
Office 365 Best Practices

The Office 365 Best Practices provide guidelines for using the suite of Office 365 services, including Outlook and Skype for Business, in a manner that ensures the protection of personal health information (PHI) and other sensitive information owned or observed by UHN.


UHN has the right to monitor, log, and audit all access to all aspects of UHN’s Office 365 environment, whether it is accessed on or off UHN premises or via a UHN or non-UHN computing or mobile device. You will be held accountable for any misuse of Office 365.

Always:

  • Comply with all UHN policies, such as UHN's Email Policy and the Privacy Policy, when using Office 365 on or off UHN premises.
  • Never allow another person to use your credentials.  
  • Clear the browser's temporary files when accessing your e-mail from a non-UHN device.
    For instructions on clearing your browser's temporary folders, please review this online tutorial.
  • Log out of Office 365 and close the browser (e.g., Google Chrome, Internet Explorer, Firefox, etc.) to complete the sign-out process when accessing Office 365 from a shared UHN device, or any non-UHN device.
               

Never:

  • Save your password on any public or shared device (e.g., by selecting "Keep me signed in" or saving the password in the browser).

 

Always

  • Be aware of “shoulder surfing”, that is, people looking over your shoulder, as this could lead to a breach of PHI or other sensitive information.

Never

  • Access Office 365 from a publicly-shared device or Wi-Fi network unless absolutely necessary. If it is necessary for you to do so, change your login password the next time you log into a UHN device.
    To learn more about resetting your password, please visit our Email Resources page.
  • Access e-mails that contain PHI or other sensitive information in an area where unauthorized individuals can view the information (e.g., cafés, public transit, and other non-private settings).
  • Leave a device remotely connected to Office 365 unattended in a public place, or in any private area in which unauthorized individuals could gain access to the device. 

Always

  • Inform all participants if the call is being recorded, even if Skype displays a message that the call is being recorded.
  • If another user is recording the call and should not be, request and confirm that the record functionality is turned off. If you are unsure in any way, you may disconnect the call.
  • When interacting with a non-UHN User, the UHN User should initiate the contact.
  • Follow existing clinical documentation policies and procedures to note clinically relevant conversations about patients in EPR.

Never

  • Use Skype for conversations with patients unless you have received approval from the Enterprise Privacy Office.
  • Use Skype for discussing PHI unless you have received approval from the Enterprise Privacy Office.
  • Add External Contacts to your Skype Contacts list unless:
      • The User is from a federated organization
      • The invitation is sent to the non-UHN User via the UHN webclient
      • You have the approval of the Enterprise Privacy Office.

Always

  • Delete emails that contain PHI from your Outlook mailbox once you have documented the contents in EPR.
  • Follow the UHN Email Usage Policy (1.40.014).

Never:

  • Use your Outlook mailbox as a way to store information containing PHI.
  • Open or download files or attachments that you reasonably believe to contain PHI or other sensitive information onto an unencrypted device, public device, or shared non-UHN device.
    NOTE: In some browsers, opening an attachment will cause it to automatically download.
  • Save e-mails or attachments containing PHI to your hard drive, even if it is encrypted. 

Examples of privacy breaches and security incidents include:

  • Unauthorized access or disclosure of PHI or other sensitive information through Office 365
  • Attempts (either failed or successful) to gain unauthorized access to Office 365
  • Virus or malware infection on a mobile or computing device used to access Office 365
  • Compromised credentials (i.e., another individual knows your password)

Always:

  • Immediately report suspected or confirmed privacy breaches or security incidents to your manager/supervisor, or by using the Incident eForm.
  • Provide your full cooperation with any privacy or information security incident investigation.
  • Ask the Privacy or Security Office if you’re not sure!