About IU's HIPAA-capable research cyberinfrastructure

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards for maintaining the confidentiality, integrity, and availability of protected health information (PHI), requiring organizations and individuals to implement a series of administrative, physical, and technical safeguards when working with PHI.

At Indiana University, the Research Technologies division of UITS provides several information technology systems and services that meet certain requirements established by the HIPAA Security Rule. IU researchers may use UITS HIPAA-capable services for work involving data protected under HIPAA, including ePHI, only if they institute additional physical, administrative, and technical safeguards that complement those UITS already has in place.

HIPAA-regulated ePHI is permitted on UITS HIPAA-capable resources only when it is related to research. UITS HIPAA-capable resources are not medical devices that comply with US Food and Drug Administration (FDA) regulations governing medical devices, and therefore are not suitable for work involving clinical ePHI (i.e., data that form an integral part of current, active patient treatment or service delivery). Additionally, the "HIPAA-capable" designation should not be confused with "HIPAA-compliant", which is an official designation applicable only to certified US federal agencies.

All IU units (and the individuals associated with them) are responsible for protecting the privacy and security of ePHI data elements with which they work. You are responsible for complying with all applicable federal and state regulations and institutional policies governing work with HIPAA-regulated research data. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store HIPAA-regulated research data.

The use of a UITS HIPAA-capable resource does not fulfill your responsibilities for protecting the privacy and security of the HIPAA-regulated data you collect, manage, process, analyze, or store in conjunction with your research. Furthermore, any software (including operating systems) or service you deploy or administer on a UITS HIPAA-capable resource is not automatically HIPAA-capable. For example, although you are permitted to store ePHI research data on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the ePHI data stored on the VM.

For a list of UITS HIPAA-capable systems and services, see "What technology resources does IU provide for researchers working with data elements containing HIPAA-regulated ePHI?" For an outline of your responsibilities and required safeguards when using UITS HIPAA-capable resources for research involving HIPAA-regulated data elements, see "When using UITS HIPAA-capable systems at IU, what safeguards must I implement to comply with rules that protect the privacy and security of electronic protected health information?"

The UITS Advanced Biomedical IT Core provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.

This is document ayzg in the Knowledge Base.
Last modified on 2015-04-15.
