ARCHIVED: About IU's HIPAA-capable research cyberinfrastructure
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards for maintaining the confidentiality, integrity, and availability of protected health information (PHI), requiring organizations and individuals to implement a series of administrative, physical, and technical safeguards when working with PHI.
At Indiana University, the Research Technologies division of UITS provides several information technology systems and services that meet certain requirements established by the HIPAA Security Rule. IU researchers may use UITS HIPAA-capable services for work involving data protected under HIPAA, including electronic protected health information (ePHI), only if they institute additional physical, administrative, and technical safeguards that complement those UITS already has in place.
All IU units (and the individuals associated with them) are responsible for protecting the privacy and security of ePHI data elements with which they work. You are responsible for complying with all applicable federal and state regulations and institutional policies governing work with HIPAA-regulated research data. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store HIPAA-regulated research data.
The use of a UITS HIPAA-capable resource does not fulfill your responsibilities for protecting the privacy and security of the HIPAA-regulated data you collect, manage, process, analyze, or store in conjunction with your research. Furthermore, any software (including operating systems) or service you deploy or administer on a UITS HIPAA-capable resource is not automatically HIPAA-capable. For example, although you are permitted to store ePHI research data on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself, you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the ePHI data stored on the VM.
For a list of UITS HIPAA-capable systems and services, see "What systems and services does UITS Research Technologies provide for researchers working with data containing HIPAA-regulated PHI?" For an outline of your responsibilities and required safeguards when using UITS HIPAA-capable resources for research involving HIPAA-regulated data elements, see "When using UITS Research Technologies systems and services, what are my legal responsibilities for protecting the privacy and security of data containing protected health information?"
The UITS Advanced Biomedical IT Core provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.
This is document ayzg in the Knowledge Base.
Last modified on 2015-05-12.