
The O365 Best Practices


The Office 365 (O365) UHN Privacy and Information Security Best Practices provide guidelines for using the suite of O365 services, such as Outlook and Skype for Business, in a manner that ensures the protection of personal health information (PHI) and other sensitive information owned or observed by UHN.

  • Comply with all UHN policies when using O365 on or off UHN premises. This includes UHN's Email Policy and the Privacy Policy.
  • Log out of Office 365 and close the browser (e.g., Google Chrome, Internet Explorer, Firefox, etc.) to complete the sign-out process when accessing Office 365 from a shared UHN device, or any non-UHN device.
  • UHN may monitor, log, and audit access to any aspects of UHN's O365 environment to ensure compliance with its policies. 
  • You should clear your browser's temporary files when accessing your email from a non-UHN device.
    For instructions on clearing your browser's temporary folders, please review this online tutorial
  • Never:
    • Allow another person to use your credentials (e.g., your ID and password).
    • Save your password on any public or shared device (e.g., by selecting "Keep me signed in" or saving the password in the browser).


  • Be aware of “shoulder surfing” - people looking over your shoulder - as this could lead to a breach of PHI or other sensitive information.
  • Accessing the O365 Dashboard from a publicly-shared device (e.g., hotel or library computer) or public Wi-Fi network (e.g., Starbucks, mall, hotel Wi-Fi).
  • If it is necessary for you to do so, change your login password the next time you log into a UHN device on a private network, such as your personal Wi-Fi or on the UHN network.
  • To learn more about resetting your password, please visit our Email Resources page.
  • Access emails that contain PHI or other sensitive information in an area where unauthorized individuals can view the information (e.g., cafés, public transit, and other non-private settings).
  • Leave a device remotely connected to any O365 applications unattended in a public place, or in any private area in which unauthorized individuals could access the device.
  • When interacting with a non-UHN User, the UHN User should initiate the contact. Schedule and initiate the call using Outlook, where the Skype web link was sent, rather than making impromptu calls with Skype.
  • Inform all participants if the call is being recorded, even if Skype displays a message that the call is being recorded.
  • If another user is recording the call and should not be, request and confirm that the record functionality be turned off. If you are unsure in any way, you may disconnect the call.
  • Add non-UHN contacts to your External Contacts list to reduce the information they can see about you.
  • To learn how to do this, follow this link: Adding an External Contact in Skype for Business.
    • Use Skype for conversations with patients or discussing PHI unless you have received approval from the Enterprise Privacy Office. This includes using Skype to talk, share your screen or instant message.
    • NOTE: If approved to use Skype for discussing PHI, be sure to follow existing clinical documentation procedures to note clinically relevant conversations in EPR.
  • Delete emails when no longer needed.
  • If necessary, only send emails containing PHI to addresses found in the Global Address List (GAL).
  • Follow the UHN Email Usage Policy (1.40.014).
  • Provide your password or Multi-Factor Authentication codes to others.
  • Use your Outlook mailbox as a way to store information containing PHI.
  • Open or download files or attachments that you reasonably believe to contain PHI or other sensitive information onto an unencrypted device, public device, or shared non-UHN device.
    NOTE: In some browsers, opening an attachment will cause it to automatically download.
  • Save emails or attachments containing PHI to your hard drive, even if it is encrypted. 
As part of Office 365 (O365), you now have the ability to add a profile picture to your email and Skype for Business accounts. While this is not mandatory, we do encourage staff to upload photos as it can be useful to see who you are collaborating with.
When selecting a photo, please be mindful that this is a professional, workplace environment, and profile pictures should reflect that.

See below for guidelines to keep in mind when uploading your profile picture:

  • Use a recent photo from the past 2-3 years.
  • Headshots only, looking straight into the camera, similar to a passport photo.
  • Photos must be in colour, in focus and of good quality.
  • No props (e.g., hats, sunglasses).
  • Ensure that backgrounds are uncluttered and there is no one else in the photo (i.e., do not include other people or animals).
  • Patients and patient-related material cannot appear anywhere in the photo. If your photo is taken on UHN premises, please check for patient-related material in the background, on computer screens, and on lab materials such as scans or test tubes.


Examples of privacy breaches and security incidents include:
  • Unauthorized access or disclosure of PHI or other sensitive information through O365 applications.
  • Attempts (either failed or successful) to gain unauthorized access to a UHN account through O365 applications. 
  • Virus or malware infection on a mobile or computing device used to access O365 applications.
  • Compromised credentials (i.e., another individual knows your password).
  • Immediately report suspected or confirmed privacy breaches or security incidents to your manager/supervisor, or using the Incident eForm.
  • Keep your Multi-Factor Authentication codes to yourself when verifying using the text message or mobile app option.
  • Provide your full cooperation with any privacy or information security incident investigation.
  • Ask the Privacy or Security Office if you’re not sure!