I'm working for a nonprofit that mainly utilizes M365 Business Basic licenses for services like Exchange and Teams. Management has tasked me with enabling Copilot across our workstations, but I'm concerned about maintaining HIPAA compliance. While our M365 tenant is compliant, I've learned that Copilot Chat's web queries don't adhere to the same data protection standards, which poses a risk if staff inadvertently upload documents containing PHI. I've discovered you can turn off web queries for specific users and groups, but even after implementing this policy, I'm still able to execute web queries after 24 hours. A recent meeting with a Microsoft salesperson revealed that the Copilot Chat has a 'work' and 'web' toggle, but the Copilot Add-on required for this is priced at $30 per user per month, which management won't approve. Are there other solutions out there or has anyone found a way to use M365 Copilot Chat while staying HIPAA compliant?
5 Answers
You're probably going to need to bite the bullet and pay for the add-on unless management decides to find another workaround. Microsoft likely designed it this way on purpose to encourage compliance through paid features.
This situation really emphasizes why you need that $30 license. It's a critical component for maintaining compliance given the potential data exposure.
Isn't it better just to restrict access to Copilot publicly and remind everyone to use the built-in one in M365?
If management is against the fee, that could save you the hassle of additional audits down the line. Sometimes, doing less can make things simpler for you!
You can block the public version of Copilot to use the signed-in version instead, which doesn't leverage your data for learning, but be careful! A signed-in version can still initiate web-based queries that bypass your data protections.