ChatGPT Security Standard

This knowledge base article summarizes approved use, licensing requirements, and information security expectations for ChatGPT use by MU Health Academic users.

This knowledge base article outlines approved use, licensing requirements, and information security restrictions for ChatGPT use by MU Health Academic users. Only the ChatGPT version licensed through University of Missouri procurement and administered by UMKC may be used, and all use must comply with UM procurement agreements and MU Health Care (MUHC) information security policies. The article defines strict data restrictions prohibiting the entry, upload, or generation of DCL‑4 data—including protected health information (PHI)—and describes limitations on features, connectors, agents, and code use. It also identifies required approvals, management consultation expectations, and Information Security review processes to ensure ChatGPT is used responsibly and in compliance with institutional standards.

Verify you’re using the correct version of ChatGPT licensed via UM procurement and administered by UMKC (see below for purchasing information).

• Only use products that are covered by the UM Procurement licensing agreement.
• Data Restrictions

  • Do not enter or upload DCL-4 data, including, but not limited to protected health information (PHI) and social security numbers into ChatGPT.

  • Do not enter or upload any health information, including de-identified data. 

    • De-Identified Data Sets must be certified by MUHC Information Security, per MUHC policy. 

    • To do so, please submit a request here: https://tdx.umsystem.edu/TDClient/52/MUHCInfoSec/Requests/ServiceCatalog

  • Prompts may not include DCL-4 data (such as patient names, medical record numbers, social security numbers, date of birth, date of procedure/treatment).

  • Users may not prompt ChatGPT to intentionally access or return DCL-4 data.

• Do not use or enable default and/or 3rd party connectors or apps, unless you have documented approval from MUHC Information Security.
  • Including the OneDrive connector.
  • To request a review for additional features, please submit a request here: 

    To do so, please submit a request here: https://tdx.umsystem.edu/TDClient/52/MUHCInfoSec/Requests/ServiceCatalog.

• Do not use ChatGPT to share data, including chat data, or uploaded data (e.g., via Agents).

• Do not use new features unless you confirm it has been reviewed and approved. 

  • Agentic ChatGPT Browser is not an approved tool for use at the University of Missouri and should not be utilized for institutional or research activities.

• Employees should consult with their manager to ensure they are interpreting and applying ChatGPT-generated output appropriately.

• Use of code generated by ChatGPT must be discussed with MUHC Information Security prior to execution. (New requirement for department development code is being proposed.)

• ​MUHC Information Security - Risks and Considerations when using AI Services and AI Projects.docx

• https://www.umsystem.edu/ums/is/infosec/classification-definitions