When using UITS Research Technologies systems and services, what are my legal responsibilities for protecting the privacy and security of data containing protected health information (PHI)?
On this page:
About PHI and HIPAA compliance at IU
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).
According to HIPAA, Indiana University is considered a covered entity with hybrid status (i.e., IU is a single legal entity with areas that are affected by HIPAA and others that are not). At IU, a unit is considered a "HIPAA Affected Area" if:
- It has access to PHI through its work as a health care provider, health plan, or an associated supporting service.
- It works with PHI for education or research purposes.
At IU, the regulations and policies governing PHI are applicable to all IU-owned information technology systems and services, whether they are administered by UITS, by a school, or by another academic or administrative department. HIPAA compliance at IU is coordinated by the Chief Compliance Officer in the Office of the Vice President and General Counsel (OVPGC).
Your legal responsibilities when working with PHI
All "HIPAA Affected Areas" at IU (including all individuals associated with those areas) are responsible for protecting the privacy and security of data PHI with which they work. You are responsible for complying with all applicable federal and state regulations, and institutional policies governing work with HIPAA-regulated PHI. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store PHI.
In accordance with IU's HIPAA compliance policies, any principal investigator who wishes to conduct research involving PHI must acquire the appropriate Institutional Review Board (IRB) approval before using any IU-owned resource for work involving PHI. For more, see At IU, where can I find information about IRB requirements for research that involves HIPAA-regulated PHI?
Additionally, IU requires that all personnel working with HIPAA-regulated data receive compliance training on an annual basis. For training options, see the OVPGC HIPAA Compliance Education page.
The Research Technologies division of UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule, thereby enabling their use for research involving data that contain PHI. However, using a UITS Research Technologies resource does not fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use these resources for research involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.
Furthermore, any application (including operating systems) or service you deploy or administer on a Research Technologies resource does not automatically meet the standards required for work involving PHI. For example, although you are permitted to store research data that contain PHI on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the data stored on the VM.
Data containing PHI are permitted on UITS Research Technologies resources only when they are related to research. UITS Research Technologies resources are not appropriate for handling data that are part of current, active patient treatment or service delivery (i.e., they are not medical devices that comply with regulations governing medical devices).
For a list of UITS Research Technologies systems and services that are capable of handling research data that contain PHI, see What systems and services does UITS Research Technologies provide for researchers working with data containing HIPAA-regulated PHI?
Make sure you understand the HIPAA Privacy and Security rules and the penalties for violating HIPAA. Non-compliance may subject you to civil and criminal penalties as outlined in the American Medical Association's HIPAA Violations and Enforcement page.
UITS provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you have questions about managing HIPAA-regulated data at IU, or need help, contact UITS HIPAA Consulting. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.
For more OVPGC resources, see:
This is document ayzm in the Knowledge Base.
Last modified on 2017-02-17 14:19:12.
- Fill out this form to submit your issue to the UITS Support Center.
- Please note that you must be affiliated with Indiana University to receive support.
- All fields are required.