Overview
UPDATE: (09/17/2025) Copilot is being reviewed by MUHC Information Security and has been approved for a limited scope of users while we develop policies, procedures and standards. While this article was created for MUHC, it contains helpful information for all users interested in using Copilot.
Purpose: To provide an update and interim standard until the official standard is published.
Scope: The intended audience for the update is MUHC workforce members and the interim standards apply to all MUHC workforce members. This article provides guidance for Health Academic units; School of Medicine, School of Nursing and College of Health Sciences.
Detailed Information
Definitions:
|
Product
|
Description
|
Requires License
|
License Information
|
Notes
|
|
Copilot (Personal)
|
Free version of Microsoft’s AI assistant, accessible via the web, Windows, macOS, iPadOS, and mobile apps.
|
No
|
None
|
Do not use.
|
|
M365 Copilot (Work)
aka
Microsoft 365 Copilot Chat
|
Like Standard Copilot but with enterprise protections.
|
Yes (University provided)
|
UM Enterprise requires SSO login
username@umsystem.edu
|
Approved for DCL-1 to DCL-3.
Copilot (Work) only has access to data entered and files that are uploaded or attached to Copilot.
|
|
Microsoft 365 Copilot
|
Microsoft’s AI assistant is integrated with M365 applications (Outlook, Teams, OneDrive, SharePoint).
Requires purchase through MU DoIT Software Sales- Copilot.
|
Yes
(Additional Annual Cost)
|
UM Enterprise requires
SSO login
username@umsystem.edu
|
Approved for DCL-1 to DCL-3.
Work Tab: Microsoft 365 Copilot has access to what the user has access to.
Web Tab: Information in prompt may be exposed to the internet.
|
Sources:
Warning: Microsoft changes the names of their product lines often and refers to products with different names.
|
Interim Appropriate Use Standard for MU Health Care workforce members
|
- Verify you’re using the correct version of M365 Copilot (see below).
- MUHC workforce members may only use products that are covered by UM enterprise licensing.
- Data Restrictions
- Do not enter or upload DCL-4 data, including, but not limited to protected health information (PHI) and social security numbers into Copilot.
- Prompts may not include DCL-4 data (such as patient names, medical record numbers, social security numbers, date of birth, date of procedure/treatment) Personally Identifiable Information (PII).
- For Microsoft 365 Copilot (i.e., paid subscriptions) users, they may not prompt Copilot to intentionally return DCL-4 data.
- Do not use or enable 3rd party connectors or apps, unless you have documented approval from MUHC Information Security.
- Do not use Copilot to share data, including chat data, or uploaded data (e.g., via Agents).
- Do not use new features unless you confirm it has been reviewed and approved. (See below for approved features.)
- Employees should consult with their manager to ensure they are interpreting and applying Copilot-generated output appropriately.
- Use of code generated by Copilot must be discussed with MUHC Information Security prior to execution. (New requirement for department code development is being proposed.)
|
|
How to Verify you’re using the correct version
|
-
|
Open https://copilot.microsoft.com
|
-
|
If you see the screen below, select Work. Do not use Personal.
 |
-
|
Log in with username@umsystem.edu, view the top right-hand corner for a green shield icon with a checkmark inside. Hover over the icon and you should see “Enterprise data protection applies to this chat”.
 |
-
|
Check the bottom left corner of the website for your name. If you click on it, it will show you your UM System account.
|
-
|
You’re using the correct version if these two items are met:
- You see the green shield icon with check mark.
- You are logged in with your UM System account.
|