Published: 7/16/2025
CISO Memo 25-01: Updates for collaboration tools
CISO Memorandum 25-01: Updated Best Practices and Guidance for the Use of Approved CMS Collaboration Tools
Purpose
This Memorandum updates and informs CMS stakeholders of the best practices and security guidance for the use of Personally Identifiable Information/Protected Health Information (PII/PHI) and agency sensitive information when using CMS approved collaboration tools, specifically MS Teams/Zoom and Box.
What’s changed
At CMS the use of collaboration tools to conduct the agency’s mission has increased. To meet these increased needs, several tools have been introduced for use within the CMS environment. CMS employees and contractors must use care to ensure data is protected and secure while using these tools.
Guidance
MS Teams/Zoom are video conferencing tools in use at CMS. When using CMS-based (not contractor-based) MS Teams or Zoom tools, PII/PHI may be displayed. When displaying and discussing PII, PHI, and agency sensitive information, users must:
- Ensure all members of the call are identified and known to the organizer
- Ensure all members of the call have a need to know the information being presented
- Refrain from recording to the maximum extent possible
- Use caution when using transcription or Microsoft Copilot to summarize meetings
- Remember that MS Teams meeting chats are persistent, so anyone who has an invitation to the meeting has access to the chat, even after they leave the meeting.
Box continues to provide a secure platform for sharing and collaborating on content internally and externally. When using Box:
- Inviting collaborators through named email addresses is preferred.
- CMS employees are permitted to store and share PII/PHI using Box, following existing data handling policies.
Microsoft Copilot in the M365 Suite is now integrated across multiple Microsoft 365 applications, including Word, Excel, Outlook, PowerPoint, and OneNote. While Copilot can increase productivity through AI-assisted content creation, summarization, and analysis, its use with sensitive information must adhere to CMS security protocols:
- Only use the CMS instance of Microsoft tools. No other instance has been approved for use with CMS information.
- Limit inputting, processing, or analyzing PII/PHI or other sensitive agency information in Copilot prompts or responses to only the minimum necessary.
- Be aware that Copilot activity may rely on cloud-based services, and output could persist or be accessible beyond the user’s immediate session.
- Treat all Copilot-assisted content as unofficial until reviewed and approved in accordance with CMS content and data validation procedures.
- Exercise caution when using Copilot to generate or summarize content for emails, documents, or presentations involving sensitive subjects.
Contact
If you have questions about this guidance, contact the CISO Team.
- Email: CISO@cms.hhs.gov
- CMS Slack: #ispg-sec_privacy-policy
This memorandum does not supersede any requirements of government law, rule, or regulation.
About the publisher:
The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.