NIU will move to single message encryption within Office 365 itself.

Email is preferred over fax as a more secure option for the transmission of confidential information.  It is more traceable, easier to protect, and is less likely to be seen than faxes or paper that sit on desks and in outboxes.  


Encryption in the Microsoft Cloud (pdf)