ARCHIVED: About IU's HIPAA-capable research cyberinfrastructure

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

At Indiana University, the Research Technologies division of UITS provides several information technology systems and services that meet certain requirements established by the HIPAA Security Rule. IU researchers may use UITS HIPAA-capable services for work involving data protected under HIPAA, including ePHI, only if they institute additional physical, administrative, and technical safeguards that complement those UITS already has in place.

HIPAA-regulated ePHI is permitted on UITS HIPAA-capable resources only when it is related to research. UITS HIPAA-capable resources are not medical devices that comply with US Food and Drug Administration (FDA) regulations governing medical devices, and therefore are not suitable for work involving clinical ePHI (i.e., data that form an integral part of current, active patient treatment or service delivery). Additionally, the "HIPAA-capable" designation should not be confused with "HIPAA-compliant", which is an official designation applicable only to certified US federal agencies.

All IU units (and the individuals associated with them) are responsible for protecting the privacy and security of ePHI data elements with which they work. You are responsible for complying with all applicable federal and state regulations, and institutional policies governing work with HIPAA-regulated research data. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store HIPAA-regulated research data.

The use of a UITS HIPAA-capable resource does not fulfill your responsibilities for protecting the privacy and security of the HIPAA-regulated data you collect, manage, process, analyze, or store in conjunction with your research. Furthermore, any software (including operating systems) or service you deploy or administer on a UITS HIPAA-capable resource is not automatically HIPAA-capable. For example, although you are permitted to store ePHI research data on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the ePHI data stored on the VM.

For a list of UITS HIPAA-capable systems and services, see "UITS Research Technologies systems and services for researchers working with data containing HIPAA-regulated PHI". For an outline of your responsibilities and required safeguards when using UITS HIPAA-capable resources for research involving HIPAA-regulated data elements, see "Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services".

This is document ayzg in the Knowledge Base.
Last modified on 2018-01-18 16:24:53.
