O365 Email Encryption and Use

NIU uses Microsoft Office 365 as its official email system. It was selected, in part, because it is suitable and approved for transmitting and storing confidential information. Office 365 is the only email system on campus with that approval.

Office 365 can be trusted to reliably store and transmit NIU’s confidential data for three primary reasons:

  1. It has been validated technically against the provisions and requirements of the body of regulations with which NIU must comply.
  2. The vendor has been assessed to verify its compliance with the same set of regulations and security controls. 
  3. NIU has appropriate legal protections in place with Microsoft above and beyond our standard contract that protect NIU in the event of a breach of our data.

Office 365 uses multiple layers of encryption that work together to protect our data:

  1. Encryption at rest using BitLocker.
    1. This encrypts the storage in Microsoft's data centers and is the same technology deployed on DoIT-supported Windows computers.
  2. Encryption in transit using certificate-based TLS.
    1. This protects your login and the connection between your mail client and O365. Note that it secures the connection, not the message itself: once a message is delivered to an external recipient, TLS no longer protects it.
  3. Optional per-message email encryption.
    1. This encrypts the message itself, so it remains protected after delivery. You must select it when sending restricted information to external recipients, or whenever you want additional protection for a message.

To learn how to use email encryption see the “How to” and “Email Encryption FAQ” links in the side bar.

Members of the campus community often ask whether Office 365 email is safe to use for transmitting healthcare information or other confidential information to people outside of NIU. The HIPAA Privacy Rule expressly allows healthcare providers to communicate electronically with their patients, provided that they apply reasonable safeguards when doing so. DoIT has approved Office 365 email for this type of use under the following guidelines:

  1. As with any data, whether transmitted electronically, by fax, or on paper, the recipient must be authorized to receive and view the data.
  2. The recipient must be evaluated to determine that they can handle and store our data with a level of care appropriate to the type of data sent.

If the recipient is an individual, such as a student receiving their own healthcare records at a private Gmail address, that person should give consent before their data is sent to a private account.

If the recipient is an outside agency, such as SURS or a local healthcare provider, the university must perform a vendor evaluation to assess that agency's readiness and capability to handle NIU's data. This is the same degree of care we apply when selecting vendors for outsourced IT systems. Details of this process can be discussed with DoIT's information security team by emailing infosecurity@niu.edu.

Email encryption alone is not enough to make the transfer of confidential information safe. Encryption protects the message in transit and from unauthorized third parties; it does nothing about the recipient. Sending encrypted data to a person who is not authorized to see it becomes a data breach under the law the moment that information is decrypted and viewed. Sending encrypted data to an agency that has not affirmatively agreed to protect NIU's data, or that cannot adequately protect it, is not an approved practice.

Email is preferred over fax as the more secure option for transmitting confidential information. It is more traceable, easier to protect, and less likely to be seen by unintended people than faxes or paper that sit on desks and in outboxes.

Encryption in the Microsoft Cloud (PDF)