Yale’s Clarity AI platform has been reviewed for use by the Yale Information Security Office, in consultation with the Yale Clarity team and our vendors, FoundationaLLM and Microsoft. Clarity is appropriate for use with low, medium and most high-risk data, with the notable caveat for Electronic Protected Health Information (ePHI). There is restricted access for use of ePHI in Clarity via specified agents. Should users of the Clarity platform wish to enter any content that contains ePHI, or use any documents that contain ePHI, they must submit an access request. Please visit the Health Sciences AI Toolkit for more information.
In addition to restricted ePHI use in Clarity, users with external obligations affecting their data, such as data use agreements, should make sure their use of Clarity is appropriate. NIST 800-171 data is an example of data with an external obligation that cannot be used in Clarity. Users should be aware of those requirements and whether the data should be used. Data Use Agreements (DUAs) are contractual agreements between the university and a third party to gain access to data sets. If your data is covered by a DUA, confirm that your use of Clarity with that data is appropriate.
For information on Yale’s data classification process, including specific examples, see: Data Classification Guidelines | Yale Information Security
For information on HIPAA and ePHI at Yale, see: Yale HIPAA Website and Health Sciences AI Toolkit
For information on Data Use Agreements, see: Data Use Agreements (DUAs)
For information on Clarity’s Privacy Policy, see: Clarity Privacy Policy.