ARCHIVED: About IU's HIPAA-capable research cyberinfrastructure
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).
At Indiana University, the Research Technologies division of UITS provides several information technology systems and services that meet certain requirements established by the HIPAA Security Rule. IU researchers may use UITS HIPAA-capable services for work involving data protected under HIPAA, including ePHI, only if they institute additional physical, administrative, and technical safeguards that complement those UITS already has in place.
All IU units (and the individuals associated with them) are responsible for protecting the privacy and security of ePHI data elements with which they work. You are responsible for complying with all applicable federal and state regulations, and institutional policies governing work with HIPAA-regulated research data. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store HIPAA-regulated research data.
The use of a UITS HIPAA-capable resource does not fulfill your responsibilities for protecting the privacy and security of the HIPAA-regulated data you collect, manage, process, analyze, or store in conjunction with your research. Furthermore, any software (including operating systems) or service you deploy or administer on a UITS HIPAA-capable resource is not automatically HIPAA-capable. For example, although you are permitted to store ePHI research data on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the ePHI data stored on the VM.
For a list of UITS HIPAA-capable systems and services, see UITS Research Technologies systems and services for researchers working with data containing HIPAA-regulated PHI.
For an outline of your responsibilities and required safeguards when using UITS HIPAA-capable resources for research involving HIPAA-regulated data elements, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.
This is document ayzg in the Knowledge Base.
Last modified on 2023-02-02 12:40:22.