Shared responsibility model for securing PHI on UITS systems

At Indiana University, securing protected health information (PHI) is a shared responsibility. While UITS provides systems and services with certain safeguards in place to make HIPAA compliance easier for researchers, their use is not sufficient in and of itself to ensure that IU, as a covered entity, is HIPAA compliant. Compliance is achieved only when UITS, the researcher, the researcher's department, and the researcher's project team members all do their due diligence to ensure end-to-end security.

Use the tables below as guides on the division of responsibility when using a UITS system approved for PHI. If you need further help or have questions, refer to the Get help section.

On this page:


HIPAA compliance plans

HIPAA requirement UITS responsibilities Department responsibilities PI responsibilities Research group member responsibilities
A documented HIPAA compliance plan, including policies and procedures

UITS has a mature HIPAA compliance plan, including policies and procedures that closely follows the IU HIPAA compliance plan. The UITS HIPAA program is administered by the IU Center for Applied Cybersecurity Research (CACR).

HIPAA compliance plans:

A documented, department-level HIPAA compliance plan, including departmental policies and procedures

Understand and follow IU's:

The IU HIPAA Privacy and Security Officers (hipaa@iu.edu) can help with department-level planning.

A project-level HIPAA compliance plan describing policies and procedures the PI has implemented to protect PHI Follow the project-level HIPAA compliance plan.
Ongoing risk management and reviews UITS systems approved for PHI undergo documented annual review and risk assessments throughout their lifecycles. Annual review of the department-level HIPAA obligations by department head, HIPAA liaison, or IT Pro in compliance with IU HIPAA policies and procedures and guidance provided by the IU HIPAA Privacy and Security Officers Annual review of the project-level HIPAA compliance plan and, as appropriate, for significant changes in workflow and system use

Administrative safeguards

HIPAA requirement UITS responsibilities Department responsibilities PI responsibilities Research group member responsibilities
Documented administrative safeguards

UITS has in place documented administrative safeguards that apply to UITS and its workforce. Examples include contingency planning, HR procedures, and security incident response procedures.

A UITS system is approved for PHI only after it undergoes a rigorous risk-management process that is subject to review by the IU HIPAA Privacy and Security Officers, the University Information Security Office, and the IU Internal Audit.

UITS leverages the NIST Risk Management Framework (RMF) to manage cybersecurity risk to PHI.

Identify, implement, and document appropriate administrative safeguards that apply to the department and its Workforce. Examples include on-boarding and off-boarding process, contingency planning, and security incident response procedures.

Consult HIPAA procedure HIPAA-SPR01 to ensure that the required administrative safeguards are implemented.

Implement and document project-level administrative safeguards (managing access to PHI). For example, a routine review of access to PHI and de-provisioning of access when staff depart the unit, or when need-to-know changes.

Follow department-level administrative safeguards.

Follow project- and department-level administrative safeguards.
Awareness and training

UITS staff who maintain systems with PHI are required to take IU HIPAA training and UITS-specific HIPAA training. All training is tracked and reported annually to the IU HIPAA Privacy Officer.

UITS has staff awareness measures, including internal phishing campaigns, UISO, CERT, and vendor alerts.

UITS provides user awareness and training via the Knowledge Base, YouTube, IT Training and Education, campus events, and one-on-one engagements.

Communicate HIPAA training requirements to the department. Track and report the unit's HIPAA training annually to the IU HIPAA Privacy Officer.

Provide user training on how to use departmental resources (workstations) safely for PHI.

Raise security awareness through alerts and other means.

Ensure all group members take annual HIPAA, system-specific, and department-level trainings. Take annual HIPAA, system-specific, and department-level trainings.

Physical safeguards

HIPAA requirement UITS responsibilities Unit responsibilities PI responsibilities Research group member responsibilities
Documented physical safeguards UITS has implemented and documented specific physical safeguards that apply to UITS Data Centers, facilities, and workstations. Examples include multi-layered physical access control, such as locked doors and biometric authentication, surveillance cameras, environmental controls, backup power, and media sanitization before reuse and disposal.

Implement and document specific physical safeguards that apply to department workstations and facilities, as well as to physical media that store PHI. Examples include locked doors, media sanitization before reuse and disposal, locking hard copies of reports, securing media (CDs, DVDs, USB drives) when not in use, and shredding documents.

Consult HIPAA procedure HIPAA-SPR01 to ensure that the required physical safeguards are implemented.

Implement and document physical safeguards within the research environment. Ensure physical safeguards.

Technical safeguards

HIPAA requirement UITS responsibilities Unit responsibilities PI responsibilities Research group member responsibilities
Documented technical safeguards UITS has implemented and documented technical safeguards for UITS systems and infrastructure. Examples include logical access control, automatic log-off, logging, log review, encryption, and vulnerability scans.

Implement and document specific technical safeguards that apply to department-level services, hardware, and infrastructure. Examples include using central systems and services approved for PHI, application whitelisting, logging, encrypting data at rest and in transit, and automatic log-off or lock-out of workstations after 15 minutes.

Help the PI implement technical safeguards.

Consult HIPAA procedure HIPAA-SPR01 to ensure that the required technical safeguards are implemented.

Implement and document specific technical safeguards that apply to the research project. Examples include ensuring mobile device security and implementing file level encryption on files containing PHI. Ensure technical safeguards are implemented.

Organizational requirements

HIPAA requirement UITS responsibilities Department responsibilities PI responsibilities Research group member responsibilities
Business Associate Agreements UITS uses an external vendor system or service (cloud) for PHI only after a proper HIPAA risk assessment is completed and the vendor has signed a HIPAA Business Associate Agreement (BAA) with IU.

Complete the IU Software and Services Selection Process (SSSP) review and third-party assessment required under IU's Disclosing Institutional Information to Third Parties (DM-02) policy. Work with the IU HIPAA Privacy Officer (hipaa@iu.edu) to ensure a HIPAA BAA is in place before using an external vendor for PHI.

Provide BAA awareness to the researchers.

Confirm (with the unit's HIPAA liaison or IT Pro) that a HIPAA BAA is in place before using an external vendor or service involving PHI.

Train group members.

Ensure that IU has a BAA is in place before using an external vendor or service involving PHI.

Get help

UITS provides consulting and online help for Indiana University researchers, faculty, and staff who need help securely processing, storing, and sharing data containing protected health information (PHI). If you have questions about managing HIPAA-regulated data at IU, contact UITS HIPAA Consulting. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.

This is document aqqk in the Knowledge Base.
Last modified on 2019-01-11 11:52:53.

Contact us

For help or to comment, email the UITS Support Center.