Using Large Language Models (LLMs) Responsibly
Understanding Data Security Levels at Northwestern
Northwestern University classifies data into four levels based on sensitivity:
- Level 1: Public data (e.g., published works already available online)
- Level 2: Internal data (e.g., unpublished research, draft manuscripts)
- Level 3: Confidential data (e.g., Protected Health Information [PHI])
- Level 4: Highly restricted data (e.g., government-classified information)
Northwestern definitions:
Get a refresher on where you can safely store PHI.
What Can Be Used With Public LLMs?
Only Level 1 (public) data should be entered into publicly available LLMs such as ChatGPT, Claude and Gemini.
These tools may retain input data, share it with third-party providers or use it for model training, posing risks even if the data doesn't appear sensitive.
Feinberg School of Medicine Policy
Feinberg medical students must follow the school's Use of Generative Artificial Intelligence Tools Policy.
Approved Tools for Higher-Sensitivity Data
Microsoft Copilot
- May be used for Level 2 data when signed in with your @northwestern.edu or @nm.org account
- Access online or via the Copilot tab within your Outlook email; you will know you are securely protected when you see a green shield in the upper right-hand corner
- Review Northwestern University's guidance on Generative AI tools
NM Chat
- NM Chat is the only approved tool for handling minimally necessary PHI (Level 3)
- Must be accessed via Citrix or VPN
- Access online
- Review the official Northwestern Medicine policy (log-in required)
Research Use & IRB-Approved Projects
For IRB-approved research involving sensitive data:
- Special accounts can be provisioned to use LLMs via Microsoft Azure
- Requires Limited Access Review and additional permissions
- Azure Access for Research Projects
- Consider local models on your university- or NM-managed device
LLM Tool Comparison for Sensitive Data Use
The table below compares LLM tools for sensitive data use and was created by Catherine Gao, MD.
Tool | Access Requirements | Can Input Minimal Necessary PHI/PII? | Data Level Allowed |
---|---|---|---|
Public LLMs (ChatGPT, Gemini, Claude, etc.) | Publicly accessible | No | Level 1 only (Public data) |
Microsoft Copilot (NU) | Sign in with @northwestern.edu | No | Level 2 (Internal data) |
Microsoft Copilot (NM) | Sign in with @nm.org | No | Level 2 (Internal data) |
NM Chat | Sign in via Citrix/VPN | Yes | Level 3 (PHI/PII) |
Fully Local Models | Depends on configuration and approval | It depends | Case-by-case (requires review) |
Microsoft Azure OpenAI APIs | Special research account + IRB + Limited Access Review | It depends | Case-by-case (requires review) |