Copilot Interim Standard and Update

Overview

UPDATE: (09/17/2025) Copilot is being reviewed by MUHC Information Security and has been approved for a limited scope of users while we develop policies, procedures and standards. While this article was created for MUHC, it contains helpful information for all users interested in using Copilot.

Purpose: To provide an update and interim standard until the official standard is published.

Scope: The intended audience for the update is MUHC workforce members and the interim standards apply to all MUHC workforce members.

Detailed Information

Definitions:

| Product | Description | Requires License | License Information | Notes |
|---|---|---|---|---|
| Copilot (Personal) | Free version of Microsoft’s AI assistant, accessible via the web, Windows, macOS, iPadOS, and mobile apps. | N | None | Do not use. |
| Copilot (Work), aka Microsoft 365 Copilot Chat | Like Standard Copilot but with enterprise protections. | Y (Free) | UM Enterprise | Copilot (Work) only has access to data entered and files that are uploaded or attached to Copilot. |
| Microsoft 365 Copilot | Microsoft’s AI assistant is integrated with M365 applications (Outlook, Teams, OneDrive, SharePoint). Requires purchase through MU Sales. | Y (Cost) | UM Enterprise | Approved for DCL-1 to DCL-3. Work Tab: Microsoft 365 Copilot has access to what the user has access to. Web Tab: Information in prompt may be exposed to the internet. |

Sources:

Warning: Microsoft changes the names of its product lines often and refers to the same product by different names.

Interim Appropriate Use Standard for MU Health Care workforce members

  • Verify you’re using the correct version of Copilot (see below).
  • MUHC workforce members may only use products that are covered by UM enterprise licensing.
  • Data Restrictions
    • Do not enter or upload DCL-4 data, including, but not limited to, protected health information (PHI) and social security numbers, into Copilot.
    • Prompts may not include DCL-4 data (such as patient names, medical record numbers, social security numbers, date of birth, date of procedure/treatment).
    • Microsoft 365 Copilot (i.e., paid subscription) users may not prompt Copilot to intentionally return DCL-4 data.
  • Do not use or enable 3rd party connectors or apps, unless you have documented approval from MUHC Information Security.
  • Do not use Copilot to share data, including chat data or uploaded data (e.g., via Agents).
  • Do not use new features unless you confirm they have been reviewed and approved. (See below for approved features.)
  • Employees should consult with their manager to ensure they are interpreting and applying Copilot-generated output appropriately.
  • Use of code generated by Copilot must be discussed with MUHC Information Security prior to execution. (New requirement for department development code is being proposed.)

How to Verify you’re using the correct version

  1. Open https://copilot.microsoft.com
  2. If you see the screen below, select Work. Do not use Personal.
  3. Once logged in, look at the top right-hand corner for a green shield icon with a checkmark inside. Hover over the icon and you should see “Enterprise data protection applies to this chat”.
  4. Check the bottom left corner of the website for your name. If you click on it, it will show you your UM System account.
  5. You’re using the correct version if these two items are met:
    • You see the green shield icon with check mark.
    • You are logged in with your UM System account.