Recommended tools for encrypting data containing HIPAA-regulated PHI
Following is information about tools the Research Technologies division of UITS recommends for encrypting data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA).
Research Technologies provides several systems and services that meet certain requirements established in the HIPAA Security Rule, enabling their use for research involving data that contain PHI. However, you may use those systems for research involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place. For more, see When using UITS Research Technologies systems and services, what are my legal responsibilities for protecting the privacy and security of data containing protected health information?
Encrypting data at rest
On Research Technologies systems
To encrypt at-rest data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see What is GPG, and how do I use it to encrypt files on IU's research computing systems?
Important: The Research File System (RFS) does not encrypt stored data, so you must encrypt data containing PHI before storing it on RFS. Even if your files are stored locally on an encrypted hard drive (e.g., using PGP Whole Disk Encryption), you still must encrypt the files individually (using an application such as AESCrypt) before transferring them to RFS.
On personal workstations
On Windows and OS X workstations, to encrypt at-rest data, use PGP Whole Disk Encryption (WDE). IU faculty, students, and staff can download PGP WDE at no cost from the section of IUware. For more, see:
- Encrypting your Windows computer with PGP Whole Disk Encryption
- Encrypting your Mac OS X computer with PGP Whole Disk Encryption
Important: Storing PHI on laptops or other portable devices is strongly discouraged. The HIPAA Security Rule mandates that data containing PHI should not be stored on laptops, USB flash drives, external hard drives, or mobile devices unless the data are anonymized or strongly encrypted.
Encrypting data transfers
To transfer data containing PHI between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.
You can use sftp from the command line on the IU research computing systems (and via the OS X Terminal application). Graphical SFTP clients also are available; for IU students, faculty, and staff, two graphical SFTP clients, Cyberduck (for OS X) and WinSCP (for Windows), are available for free download.
On the IU research systems, you also can use the scp command to securely transfer data between remote hosts. SCP encrypts the files and any passwords exchanged over the network.
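As an added example (not from this page or from UITS), a small POSIX shell wrapper that enforces the two rules above together: it encrypts a file with GPG before staging, and refuses to copy anything to RFS that does not look like OpenPGP output, so plaintext PHI never lands on unencrypted storage. The RFS host name and remote directory are placeholders, and gpg and scp are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the IU Knowledge Base page.
# RFS_HOST is a placeholder; substitute the real RFS address.
RFS_HOST="rfs.example.invalid"

# looks_gpg_encrypted FILE -> returns 0 if FILE begins like an OpenPGP message.
# Binary gpg output starts with a packet header: tag 3 (symmetric-key session
# key, written by "gpg -c") is 0x8c-0x8f in old format or 0xc3 in new format;
# tag 1 (public-key session key) is 0x84-0x87 or 0xc1. ASCII-armored output
# starts with a "-----BEGIN PGP MESSAGE-----" line. Empty files fail.
looks_gpg_encrypted() {
    f=$1
    [ -s "$f" ] || return 1
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first" in
        8c|8d|8e|8f|c3|84|85|86|87|c1) return 0 ;;
    esac
    head -c 27 "$f" | grep -q -- '-----BEGIN PGP MESSAGE-----'
}

# encrypt_for_rfs FILE PASSPHRASE_FILE -> writes FILE.gpg (AES-256, symmetric)
# and verifies the result before reporting success. --pinentry-mode loopback is
# what GnuPG 2.1+ needs to honour --passphrase-file in --batch mode.
encrypt_for_rfs() {
    gpg --batch --yes --pinentry-mode loopback --symmetric \
        --cipher-algo AES256 --passphrase-file "$2" \
        --output "$1.gpg" "$1" || return 1
    looks_gpg_encrypted "$1.gpg"
}

# stage_to_rfs FILE REMOTE_DIR -> copies FILE over scp only if it passes the check.
stage_to_rfs() {
    if ! looks_gpg_encrypted "$1"; then
        echo "refusing to transfer $1: not GPG-encrypted" >&2
        return 1
    fi
    scp "$1" "$RFS_HOST:$2/"
}
```

The check is deliberately cheap and offline, so it can also run as a pre-transfer gate in a batch job without needing the passphrase.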
Slashtmp (Critical version)
IU graduate students, faculty, and staff can use the Critical version of IU's web-based Slashtmp service to share institutional data classified as Critical, including data that contains PHI.
Important: When using Slashtmp to store data subject to HIPAA regulations, or other information classified as critical at IU (e.g., Social Security numbers, credit card numbers, or bank account numbers), you must choose the "Critical" version from the Slashtmp home page before proceeding with your upload.
Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.
The UITS Advanced Biomedical IT Core provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of the Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.
This is document ayzi in the Knowledge Base.
Last modified on 2015-05-12.