ARCHIVED: Types of sensitive institutional data appropriate for IU REDCap
In accordance with laws and university policies that protect the privacy and security of institutional data, Indiana University's implementation of the Research Electronic Data Capture service (IU REDCap) is appropriate for work involving the following types of institutional data:
- Research data that contain PHI: IU REDCap meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using IU REDCap does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use IU REDCap for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place. For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.
Note:
- Files containing PHI must be encrypted when they are stored (at rest) and when they are transferred between networked systems (in transit). For more, see Recommended tools for encrypting data containing HIPAA-regulated PHI.
- To ensure accountability and prevent access by unauthorized users, you are not permitted to use a group (or departmental) account for work involving PHI.
- Although PHI is classified as Critical data, other types of institutional data classified as Critical are not permitted on Research Technologies systems. For help determining which institutional data elements classified as Critical are considered PHI, see About protected health information (PHI) data elements in the classifications of institutional data.
- If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.
- Institutional data classified as Public: IU REDCap is appropriate for work involving institutional data classified as Public.
Official classifications for institutional data at IU are defined in Management of Institutional Data (DM-01). If you have questions about the classifications of institutional data at IU, see Classification levels of institutional data, use the Data Sharing and Handling (DSH) tool, or contact the appropriate Data Stewards. To determine the most sensitive classification of institutional data you can store on any given UITS service, see Choose an appropriate storage solution.
If you have questions about IU REDCap, or need help setting up or managing an IU REDCap project, email IU REDCap support.
This is document bddn in the Knowledge Base.
Last modified on 2023-04-10 12:52:35.