About form builder services appropriate for sensitive institutional data, including research data containing protected health information

At Indiana University, UITS provides students, faculty, and staff with a variety of form builder services (OnBase, Qualtrics, etc.). Some of these services are suitable for collecting, transmitting, and storing sensitive institutional data, and some are not. Additionally, some services are baseline IT services (requiring no additional user fees), and some are fee-based services billed directly to the end user (an IU department or school).

Following is information to help you understand your legal responsibilities when working with institutional data at IU and identify which UITS services are appropriate for collecting, transmitting and storing various types of institutional data. When working with sensitive institutional data, particularly data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you must make sure the IT services you're using meet the strict data management standards required to protect the security and privacy of your data.

Classifications and management standards for institutional data at IU

Protecting the privacy and security of digital information is a leading concern for information technology users and providers alike. Federal and state laws regulate how institutions, such as businesses, hospitals, and universities, manage the data they collect from the individuals they serve. Federal agencies have funding policies that include stringent requirements for securely managing research data collected from human subjects. Certain types of data, including financial, legal, academic, and health care data, are considered sensitive because misusing them can lead to identity theft, personal financial loss, invasion of privacy, or other forms of unauthorized access.

At IU, official classification levels for institutional data are defined in the university's Management of Institutional Data (DM-01) policy. Sensitive institutional data elements are classified as Restricted or Critical, and are protected by federal and state laws, and by IU policy.

IU's official data management standards cover all classifications of institutional data, but especially stringent standards apply to work that involves institutional data classified as Restricted or Critical. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing all types of institutional data elements (not just those that are considered sensitive) and sharing institutional data with third parties.

These standards apply to all users and administrators of IU information technology resources. Every individual who works with sensitive institutional data at IU is responsible for knowing and adhering to IU's official data management standards to help prevent inappropriate disclosures of personal or confidential information that, according to federal and state laws, can result in criminal or civil penalties.

For more, see:

If you have questions about the classifications of institutional data, contact the appropriate Data Steward.

To determine the approved storage options based on the type of data, use the Data Sharing and Handling (DSH) tool. The Data Sharing and Handling tool is intended to provide specific guidance on where to store institutional data, and general guidance on sharing, disposal and classification of institutional data.

Important considerations regarding protected health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Anyone working with data containing PHI at IU is legally responsible for protecting the privacy and security of that data in compliance with all applicable federal and state regulations (and university policies). UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule, thereby enabling their use for work involving data that contain protected health information (PHI). However, using a UITS resource does not by itself fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use certain UITS resources (as indicated in the form builder service tables below) for work involving data containing PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

UITS provides consulting and online help for Indiana University researchers, faculty, and staff who need help securely processing, storing, and sharing data containing protected health information (PHI). If you have questions about managing HIPAA-regulated data at IU, contact UITS HIPAA Consulting. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.

Note:
In accordance with standards for access control mandated by the HIPAA Security Rule, you are not permitted to access data containing protected health information (PHI) using a group (or departmental) account. To ensure accountability and maintain appropriate levels of access control, all users must use an individual login for all work involving PHI.

Choose an appropriate form builder solution

UITS offers several services appropriate for collecting, transmitting, and storing institutional data elements of various classifications. Use the tables below to compare key attributes of dedicated form builder solutions available at IU, so you can determine which services suit your needs. If you need help determining the most sensitive classification of institutional data you can store on any given UITS service, contact the University Information Policy Office (UIPO), or use the Data Sharing and Handling (DSH) tool (IU login required).

Note:

IU's Cyber Risk Mitigation Responsibilities (IT-28) policy requires all IU units to deploy and use IT systems and services in ways that vigilantly mitigate cyber risks (cybersecurity risks, security risks to physical systems, and risks arising from natural disasters or potential infrastructure failures), and recommends that all IU units use, to the greatest extent practicable, the secure facilities, common IT infrastructure, and enterprise services provided by UITS. For more, see:

Approved for Critical data (including PHI)

The following services are approved for Critical data (including PHI):

| Service | Service owner contact | Cost | Developer or specific expertise required | Workflow capability | Accessible forms (note 1) | Responsive forms | Reporting capability | CAS integration available | Public access | Notifications | Cloud hosted |
|---|---|---|---|---|---|---|---|---|---|---|---|
| OnBase Unity Forms (note 2) | obreq@iu.edu | No charge (baseline service) | OnBase configuration knowledge required (note 3) | Yes | Yes (with proper configuration) | Yes | Yes | Yes (VPN required) | No | Yes | No |
| OnBase E-Forms (note 2) | obreq@iu.edu | No charge (baseline service) | OnBase configuration and HTML knowledge required (note 3) | Yes | Yes (with proper coding) | Code dependent | Yes | Yes (VPN required) | No | Yes | No |
| Qualtrics | elearn@iu.edu | $100 per year (limited; note 4); $750 per year (single user unlimited); $4,000 per year (division license) | No | Yes | Yes (for most form elements) | Yes | Yes | Yes (note 5) | Yes | Yes | Yes |

Approved for Restricted data

The following services are approved for Restricted data only (not approved for Critical data or PHI):

| Service | Service owner contact | Cost | Developer or specific expertise required | Workflow capability | Accessible forms (note 1) | Responsive forms | Reporting capability | CAS integration available | Public access | Notifications | Cloud hosted |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Form Assembly w/Salesforce | BL-UITS-CRM-Dev-Team@exchange.iu.edu | $500 per seat (note 6) | No (but recommended) | No | Mostly (a few issues) | Yes (if form is built properly) | Yes (via Salesforce) | Yes | Yes | Yes | Yes |
| Google Forms | elearn@iu.edu | No cost (part of Google at IU) | No | No | No | Yes | Yes (only to Google Sheets) | Yes | Yes | Yes (only via Google Sheet notification) | Yes |
| K2 (note 7) | Office@iu.edu | No charge (baseline service) | Yes | Yes | Yes (with proper coding) | Yes (with proper coding) | Yes | Yes | No | Yes | Yes |
| MachForm (note 8) | Departmental solution (work with vendor) | $249 per year | No | Yes | No (at least not out of the box; note 9) | No (at least not out of the box; note 9) | Yes | Yes | Yes | Yes | No |
| SharePoint | Office@iu.edu | No charge (baseline service) | No (but recommended) | Yes (but basic) | Yes (with proper coding) | Yes | Yes (via export) | Yes | No | Yes | No |

Approved for University-internal data

The following services are approved for University-internal data only:

| Service | Service owner contact | Cost | Developer or specific expertise required | Workflow capability | Accessible forms (note 1) | Responsive forms | Reporting capability | CAS integration available | Public access | Notifications | Cloud hosted |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Forms (note 10) | Office@iu.edu | No charge (baseline service) | No | Yes | Yes | Yes | Yes | Yes | No | Yes (if using Microsoft Flow) | Yes |

Approved for Public data

The following service is approved for Public data only:

| Service | Service owner contact | Cost | Developer or specific expertise required | Workflow capability | Accessible forms (note 1) | Responsive forms | Reporting capability | CAS integration available | Public access | Notifications | Cloud hosted |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Formstack | Departmental solution (work with vendor) | $2,988 per year (note 11) | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Notes

The following notes are referenced in the tables above:

  1. Accessibility classifications are currently under review by the IU User Experience Office (UXO). If you have accessibility questions regarding your forms, contact the UXO.
  2. Use of OnBase for storage of PHI must be approved by the OnBase team and may require approval from the IU HIPAA Compliance Office. Forms may require additional review.
  3. You must have an OnBase structure built by the Enterprise Document Management (EDM) team.
  4. The Limited license provides a maximum of three active forms at any one time.
  5. Although Qualtrics features native support for CAS authentication, IU's CAS implementation requires that external hosts such as Qualtrics connect via its Shibboleth gateway; for instructions, see Configure your Qualtrics survey to use CAS at IU.
  6. Form Assembly license costs decrease as group numbers increase.
  7. K2 is a third-party tool used with SharePoint Online.
  8. When processing Restricted or University Internal data, transmitting MachForm data via email should be avoided if possible. For situations that require it (such as storing in OnBase), email transmissions of MachForm data containing Restricted or University Internal data must either be encrypted or remain within the IU Exchange mail system; for details, see About confidential information in email. If email transmissions of MachForm data do not meet these requirements, the use of Restricted or University Internal data is not allowed.
  9. IU Communications offers a customized platform for MachForm that supports the creation of accessible forms; special consideration is required to ensure an accessible and responsive solution using MachForm.
  10. Office 365 forms are stored in SharePoint Online within Office 365. Only an Office 365 account is required.
  11. $2,988 per year is the rate for a Platinum membership, which permits 10 users, 100,000 submissions, 10 GB of storage, and 1,000 forms.

This is document arkj in the Knowledge Base.
Last modified on 2019-01-21 16:40:39.

Contact us

For help or to comment, email the UITS Support Center.