Recommended tools for encrypting data containing HIPAA-regulated PHI

On this page:

Overview

This information is about tools that UITS Research Technologies recommends for encrypting data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA).

The Research Technologies division of UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule thereby enabling their use for research involving data that contain protected health information (PHI). However, using a UITS Research Technologies resource does not fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use these resources for research involving data containing PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place. For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

Encrypt data at rest

On personal workstations

Important:
Storing PHI on laptops or other portable devices is highly discouraged. The HIPAA Security Rule mandates that data containing PHI should not be stored on laptops, USB flash drives, external hard drives, or mobile devices unless the data are anonymized or strongly encrypted.

Use disk encryption on any device you use to access or store sensitive data. For disk encryption, UITS recommends:

On Research Technologies systems

To encrypt at-rest data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see Use GPG to encrypt files on IU's research supercomputers.

For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

Encrypt data transfers

SFTP

To transfer data containing PHI between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.

You can use sftp from the command line on the IU research supercomputers (and via the macOS Terminal application). Graphical SFTP clients such as CyberDuck (for macOS) and WinSCP (for Windows) are available for free download.

For more, see Use SFTP to transfer files.

SCP

On the IU research systems, you also can use the scp command to securely transfer data between remote hosts. SCP encrypts the files and any passwords exchanged over the network.

For more, see Use SCP to securely transfer files between two Unix computers.

Secure Share

IU students, faculty, and staff can use Secure Share to share Critical data, including data that contains PHI.

Your Secure Share files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Secure Share files are not backed up; when you delete a file, there is no way to recover it. Do not use Secure Share as the only place to keep files you cannot afford to lose.

Get help

If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

This is document ayzi in the Knowledge Base.
Last modified on 2023-03-28 12:56:56.