About form builder services appropriate for sensitive institutional data, including research data containing protected health information

On this page:


Overview

At Indiana University, UITS provides students, faculty, and staff with a variety of form builder services (OnBase, Qualtrics, etc). Some of these services are suitable for collecting, transmitting and storing sensitive institutional data, and some are not. Additionally, some services are baseline IT services (requiring no additional user fees), and some are fee-based services billed directly to the end user (an IU department or school).

This information is to help you understand your legal responsibilities when working with institutional data at IU and identify which UITS services are appropriate for collecting, transmitting and storing various types of institutional data. When working with sensitive institutional data, particularly data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you must make sure the IT services you're using meet the strict data management standards required to protect the security and privacy of your data.

Classifications and management standards for institutional data at IU

Protecting the privacy and security of digital information is a leading concern for information technology users and providers alike. Federal and state laws regulate how institutions, such as businesses, hospitals, and universities, manage the data they collect from the individuals they serve. Federal agencies have funding policies that include stringent requirements for securely managing research data collected from human subjects. Certain types of data, including financial, legal, academic, and health care data, are considered sensitive because misusing them can lead to identity theft, personal financial loss, invasion of privacy, or other forms of unauthorized access.

At Indiana University, official Classification levels of institutional data are defined in Management of Institutional Data (DM-01). Sensitive institutional data elements are classified as Restricted or Critical, and are protected by federal and state laws, and by IU policy.

IU's official data management standards cover all classifications of institutional data, but especially stringent standards apply to work that involves institutional data classified as Restricted or Critical. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing all types of institutional data elements (not just those that are considered sensitive) and sharing institutional data with third parties (see Disclosing Institutional Information to Third Parties (DM-02)).

These standards apply to all users and administrators of IU information technology resources. Every individual who works with sensitive institutional data at IU is responsible for knowing and adhering to IU's official data management standards to help prevent inappropriate disclosures of personal or confidential information that, according to federal and state laws, can result in criminal or civil penalties.

For more, see:

If you have questions about the classifications of institutional data, contact the appropriate Data Steward .

To determine the approved storage options based on the type of data, use the Data Sharing and Handling (DSH) tool, which provides specific guidance on where to store institutional data, and general guidance on sharing, disposal and classification of institutional data.

Important considerations regarding protected health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Anyone working with data containing PHI at IU is legally responsible for protecting the privacy and security of that data in compliance with all applicable federal and state regulations (and university policies). UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule thereby enabling their use for work involving data that contain protected health information (PHI). However, using a UITS resource does not fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use certain UITS resources (as indicated in the Dedicated Form Builder Services table below) for work involving data containing PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

Note:
In accordance with standards for access control mandated by the HIPAA Security Rule, you are not permitted to access data containing protected health information (PHI) using a group (or departmental) account. To ensure accountability and maintain appropriate levels of access control, all users must use an individual login for all work involving PHI.

Choose an appropriate form builder solution

UITS offers several services appropriate for collecting, transmitting and storing institutional data elements of various classifications. Use the tables below to compare key attributes of dedicated form builder solutions available at IU, so you can determine which services suit your needs. If you need help determining the most sensitive classification of institutional data you can store on any given UITS service, contact the University Information Policy Office (UIPO), or use the Data Sharing and Handling (DSH) tool.

Note:

According to Cyber Risk Mitigation Responsibilities (IT-28), all IU units must deploy and use IT systems and services in ways that vigilantly mitigate cyber risks (cybersecurity risks, security risks to physical systems, and risks arising from natural disasters or potential infrastructure failures), and recommends that all IU units use, to the greatest extent practicable, the secure facilities, common IT infrastructure, and enterprise services provided by UITS. For more, see:

Approved for Critical data (including PHI)

The following services are approved for Critical data (including PHI):

Service Service owner contact Fee Developer or specific expertise required Workflow capability Accessible forms 1 Responsive forms Reporting capability IU Login integration available Public access Notifications Cloud hosted
FireForm FireForm Support Request No fee
(baseline service)
No Yes Yes Yes Yes Yes Yes Yes No
OnBase
Unity Forms
 1
OnBase Support Request No fee
(baseline service)
OnBase configuration knowledge required 2 Yes Yes
(with proper configuration)
Yes Yes Yes No Yes No
OnBase
E-Forms
 1
OnBase Support Request No fee
(baseline service)
OnBase configuration and HTML knowledge required 2 Yes Yes
(with proper coding)
Code dependent Yes Yes No Yes No
Qualtrics elearn@iu.edu No fee
(baseline service)
No Yes Yes
(for most form elements)
Yes Yes Yes 1 Yes Yes Yes

Approved for Restricted data

The following services are approved for Restricted data (not approved for Critical data or PHI):

Service Service owner contact Fee Developer or specific expertise required Workflow capability Accessible forms 1 Responsive forms Reporting capability IU Login integration available Public access Notifications Cloud hosted
Form Assembly w/Salesforce BL-UITS-CRM-Dev-Team@exchange.iu.edu $500 per seat 1 No
(but recommended)
No Mostly
(a few issues)
Yes
(if form is built properly)
Yes
(via Salesforce)
Yes Yes Yes Yes
Google Forms elearn@iu.edu No fee
(part of Google at IU)
No No No Yes Yes
(only to Google Sheets)
Yes Yes Yes
(only via
Google Sheets
notification)
Yes
MachForm 1 Departmental solution
(work with vendor)
$249 per year No Yes No
(at least not out of the box)  2
No
(at least not out of the box) 3
Yes Yes Yes Yes No
SharePoint Office@iu.edu No fee
(baseline service)
No
(but recommended)
Yes
(but basic)
Yes
(with proper coding)
Yes Yes
(via export)
Yes No Yes No

Approved for University-Internal data

The following services are approved for University-Internal data only:

Service Service owner contact Fee Developer or specific expertise required Workflow capability Accessible forms 1 Responsive forms Reporting capability IU Login integration available Public access Notifications Cloud hosted
Microsoft Forms 1 Office@iu.edu No fee
(baseline service)
No Yes Yes Yes Yes Yes No Yes
(if using Microsoft Power Automate)
Yes

Approved for Public data

The following service is approved for Public data only:

Service Service owner contact Fee Developer or specific expertise required Workflow capability Accessible forms 1 Responsive forms Reporting capability IU Login integration available Public access Notifications Cloud hosted
Formstack Departmental solution
(work with vendor)
$2,988 per year  1 No Yes Yes Yes Yes Yes Yes Yes Yes

Notes

The following notes are referenced in the tables above.

Accessible forms: Accessibility classifications are currently under review by the IU User Experience Office (UXO). If you have accessibility questions regarding your forms, contact the UXO.

OnBase service: Use of OnBase for storage of PHI must be approved by the OnBase team and may require approval from the IU HIPAA Compliance Office. Forms may require additional review.

OnBase expertise: You must have an OnBase structure built by the Enterprise Business Process Solutions (EBPS) team.

Qualtrics IU Login integration: Although Qualtrics features native support for the CAS protocol, IU's implementation requires that external hosts such as Qualtrics connect via its SAML gateway; for instructions, see Configure your Qualtrics survey to use IU Login.

Form Assembly fee: Form Assembly license fees decrease as group numbers increase.

MachForm service: When processing Restricted or University Internal data, transmitting MachForm data via email should be avoided if possible. For situations that require it (such as storing in OnBase), email transmissions of MachForm data containing Restricted or University Internal data must either be encrypted or remain within the IU Exchange mail system; for details, About confidential information in email. If email transmissions of MachForm data do not meet these requirements, the use of Restricted or University Internal data is not allowed.

MachForm accessible/responsive forms: IU Studios offers a customized platform for MachForm that supports the creation of accessible forms; special consideration is required to ensure an accessible and responsive solution using MachForm.

Microsoft Forms: Forms are stored in Microsoft OneDrive at IU. Only a Microsoft 365 (formerly Office 365) account is required.

Formstack fee: $2,988 per year is the rate for a Platinum membership, which permits 10 users, 100,000 submissions, 10 GB of storage, and 1,000 forms.

This is document arkj in the Knowledge Base.
Last modified on 2021-10-18 13:33:25.