About IU's research cyberinfrastructure and HIPAA alignment
At Indiana University, many of the systems and services provided by the Research Technologies division of UITS are managed using standards-based data security practices that make it possible (with proper precautions) for researchers to handle and store electronic protected health information (ePHI) and other sensitive data regulated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. These systems and services are designated "HIPAA-aligned" and not "HIPAA-compliant", because the latter term is an official designation applicable only to certified US federal agencies.
IU's HIPAA alignment is based on IT management processes compatible with security best practices standards, specifically National Institute of Standards and Technology (NIST) Special Publication 800-53, as recommended by US Department of Health and Human Services, which oversees HIPAA regulation. IU's HIPAA alignment process involved an eighteen-month effort in 2007 and 2008, overseen by a committee representing the IU Office of Research Administration (Compliance) and the IU School of Medicine (IUSM). The Office of Research Administration provided a formal memorandum expressing its confidence in IU's ability to protect data for research projects involving ePHI.
Important: Although UITS HIPAA-aligned resources are managed using standards meeting or exceeding those established for managing institutional data at IU, and are approved by the IU Office of the Vice President and General Counsel (OVPGC) for storing research-related ePHI, they are not recognized by the IU Committee of Data Stewards as appropriate for storing other types of institutional data classified as "Critical" that are not ePHI research data. To determine which services are appropriate for storing sensitive institutional data, including ePHI research data, see Comparing supported data classifications, features, costs, and other specifications of file storage solutions and services with storage components available at IU.
The UITS Advanced Biomedical IT Core (ABITC) provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing ePHI research data. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.
For more, see:
- What are my responsibilities when using UITS systems for work with electronic protected health information?
- What services does IU provide for researchers working with ePHI data?
Last modified on April 09, 2014.