About IU's research cyberinfrastructure and HIPAA alignment
At Indiana University, the Research Technologies division of UITS provides a variety of information technology systems and services that are suitable for use in research involving electronic protected health information (ePHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
UITS administers these resources using data security and IT management best practices that conform to standards established by the National Institute of Standards and Technology (NIST) in its Special Publication 800-53, as recommended by the US Department of Health and Human Services (HHS), which oversees HIPAA regulation.
As a result, these UITS systems and services have been designated "HIPAA-aligned". The establishment of the "HIPAA-aligned" designation at IU involved an 18-month effort in 2007 and 2008, which was led by a committee representing the IU Office of Research Administration (Compliance) and the IU School of Medicine (IUSM). However, the "HIPAA-aligned" designation should not be confused with "HIPAA-compliant", which is an official designation applicable only to certified US federal agencies.
By operating "HIPAA-aligned" resources, UITS makes it possible for researchers who take the necessary precautions, as explained below, to work with data that contain ePHI.
Important: Your use of a UITS "HIPAA-aligned" system or service does not in any way fulfill your responsibilities for protecting the privacy and security of any data elements containing ePHI that you collect, manage, process, analyze, or store in connection with your research. Furthermore, any software (including operating systems) or services you deploy or administer cannot be considered "HIPAA-aligned" solely because they are hosted on a UITS "HIPAA-aligned" resource.
All IU units (and the individuals associated with them) are responsible for protecting the privacy and security of any ePHI data with which they work. They are responsible for applying the HIPAA-required administrative, physical, and technical safeguards to any person, process, application, service, or system used to collect, process, manage, analyze, or store ePHI data. In addition to complying with all applicable federal and state regulations, IU units and individuals are responsible for complying with institutional policies governing work with ePHI data.
If you use a UITS HIPAA-aligned system or service for work that involves ePHI research data, you (and/or your project's principal investigator) have the following responsibilities:
- As owner of the ePHI research data, you are responsible for maintaining the privacy and security of that data in compliance with applicable federal and state regulations. Make sure you understand the HIPAA Privacy and Security rules and the penalties for violating HIPAA. Failure to do so may subject you to civil and criminal penalties as outlined in the American Medical Association's HIPAA Violations and Enforcement page.
Note: IU provides several training resources to help IU researchers with HIPAA compliance.
- You are responsible for following IU's HIPAA compliance policies. Principal investigators conducting research involving ePHI must submit data management plans and acquire the appropriate Institutional Review Board (IRB) approvals before using any IU-owned system or service to work with ePHI data. See At IU, where can I find information about IRB requirements for working with HIPAA-regulated research data?
Additionally, IU requires that all personnel working with ePHI receive HIPAA compliance training on an annual basis. For training options, see the OVPGC HIPAA Compliance Education page.
- You are responsible for implementing administrative controls for ensuring the privacy and security of ePHI research data. Such administrative controls include maintaining appropriate access permissions for current and former project team members, and implementing user policies that protect any ePHI data your project collects.
- You are responsible for implementing technical controls that restrict access to the ePHI research data your project collects. Such technical controls include setting file and directory permissions that grant read, write, and execute permissions only to the owner, and using encryption when moving and storing data.
Note: In accordance with standards for access control mandated by the HIPAA Security Rule, you are not permitted to access ePHI data using a group (or departmental) account. To ensure accountability and enable only authorized users to access ePHI data, IU researchers must use their personal Network ID credentials for all work involving ePHI data.
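The owner-only permission control described above can be audited and enforced with a short script. This is an added example, not tooling from IU or UITS; it assumes a POSIX shell with a find(1) that supports -perm /mode (GNU and BSD), and runs on a constructed scratch directory rather than real ePHI.

```shell
#!/bin/sh
# Audit a research data tree for files or directories that grant any
# permission to group or others, then tighten them to owner-only
# (700 for directories, 600 for regular files).
# Example code, not IU's or UITS's own tooling. Assumes find -perm /mode.

# Print every path under $1 whose mode grants group or others anything.
# Returns 0 when the whole tree is owner-only, 1 otherwise.
audit_owner_only() {
    violations=$(find "$1" -perm /077 2>/dev/null)
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# Number of offending entries under $1 (0 when the tree is clean).
count_violations() {
    find "$1" -perm /077 2>/dev/null | wc -l | tr -d ' '
}

# Restrict the tree to the owner. Execute is dropped from regular files so
# data files cannot be run by accident; re-add it only for scripts you own.
enforce_owner_only() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Demonstration on a constructed scratch tree (sample content, not ePHI).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/project/raw"
    printf 'constructed sample record\n' > "$tmp/project/raw/subjects.csv"
    chmod 755 "$tmp/project" "$tmp/project/raw"   # deliberately too open
    chmod 644 "$tmp/project/raw/subjects.csv"     # world-readable
    before=$(count_violations "$tmp/project")
    enforce_owner_only "$tmp/project"
    after=$(count_violations "$tmp/project")
    echo "violations before: $before, after: $after"
    rm -rf "$tmp"
}

demo
```

Running audit_owner_only periodically (for example from cron) against your project directory gives a simple check that permissions have not drifted after new team members or tools have touched the data.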
The UITS Advanced Biomedical IT Core provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing ePHI research data. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.
This is document ayzg in the Knowledge Base.
Last modified on 2015-02-13.