Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services

About PHI and HIPAA compliance at IU

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

According to HIPAA, Indiana University is considered a covered entity with hybrid status (IU is a single legal entity with areas that are affected by HIPAA and others that are not). At IU, a unit is considered a "HIPAA Affected Area" if:

  • It has access to PHI through its work as a health care provider, health plan, or an associated supporting service.
  • It works with PHI for education or research purposes.

At IU, the regulations and policies governing PHI are applicable to all IU-owned information technology systems and services, whether they are administered by UITS, by a school, or by another academic or administrative department. HIPAA compliance at IU is coordinated by the Chief Compliance Officer in the University Compliance Office. For more, see HIPAA Privacy and Security Compliance.

Your legal responsibilities when working with PHI

All HIPAA Affected Areas at IU (including all individuals associated with those areas) are responsible for protecting the privacy and security of PHI with which they work. You are responsible for complying with all applicable federal and state regulations, and institutional policies governing work with HIPAA-regulated PHI. This includes implementing HIPAA-required administrative, physical, and technical safeguards with regard to any person, process, application, service, or system used to collect, process, manage, analyze, or store PHI.

In accordance with IU's HIPAA compliance policies, any principal investigator who wishes to conduct research involving PHI must acquire the appropriate Institutional Review Board (IRB) approval before using any IU-owned resource for work involving PHI. For more, see Find information about IRB requirements for research at IU that involves HIPAA-regulated PHI.

Additionally, IU requires that all personnel working with HIPAA-regulated data receive compliance training on an annual basis. For training options, see the University Compliance Office's HIPAA Training and Education page.

The Research Technologies division of UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule, thereby enabling their use for research involving data that contain protected health information (PHI). However, using a UITS Research Technologies resource does not by itself fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use these resources for research involving data containing PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

Furthermore, any application (including operating systems) or service you deploy or administer on a Research Technologies resource does not automatically meet the standards required for work involving PHI. For example, although you are permitted to store research data that contain PHI on an IU Intelligent Infrastructure (II) virtual machine (VM), if you choose to manage the VM yourself you are responsible for securing not only the operating system, applications, and services running on the VM, but also the network and devices used to access the data stored on the VM.

Data containing PHI are permitted on UITS Research Technologies resources only when they are related to research. UITS Research Technologies resources are not appropriate for handling data that are part of current, active patient treatment or service delivery (they are not medical devices that comply with regulations governing medical devices).

For a list of UITS Research Technologies systems and services that are capable of handling research data that contain PHI, see UITS Research Technologies systems and services for researchers working with data containing HIPAA-regulated PHI.

Make sure you understand the HIPAA Privacy and Security rules and the penalties for violating HIPAA. Non-compliance may subject you to civil and criminal penalties as outlined in the American Medical Association's HIPAA Violations and Enforcement page.

Get help

If you have questions about securing HIPAA-regulated research data at IU, email SecureMyResearch. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about the division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

This is document ayzm in the Knowledge Base.
Last modified on 2021-09-22 13:08:29.