Recommended encryption tools for handling ePHI at IU

Following is information about tools UITS recommends for encrypting electronic protected health information (ePHI) and other sensitive data regulated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Important: Although you can store ePHI and other HIPAA-regulated data on IU research systems, you (and/or your project's principal investigator) are responsible for maintaining the privacy and security of that data in compliance with applicable federal and state regulations and university policies. For more, see At IU, what types of sensitive data are appropriate for the research computing systems?


Encrypting data at rest

On the IU research systems

On the Indiana University research computing systems, to encrypt at-rest ePHI and other HIPAA-regulated data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see What is GPG, and how do I use it to encrypt files on IU's research computing systems?

Important: Although the Research File System (RFS) is HIPAA-capable, RFS does not encrypt stored data, so you must encrypt electronic protected health information (ePHI) before storing it on RFS. If your files are stored locally on an encrypted hard drive (e.g., using PGP Whole Disk Encryption), you still must encrypt the files individually (using an application such as AESCrypt) before transferring them to RFS.
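Because RFS stores whatever bytes it receives, a check before transfer can catch files that were never individually encrypted. The following is an added example, not UITS code: it flags files in a staging directory that begin with neither an OpenPGP encrypted-message header (GPG) nor an AES Crypt header. The file names and sample bytes are constructed for illustration.

```python
import pathlib
import tempfile

# OpenPGP packet tags that can start an encrypted message (RFC 4880).
ENCRYPTED_TAGS = {1, 3, 9, 18}
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def classify(head: bytes) -> str:
    """Classify leading bytes as 'openpgp', 'aescrypt' or 'unencrypted'."""
    if head.lstrip().startswith(ARMOR_HEADER):
        return "openpgp"  # ASCII-armored output (gpg --armor)
    if len(head) >= 4 and head[:3] == b"AES" and head[3] <= 3:
        return "aescrypt"  # AES Crypt container: magic plus a small version byte
    if head and head[0] & 0x80:  # bit 7 is set on every OpenPGP packet header
        # Bit 6 selects the new header format (6-bit tag) or the old one (4-bit tag).
        tag = head[0] & 0x3F if head[0] & 0x40 else (head[0] >> 2) & 0x0F
        if tag in ENCRYPTED_TAGS:
            return "openpgp"
    return "unencrypted"


def unencrypted_files(directory) -> list:
    """Return names of files under directory that do not look encrypted."""
    flagged = []
    for path in sorted(pathlib.Path(directory).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                if classify(fh.read(64)) == "unencrypted":
                    flagged.append(path.name)
    return flagged


def demo() -> list:
    """Stage constructed sample files; return those that must not be transferred."""
    samples = {
        "visits.csv": b"mrn,dob,dx\n0000,1970-01-01,test\n",  # constructed plaintext
        "visits.csv.gpg": bytes([0x8C, 0x0D, 0x04, 0x09]),    # old-format tag 3
        "scan.asc": ARMOR_HEADER + b"\n\nconstructed\n",      # armored message
        "notes.txt.aes": b"AES\x02\x00",                      # AES Crypt header
        "pubring.gpg": bytes([0x99, 0x01, 0x0D]),             # tag 6: a key, not a message
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            pathlib.Path(tmp, name).write_bytes(data)
        return unencrypted_files(tmp)
```

The check reads only the file header, so it confirms the container format and nothing about key strength or passphrase quality; treat a flagged file as a hard stop and a passing file as necessary but not sufficient.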

On personal workstations

On Windows and OS X workstations, to encrypt at-rest ePHI and other sensitive data, use PGP Whole Disk Encryption (WDE). IU faculty, students, and staff can download PGP WDE at no cost from the Security section of IUware. For more, see:

Important: Storing ePHI on laptops or other portable devices is highly discouraged. The HIPAA Security Rule mandates that ePHI data should not be stored on laptops, flash drives, external hard drives, or mobile devices, unless the data are anonymized or strongly encrypted.


Encrypting data transfers


To transfer ePHI and other HIPAA-regulated sensitive data between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.

You can use sftp from the command line on the IU research computing systems (and via the OS X Terminal application). Graphical SFTP clients also are available; for IU students, faculty, and staff, two graphical SFTP clients, CyberDuck (for OS X) and WinSCP (for Windows), are available for free download from IUware.

For more, see: What is SFTP, and how do I use an SFTP client to transfer files?


On the IU research systems, you also can use the scp command to securely transfer data between remote hosts. SCP encrypts the files and any passwords exchanged over the network.

For more, see In Unix, how do I use SCP to securely transfer files between two computers?

Slashtmp (Critical version)

To share HIPAA-regulated data via a web interface, IU graduate students, faculty, and staff can use the Critical version of IU's Slashtmp service.

Important: When using Slashtmp to store data subject to HIPAA regulations, or other information classified as critical at IU (e.g., Social Security numbers, credit card numbers, or bank account numbers), you must choose the "Critical" version from the Slashtmp home page before proceeding with your upload.

Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.

For instructions, see Uploading a file using the Critical version in At IU, what is Slashtmp, and how do I use it?


Getting help

The UITS Advanced Biomedical IT Core provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.


This is document ayzi in the Knowledge Base.
Last modified on 2015-04-15.
