About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information

On this page:


Overview

At Indiana University, UITS provides students, faculty, and staff with a variety of dedicated file storage services and several information technology services that feature storage components. Some of these services are suitable for storing sensitive institutional data, and some are not. Additionally, some services are baseline IT services (requiring no additional user fees), and some are fee-based services billed directly to the end user (an IU department or school).

Following is information to help you understand your legal responsibilities when working with institutional data at IU and identify which UITS services are appropriate for storing various types of institutional data. When working with sensitive institutional data, particularly data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you must make sure the IT services you're using meet the strict data management standards required to protect the security and privacy of your data.

Classifications and management standards for institutional data at IU

Protecting the privacy and security of digital information is a leading concern for information technology users and providers alike. Federal and state laws regulate how institutions, such as businesses, hospitals, and universities, manage the data they collect from the individuals they serve. Federal agencies have funding policies that include stringent requirements for securely managing research data collected from human subjects. Certain types of data, including financial, legal, academic, and health care data, are considered sensitive because misusing them can lead to identity theft, personal financial loss, invasion of privacy, or other forms of unauthorized access.

At Indiana University, official Classification levels of institutional data are defined in Management of Institutional Data (DM-01). Sensitive institutional data elements are classified as Restricted or Critical, and are protected by federal and state laws, and by IU policy.

IU's official data management standards cover all classifications of institutional data, but especially stringent standards apply to work that involves institutional data classified as Restricted or Critical. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing all types of institutional data elements (not just those that are considered sensitive) and sharing institutional data with third parties (see Disclosing Institutional Information to Third Parties (DM-02)).

These standards apply to all users and administrators of IU information technology resources. Every individual who works with sensitive institutional data at IU is responsible for knowing and adhering to IU's official data management standards to help prevent inappropriate disclosures of personal or confidential information that, according to federal and state laws, can result in criminal or civil penalties.

For more, see:

If you have questions about the classifications of institutional data, contact the appropriate Data Steward .

To determine the approved storage options based on the type of data, use the Data Sharing and Handling (DSH) tool, which provides specific guidance on where to store institutional data, and general guidance on sharing, disposal, and classification of institutional data.

Important considerations regarding protected health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Anyone working with data containing PHI at IU is legally responsible for protecting the privacy and security of that data in compliance with all applicable federal and state regulations (and university policies). UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule thereby enabling their use for work involving data that contain protected health information (PHI). However, using a UITS resource does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use certain UITS resources (as indicated in the Dedicated file storage services and IT services with storage components tables below) for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

Note:
In accordance with standards for access control mandated by the HIPAA Security Rule, you are not permitted to access data containing protected health information (PHI) using a group (or departmental) account. To ensure accountability and maintain appropriate levels of access control, all users must use an individual login for all work involving PHI.

Following are additional warnings pertaining to the use of Research Technologies systems:

  • UITS Research Technologies resources are not appropriate for handling data that are part of current, active patient treatment or service delivery (they are not medical devices that comply with regulations governing medical devices).
  • Using a Research Technologies resource does not fulfill your legal responsibilities (as noted above) for protecting the privacy and security of research data that contain PHI. Furthermore, any application (including operating systems) or service you deploy or administer on a Research Technologies resource does not automatically meet the standards required for work involving PHI.
  • You are legally responsible for securing the end-to-end flow of research data containing PHI as they pass from collection instruments to workstations, from workstations (via local area networks) to departmental servers, and from departmental servers (via the IU network) to UITS central systems. For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

Important considerations for federally funded research projects

The National Science Foundation (NSF) and National Institutes of Health (NIH) have specific policies governing the retention, dissemination, and sharing of research results. Proposals for NSF-funded projects require formal data management plans. NIH-funded projects must submit peer-reviewed journal manuscripts to PubMed Central (PMC) and include PMC reference numbers for those papers when citing them in proposals for further NIH support.

UITS Research Technologies can help researchers prepare data management plans and provide post-award grant support. For more, see Cyberinfrastructure facilities information and data management plan resources to help you prepare grant proposals.

Choose an appropriate storage solution

UITS offers several services appropriate for storing institutional data elements of various classifications. Use the tables below to compare key attributes of dedicated file storage services and IT services with storage components available at IU, so you can determine which services are suitable for storing your data. If you need help determining the most sensitive classification of institutional data you can store on any given UITS service, use the Data Sharing and Handling (DSH) tool.

Note:

According to Cyber Risk Mitigation Responsibilities (IT-28), all IU units must deploy and use IT systems and services in ways that vigilantly mitigate cyber risks (cybersecurity risks, security risks to physical systems, and risks arising from natural disasters or potential infrastructure failures), and recommends that all IU units use, to the greatest extent practicable, the secure facilities, common IT infrastructure, and enterprise services provided by UITS. For more, see:

Important:

Dedicated file storage services

Service Approved
for PHI
Approved
for FERPA
Most sensitive institutional data classification allowed (other than PHI) 1 Role-
based
access
control
Native
mobile
app
integration
Cross-
platform
Default
allotment
Maximum
file size
Inline
preview
Permanent
storage
Offline
sync
Backups Cost
Geode-Project
Project space for research teams
Yes 1 Yes Restricted Yes No Yes No
(direct-bill service)
8 EB
(limited by allocation)
No Yes No No Direct-bill
service 2
Google at IU My Drive
Individual file storage, not for institutional records or data needed by others at IU (non-institutional and non-departmental)  1
No Limited  2 University-Internal; some Restricted  3 Yes Yes Yes 5 GB 4 5 GB Yes Yes Yes
(Sync via Google Drive for desktop on a secure device) 5
No No fee
(baseline service) 6
Paid Google Shared Drives (paid Google option for restricted, critical, and PHI data)
Secure storage for individuals, departments, and committees working with institutional and departmental data, such as student, health, and research data. 1 Institutional storage request form 2
Yes Yes Critical 3 Yes Yes Yes Unlimited 5 TB Yes Yes Yes
(Sync via Google Drive for desktop on a secure device) 4
No No fee
(baseline service)
Microsoft OneDrive at IU
Individual file storage, not for institutional records or data needed by others at IU should you leave your position; typically accessed through Microsoft OneDrive at IU via Microsoft 365 or by mapping a drive in Windows 1
No Limited  2 University-Internal; some Restricted  3 Yes Yes Yes

5 TB (A5 license)

100 GB (A1 license)

250 GB Yes Yes Yes
(Sync via OneDrive on a secure device) 4
No No fee
(baseline service)
Microsoft at IU Secure Storage
For Restricted, Critical, and PHI data

Collaborative and individual storage for sensitive institutional data with additional security and administrative controls applied 1; select Restricted or Critical under "Intended use and data classifications" when submitting a request via the Institutional storage request form  2
Yes Yes Critical 3 Yes Yes Yes 25 TB 250 GB Yes Yes Yes
(Sync via OneDrive on a secure device) 4
No No fee
(baseline service)
OnBase
Secure electronic document storage
Yes 1 Yes Critical Yes Yes Yes Unlimited 2 GB 2 Yes Yes 3 No Yes No fee
(baseline service)
Scholarly Data Archive
Archival storage for research data
Yes  1 No Restricted Yes Web only Yes 50 TB 2 10 TB No Yes No No  3 No fee
(up to 50 TB)  4
Secure Share
Sharing critical data
Yes Yes Critical Yes Web only Yes 12 GB None No No  1 No No No fee
(baseline service)
Slate
High performance storage for research computation
Yes 1 Yes Restricted Yes No No 800 GB 2 10 TB No Yes No No No fee
(baseline service)
Slate-Project
High performance storage for data-intensive (Big Data) workflows
Yes 1 Yes Restricted Yes No No 15 TB 10 TB No Yes No No No fee 
(up to 15 TB) 2
Slate-Scratch
High performance temporary scratch space for data-intensive (Big Data) workflows
Yes 1 Yes Restricted Yes No No 100 TB 2 10 TB No No 3 No No 4 No fee
(baseline service)
TechSelect Critical Data Infrastructure
File storage for critical data
Yes Yes Critical Yes No Yes Unlimited Varies by
format
No Yes No Yes Direct-bill
service 1
TechSelect File Services
File storage for university data
No Yes Restricted Yes No Yes Unlimited Varies by
format
No Yes No Yes Direct-bill
service 1

IT services with storage components

Service Approved
for PHI
Approved
for FERPA
Most sensitive institutional data classification allowed (other than PHI) 1 Role-
based
access
control
Native
mobile
app
integration
Cross-
platform
Default
allotment
Maximum
file size
Inline
preview
Permanent
storage
Offline
sync
Backups Cost
Adobe Creative Cloud
Subscription-based collection of creative software (graphic design, video editing, photography, etc.)
No No University-internal No Yes Yes 100 GB 1 GB or
5 GB 1
Yes Yes Yes No No fee
(baseline service) 2
Adobe Document Cloud
Storage and sharing of PDF files in the cloud
No No University-internal No No Yes 100 GB 100 MB Yes Yes No No No fee
(baseline service) 1
Advanced Visualization Lab
Long-term storage for visualization data
Yes 1 No Restricted Varies by
service 2
No No Varies by
project
Varies by
system
Varies by
system
Varies by
system
No No 3 No fee
(baseline service)
Canvas
IU's learning management system, which includes standard tools for assignments, discussions, announcements, quizzes, syllabus, recording grades, etc.
No Yes Restricted Yes Yes Yes 4 GB
(Courses)

300 MB
(Groups)

1 GB
(Individuals)
2 GB Yes Yes No Yes No fee
(baseline service)
Confluence
Online collaborative environment for enterprise intranets, knowledge management, and documentation
No No University-internal Yes Yes Yes Varies by
project
244 MB Yes Yes No Yes No fee
(baseline service)
Data Services for Departments and Instruction
Database and web server storage for instruction
No No Public No Web only No 3 MB
(Oracle
and IIS)
Varies by
format
No No No Yes No fee
(baseline service)
Exchange
Email storage
No Yes University-internal 1 No Yes Yes 50 GB 50 MB Varies by
client
Yes Varies by
client
Yes No fee
(baseline service)
FireForm
Self-service form-building tool
Yes 1 Yes Critical Yes No
(responsive in browser)
Yes Unlimited 3 MB Yes Yes No Yes No fee
(baseline service)
Google Chat
Chat history storage
No No University-internal No Yes Yes Unlimited 1 TB No Yes 1
(on Google at IU My Drive for Google files shared in chat sessions)
No No No fee
(baseline service)
Intelligent Infrastructure
Virtual machine storage
Yes Yes Critical Yes No No 35 GB Varies by
operating
system
No Yes 1 No Yes 2 Direct-bill
service 3
IUanyWare
Cloud storage
No No Restricted Varies by
system
Yes Yes Varies by
system
Varies by
system
Yes Varies by
system
Varies by
system
Varies by
system
No fee
(baseline service)
Kaltura
Online video sharing
No Yes Restricted 1 Yes No Yes Unlimited None Yes No No Yes No fee
(baseline service)
Microsoft Teams Chat
Chat history storage
No Yes Restricted 1 Yes Yes Yes Unlimited 250 GB Yes Yes
(on Microsoft OneDrive at IU for files shared in chat sessions) 2
No No No fee
(baseline service)
Qualtrics
Online Survey and research tool
Yes Yes Critical Yes Yes Yes Unlimited 100MB Yes Yes Yes Yes No fee
(baseline service)
IU REDCap
Storage and sharing of tabular research data
Yes 1 No Public 2 Yes No Yes None 3 Varies by
number of
records collected
Records are
viewable
within IU REDCap
Yes No Yes No fee
(baseline service)
Research supercomputers
World-class research supercomputers with home directory space for code development and job scripts, and local scratch space for temporary storage of application data
Yes 1 Yes Restricted 2 Yes No No 100 GB 3 10 GB 4 No Yes
(home directories)

No 5
(scratch directories)
No Yes
(home directories)

No
(scratch directories)
No fee
(baseline service)
You do not have sufficient permission to view this document.
Collaboration and content management
Yes Yes Critical 1 Yes Yes
(native in browser)
Yes 5 GB 250 GB Office files Yes Yes
(Sync via OneDrive on a secure device) 2
Yes No fee
(baseline service)
Sitehost
Storage for web applications
No Yes Restricted Yes No Yes 2 GB
(Sitehost)

1 GB
(MySQL)
1 GB No Yes No Yes Direct-bill
service 1
Windows Hosting Environment
Storage for web applications
Yes Yes Critical Yes No Yes 10 GB None No Yes No Yes No fee
(up to 10 GB) 1
Notes:
The following notes are referenced in the tables above:
  • Most sensitive institutional data classification allowed (other than PHI):
    1. Some services approved for storing data containing PHI are not approved for storing other institutional data classified as Critical. Consequently, some HIPAA-capable systems have "Restricted" listed as the most sensitive institutional data classification allowed, even though they're capable of storing PHI (which is classified as Critical). If you need help determining the most sensitive institutional data classification allowed on any UITS service, use the Data Sharing and Handling (DSH) tool.
  • Geode-Project:
    1. If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

      This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

    2. For current fee information, see "Replicated Research Storage (Geode)" on UITS Rates for Direct-Bill Services.
  • Google at IU My Drive:
    1. Examples of appropriate individual files include resumes, CVs, professional development materials and records of completion, notes, and personal planning documents.
    2. Individual student assignments and coursework associated with Canvas integrations are permitted; administrative student records not related to classroom activities including full grade rosters should be stored in locations approved for institutional data such as the Microsoft Secure Storage and Google Secure Storage environments. For more, see Request institutional storage in Microsoft shared storage.
    3. Individual student assignments and coursework associated with Canvas integrations are permitted; administrative student records not related to classroom activities including full grade rosters should be stored in locations approved for institutional data such as the Microsoft Secure Storage and Google Secure Storage environments. For more, see Request institutional storage in Microsoft shared storage.
    4. See New storage limits.
    5. Devices must be secured according to IU's Mobile Device Security Standard (IT-12.1); contact your IT Pro for help determining whether your device is secure.

    6. Google at IU accounts are administered by UITS and are not related in any way to personal (non-IU) Google accounts. You should keep your personal (non-IU) Google account separate from your Google at IU account.
  • Google at IU Secure Storage:
    1. Examples of appropriate data include but are not limited to grades, employee home addresses, and personally identifiable information (PII) for research participants.
    2. IU faculty and staff can request Google Secure Storage by submitting the Institutional storage request form and selecting restricted or critical data classification. Google at IU accounts are administered by UITS and are not related in any way to personal (non-IU) Google accounts. You should keep your personal (non-IU) Google account separate from your Google at IU account.
    3. With the exception of credit card, payment card industry (PCI), and export-controlled research data, controlled unclassified information, and advancement data, such as donor gift agreements, wealth information, and detailed giving information.
    4. Devices must be secured according to IU's Mobile Device Security Standard (IT-12.1); contact your IT Pro for help determining whether your device is secure.

  • Microsoft OneDrive at IU:
    1. Examples of appropriate individual files include resumes, CVs, professional development materials and records of completion, notes, and personal planning documents. This is classified as University-internal with some Restricted for approved use cases (including Canvas integrations and student assignments). Shared storage is recommended for most uses cases involving institutional data because, if someone leaves the university without moving data from OneDrive to a shared storage location, the data will be lost. If you have specific use cases for OneDrive involving institutional data that would not pose a data loss issue, submit them to the Data Stewards for consideration at iudata@iu.edu.
    2. Individual student assignments and coursework associated with Canvas integrations are permitted; administrative student records not related to classroom activities including full grade rosters should be stored in locations approved for institutional data such as the Microsoft Secure Storage and Google Secure Storage environments. For more, see Request institutional storage in Microsoft shared storage.
    3. This is classified as University-internal with some Restricted for approved use cases (individual student assignments and coursework associated with Canvas integrations). Given the potential for data loss in individual OneDrive accounts when employees leave the university, administrative student records not related to classroom activities including full grade rosters should be stored in locations approved for institutional data such as the Microsoft Secure Storage and Google Secure Storage environments. For more, see Request institutional storage in Microsoft shared storage.
    4. Devices must be secured according to IU's Mobile Device Security Standard (IT-12.1); contact your IT Pro for help determining whether your device is secure.

  • Microsoft at IU Secure Storage:
    1. Examples of appropriate data include but are not limited to grades, employee home addresses, and personally identifiable information (PII) for research participants.
    2. IU faculty and staff can request Microsoft Secure Storage by submitting the Institutional storage request form and selecting restricted or critical data classification.
    3. With the exception of credit card, payment card industry (PCI), and export-controlled research data, controlled unclassified information, and advancement data, such as donor gift agreements, wealth information, and detailed giving information.
    4. Devices must be secured according to IU's Mobile Device Security Standard (IT-12.1); contact your IT Pro for help determining whether your device is secure.

  • OnBase:
    1. Use of OnBase for storage of PHI must be approved by the OnBase team and may require approval from the IU HIPAA Compliance Office.
    2. The maximum file size depends on the client you are using. Only the OnBase Thick client can handle files of sizes up to 2 GB (although this is the maximum file size OnBase can handle, UITS recommends keeping file sizes below 100 MB). The OnBase Web Client, the Unity ClickOnce and desktop clients, and Unity via IUanyWare can handle files of sizes up to 30 MB. If you have questions, submit an OnBase Support Request.
    3. OnBase is capable of storing documents indefinitely; however, UITS recommends following university retention schedules.
  • SDA:
    1. Files containing PHI must be encrypted when they are stored (at rest) and when they are transferred between networked systems (in transit). To ensure that files containing PHI are encrypted when they are stored, encrypt them before transferring them to storage. To ensure that files containing PHI remain encrypted during transit, use SFTP/SCP or the IU Globus Web App. For more, see Recommended tools for encrypting data containing HIPAA-regulated PHI.

    2. On October 6, 2019, UITS Research Technologies implemented a file quota to limit the number of files users can store in their Scholarly Data Archive accounts. The file quota for new accounts is 25,000 files.

    3. Due to the mammoth volume of data stored on the Scholarly Data Archive, backups are neither practical nor economical. The SDA doesn't have an offline, traditional backup system, so any deletion you perform will cause an irreversible loss of data. Although files are not backed up, two tape copies are saved by default (one at IU Bloomington; another at IUPUI) and are never purged by administrators. If you have questions or need help, email the UITS Research Storage team (store-admin@iu.edu).
    4. When in support of research activities, extensions beyond 50 TB may be granted for a nominal charge; for help, email the UITS Research Storage team (store-admin@iu.edu).
  • Secure Share:
    1. Secure Share files are purged 30 days after you upload them. If you have a question or need help, contact your campus Support Center.
  • Slate:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

    2. The default quota allotment is 800 GB per user. Upon request, your quota may be increased to a maximum of 1.6 TB. To request more space on Slate, contact the UITS High Performance File Systems (HPFS) group using the Research Technologies contact form (from the "Choose an area to direct your question to" drop-down, select High performance storage). Additionally, an inode quota (sometimes called "file quota") limits the number of objects a single user can create to 6.4 million.

  • Slate-Project:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

    2. Requests for fewer than 15 TB are granted at no cost; allocations of 15 TB or more are billed at $5.12 TB per month (an IU departmental account is required).
  • Slate-Scratch:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

    2. Each IU research supercomputer user is allowed to store up to 100 TB of data on Slate-Scratch. An inode quota limits the number of files and directories a single user can create to 10 million.

    3. Space on Slate-Scratch is not intended for permanent storage. Files in scratch space will be purged if they have not been accessed for more than 30 days. Users are responsible for archiving their data. To archive scratch space data, move files to the Scholarly Data Archive (SDA); see Access the SDA at IU.

      Users should move their computational results off of the Slate-Scratch file system as soon as possible to avoid data loss, incorporating data movement into their job submission scripts when possible.

    4. Files on Slate-Scratch are not backed up. Users are responsible for backing up their data. Users should move their computational results off of the Slate-Scratch file system as soon as possible to avoid data loss, incorporating data movement into their job submission scripts when possible.
  • TechSelect:
    1. For the most current pricing information, go to Rates for UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about "UITS TechSelect Client Support - A La Carte Services".
  • Adobe Creative Cloud:
    1. Via the Creative Cloud website, you can upload files up to 1 GB. Via the Creative Cloud desktop application, you can upload files up to 5 GB.
    2. Additional storage cannot be purchased.
  • Adobe Document Cloud:
    1. Additional storage cannot be purchased.
  • AVL:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

    2. Access to all visualization systems is physical (you must be in the room with the device to use it). Currently, no remote access or virtual desktop support is available. To request physical access to visualization devices, contact the AVL. An AVL staff member will meet with you to discuss your project and proposed usage scenario. Once your proposed use is approved, AVL staff will provide an orientation and training to get you started using the system. Most visualization systems have 24/7 access via keycards.
    3. All visualization systems have local storage areas, but they are not backed up and are purged regularly. Before each working session, you must import all data and program files from a long-term storage medium, and transfer them back to long-term storage when you're finished. All visualization systems have USB support and are connected to the IU network, so you can use long-term storage media, such as USB (flash or magnetic) drives, and network-enabled storage services, such as the Scholarly Data Archive. If you have questions, contact the AVL.
  • Exchange:
    1. Do not send or receive Critical or Restricted data via email unless it is required by your role within the university. Instead of email, use Secure Share to share any Restricted or Critical data. If you are sharing personally identifiable information (PII) classified as University-Internal data (for example, names, University IDs, student addresses, etc.) via Exchange mail, best practice is to limit the data set to 100 or fewer individuals; to share larger data sets, use Secure Share. If you are unsure whether email is appropriate for a particular situation, consult with the appropriate Data Stewards and the UIPO. Always force encryption for messages that contain Restricted or Critical data. This is especially important since any recipient may forward messages you send or have IU email configured to automatically forward all messages to an outside email account. IU mail servers use Office Message Encryption (OME) to encrypt messages sent to external recipients. For more, see About confidential information in email.

  • FireForm:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

  • Google Chat:
    1. All files shared from Google at IU My Drive are available to users in the room or group chat at the comment level within Google My Drive. A copy of the native document is kept in the initiating user's Google My Drive account. Files shared from Google My Drive will adhere to DLP rules as configured within Google My Drive (for example, if a rule blocking SSN is in place, then any native file that matches the SSN DLP rule would be blocked in chat). Google My Drive files shared in multiple domains (for example, IU and Michigan) will prompt users at the time of the share that permissions will change if the file is shared, and that a copy of the document/file will be made available in the other domain's user account or in the user's IU account.
  • Intelligent Infrastructure:
    1. You can use storage on virtual machines as raw space or for file storage within an operating system. For service details, see Intelligent Infrastructure.
    2. You can purchase data protection services on a gigabyte-per-year basis and additional storage capacity on a per-gigabyte basis.
    3. For the most current pricing information, go to Rates for UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about "Intelligent Infrastructure Services". If you have a question or need help, email UITS Storage and Virtualization at sav-request@iu.edu.
  • Kaltura:
    1. This service is not designed for long term storage of Restricted data. Users must ensure that appropriate access restrictions are in place before sharing any data in this application. If you have questions about what Restricted data is appropriate, email iudata@iu.edu.
  • Microsoft Teams Chat:
    1. This service is not designed for long term storage of Restricted data. Users must ensure that appropriate access restrictions are in place before sharing any data in this application. If you have questions about what Restricted data is appropriate, email iudata@iu.edu.
    2. This tool should not be used for long-term storage of Restricted or Critical institutional data. For long-term storage of Restricted or Critical data, use Microsoft at IU Secure Storage.
  • REDCap:
    1. This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

      If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.

    2. This service has been approved for research use cases involving PHI and FERPA data, provided that the data usage has been granted IRB approval and the necessary access restrictions are applied to comply with HIPAA and FERPA. If you have a research use case involving Restricted student data, consult with the Student Data Steward (datastu@iu.edu) before using this platform.
    3. IU's implementation of REDCap provides secure web-based tools for building and managing online surveys and databases. Although IU REDCap stores survey response records that may contain PHI, it is not a data storage solution; therefore, accounts do not have default allotments. If you have questions, email IU REDCap Support at redcap@iu.edu.
  • IU research supercomputers:
    1. On IU's research supercomputers (excluding Big Red 200, which is undergoing review), home directory and local scratch space meets certain requirements in the HIPAA Security Rule that enable their use with research data containing PHI; however, simply storing research data containing PHI on a UITS Research Technologies research supercomputer is not enough to fulfill your responsibilities for protecting the privacy and security of that PHI. Before storing PHI on an IU research supercomputer, make sure you understand the information in the Important considerations regarding PHI section of this document. If you have questions about managing HIPAA-regulated data at IU, email securemyresearch@iu.edu.
    2. On IU's research supercomputers (excluding Big Red 200, which is undergoing review), home directory and local scratch space is appropriate for use with institutional data classified as Restricted.
    3. Home directories on IU's research supercomputers are hosted on Geode. Upon creating an account on any of IU's research supercomputers, you are allotted 100 GB of home directory storage on Geode with a maximum file limit of 800,000 files. If you create additional accounts on other research supercomputers, your data and file quotas are shared among those accounts. Data and file quotas are not enforced on local scratch directories; the amount of local scratch space varies by system.
    4. Maximum file sizes: Home directories (10 GB); local scratch directories (varies by system)
    5. Purge policies for local scratch space varies by system; see Available access to allocated and short-term storage capacity on IU's research systems.
  • SharePoint Online:
    1. UITS recommends using Microsoft at IU Secure Storage for storage of Critical data unless you need to use specific SharePoint Online add-ons and are working with an IT Pro to help maintain user permissions.
    2. Devices must be secured according to IU's Mobile Device Security Standard (IT-12.1); contact your IT Pro for help determining whether your device is secure.

  • Sitehost:
    1. For the most current pricing information, go to Rates for UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about "Intelligent Infrastructure Services". If you have a question or need help, email UITS Storage and Virtualization at sav-request@iu.edu.
  • Windows Hosting Environment:
    1. Extra resources (storage) are billed at the Intelligent Infrastructure rate; for the most current pricing information, go to Rates for UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about "Intelligent Infrastructure Services".

Further reading

For more about working with sensitive institutional data at IU, see IU's Critical Data Guide.

Additionally, see:

This is document bduo in the Knowledge Base.
Last modified on 2024-03-08 11:32:30.