At IU, which dedicated file storage services and IT services with storage components are appropriate for sensitive institutional data, including research data containing protected health information?

At Indiana University, UITS provides students, faculty, and staff with a variety of dedicated file storage services (e.g., Enterprise Box, the Scholarly Data Archive, Slashtmp) and several information technology services that feature storage components (e.g., Exchange and Webserve). Some of these services are suitable for storing sensitive institutional data, and some are not. Additionally, some services are baseline IT services (requiring no additional user fees), and some are fee-based services billed directly to the end user (e.g., an IU department or school).

Following is information to help you understand your legal responsibilities when working with institutional data at IU and identify which UITS services are appropriate for storing various types of institutional data. When working with sensitive institutional data, particularly data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you must make sure the IT services you're using meet the strict data management standards required to protect the security and privacy of your data.

Note:
In accordance with standards for access control mandated by the HIPAA Security Rule, you are not permitted to access data containing protected health information (PHI) using a group (or departmental) account. To ensure accountability and permit access to authorized users only, IU researchers must use their personal IU username and passphrase for all work involving PHI.

Classifications and management standards for institutional data at IU

Protecting the privacy and security of digital information is a leading concern for information technology users and providers alike. Federal and state laws regulate how institutions, such as businesses, hospitals, and universities, manage the data they collect from the individuals they serve. Federal agencies have funding policies that include stringent requirements for securely managing research data collected from human subjects. Certain types of data, including financial, legal, academic, and health care data, are considered sensitive because misusing them can lead to identity theft, personal financial loss, invasion of privacy, or other forms of unauthorized access.

At IU, official classification levels for institutional data are defined in the university's Management of Institutional Data (DM-01) policy. Sensitive institutional data elements are classified as Restricted or Critical, and are protected by federal and state laws, and by IU policy.

IU's official data management standards cover all classifications of institutional data, but especially stringent standards apply to work that involves institutional data classified as Restricted or Critical. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing all types of institutional data elements (i.e., not just those that are considered sensitive).

These standards apply to all users and administrators of IU information technology resources. Every individual who works with sensitive institutional data at IU is responsible for knowing and adhering to IU's official data management standards to help prevent inappropriate disclosures of personal or confidential information that, according to federal and state laws, can result in criminal or civil penalties.

If you have questions about the classifications of institutional data, contact the appropriate Data Steward.

For help understanding how to securely handle, store, and share institutional data, use the Data Storage and Handling (DSH) tool.

Important considerations regarding protected health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Researchers working with data containing PHI are legally responsible for protecting the privacy and security of that data in compliance with all applicable federal and state regulations (and university policies). UITS Research Technologies provides several systems and services that meet certain requirements established in the HIPAA Security Rule, enabling their use for research involving data that contain protected health information (PHI). Researchers may use these resources for research involving data that contain PHI only if they institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

Carefully consider the following warnings:

  • UITS Research Technologies resources are not appropriate for handling data that are part of current, active patient treatment or service delivery (i.e., they are not medical devices that comply with regulations governing medical devices).
  • Using a Research Technologies resource does not fulfill your legal responsibilities (as noted above) for protecting the privacy and security of research data that contain PHI. Furthermore, any application (including operating systems) or service you deploy or administer on a Research Technologies resource does not automatically meet the standards required for work involving PHI.
  • You are legally responsible for securing the end-to-end flow of research data containing PHI as they pass from collection instruments to workstations, from workstations (via local area networks) to departmental servers, and from departmental servers (via the IU network) to UITS central systems.

For details, see When using UITS Research Technologies systems and services, what are my legal responsibilities for protecting the privacy and security of data containing protected health information (PHI)?

Note:
Although PHI is one type of institutional data classified as Critical at IU, other types of institutional data classified as Critical are not permitted on Research Technologies systems. Except for PHI, the most sensitive classification of institutional data allowed on Research Technologies resources is Restricted. For help determining which institutional data elements classified as Critical are considered PHI, see Which data elements in the classifications of institutional data are considered protected health information (PHI)?

UITS provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you have questions about managing HIPAA-regulated data at IU, or need help, contact UITS HIPAA Consulting. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.

Important considerations for federally funded research projects

The National Science Foundation (NSF) and National Institutes of Health (NIH) have specific policies governing the retention, dissemination, and sharing of research results. Proposals for NSF-funded projects require formal data management plans. NIH-funded projects must submit peer-reviewed journal manuscripts to PubMed Central (PMC) and include PMC reference numbers for those papers when citing them in proposals for further NIH support.

UITS Research Technologies can help researchers prepare data management plans and provide post-award grant support. For more, see What cyberinfrastructure facilities and information do UITS and the Pervasive Technology Institute provide to help me prepare grant proposals and data management plans?

Choosing an appropriate storage solution

UITS offers several services appropriate for storing institutional data elements of various classifications. Use the table below to compare key attributes of dedicated file storage services and IT services with storage components available at IU, so you can determine which services are suitable for storing your data. If you need help determining the most sensitive classification of institutional data you can store on any given UITS service, contact the University Information Policy Office (UIPO), or use the Data Storage and Handling (DSH) tool.

Note:
IU's Cyber Risk Mitigation Responsibilities (IT-28) policy requires all IU units to deploy and use IT systems and services in ways that vigilantly mitigate cyber risks (e.g., cybersecurity risks, security risks to physical systems, and risks arising from natural disasters or potential infrastructure failures), and recommends that all IU units use, to the greatest extent practicable, the secure facilities, common IT infrastructure, and enterprise services provided by UITS.

Dedicated file storage services

| Service | Approved for PHI | Most sensitive institutional data classification allowed (other than PHI) (note 1) | Role-based access control | Native mobile app integration | Cross-platform | Default allotment | Maximum file size | Inline preview | Permanent storage | Offline sync | Backups | Cost (note 2) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Box: File sharing and storage | Only with BHDA | Restricted (note 3) | Yes | Yes | Yes | Unlimited | 15 GB | Yes | Yes | Yes | Yes | No charge (baseline service) |
| Data Capacitor II: Temporary storage of research data | Yes (note 4) | Restricted | Yes | No | No | 10 TB (project directories); n/a (scratch directories) (note 5) | 10 TB | No | No (note 6) | No | No | No charge (baseline service) |
| Google Drive at IU (note 7): File sharing and storage, project sites | No | Restricted (note 8) | Yes | Yes | Yes | Unlimited | 5 TB | Yes | Yes | No | No | No charge (baseline service) |
| HELPnet Critical Data Infrastructure: File storage for critical data | Yes | Critical | Yes | No | Yes | Unlimited | Varies by format | No | Yes | No | Yes | $30/user/month (discounts available based on total number of users) |
| OneDrive for Business: File sharing and storage | No | University-internal | Yes | Yes | Yes | 1 TB | 2 GB | Yes | Yes | No | No | No charge (baseline service) |
| OnBase: Secure electronic document storage | No | Critical | Yes | No | Yes | Unlimited | 2 GB (note 9) | No | Yes | No | Yes | No charge (baseline service) |
| Scholarly Data Archive: Archival storage for research data | Yes | Restricted | Yes | Web only | Yes | 50 TB | 10 TB | No | Yes | No | No (note 10) | No charge (up to 50 TB) (note 11) |
| Slashtmp Critical: Sharing critical data | Yes | Critical | Yes | Web only | Yes | 4 GB | 2 GB | No | No (note 12) | No | No | No charge (baseline service) |
| Slashtmp Simple: Sharing non-critical data | No | Public | Yes | Web only | Yes | 4 GB | 2 GB | No | No (note 12) | No | No | No charge (baseline service) |

IT services with storage components

| Service | Approved for PHI | Most sensitive institutional data classification allowed (other than PHI) (note 13) | Role-based access control | Native mobile app integration | Cross-platform | Default allotment | Maximum file size | Inline preview | Permanent storage | Offline sync | Backups | Cost (note 14) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced Visualization Lab: Long-term storage for visualization data | Yes | Restricted | Varies by service (note 15) | No | No | Varies by project | Varies by system | Varies by system | Varies by system | No | No (note 16) | No charge (baseline service) |
| Canvas Files tool: Storage and file sharing (for purposes directly related to course or group work only) | No | Restricted | Yes | Yes | Yes | 4 GB (Courses); 300 MB (Groups); 1 GB (Individuals) | 2 GB | Yes | Yes | No | Yes | No charge (baseline service) |
| Confluence: Online collaborative environment for enterprise intranets, knowledge management, and documentation | No | University-internal | Yes | Yes | Yes | Varies by project | 244 MB | Yes | Yes | No | Yes | No charge (baseline service) |
| Consolidated Hosting Environment: Storage for web applications | Yes | Critical | Yes | No | Yes | 10 GB | None | No | Yes | No | Yes | No charge for initial 10 GB allotment; additional space is $1.35/GB/year (includes storage and backup) |
| Data Services for Departments and Instruction: Database and web server storage for instruction | No | Public | No | Web only | No | 3 MB (Oracle and IIS) | Varies by format | No | No | No | Yes | No charge (baseline service) |
| Exchange: Email storage | No (note 17) | Public (note 17) | No | Yes | Yes | 50 GB | 50 MB | Varies by client | Yes | Varies by client | Yes | No charge (baseline service) |
| Intelligent Infrastructure: Virtual machine storage | Yes | Critical | Yes | No | No | 35 GB | Varies by operating system | No | Yes (note 18) | No | Yes (note 19) | $1/GB/year (storage); $0.35/GB/year (backup) (note 20) |
| IUanyWare: Cloud storage | No | Restricted | Varies by system | Yes | Yes | Varies by system | Varies by system | Yes | Varies by system | Varies by system | Varies by system | No charge (baseline service) |
| REDCap: Storage and sharing of tabular research data | Yes | Restricted | Yes | No | Yes | None (note 21) | Varies by number of records collected | Records are viewable within REDCap | Yes | No | Yes | No charge (baseline service) |
| Research supercomputers: World-class research computing systems with home directory storage for code development and job scripts, plus local scratch space for temporary storage of application data | Yes (note 22) | Restricted | Yes | No | No | 100 GB (note 23) | 10 GB (note 24) | No | Yes (home directories); No (note 25) (scratch directories) | No | Yes (home directories); No (scratch directories) | No charge (baseline service) |
| SharePoint Online: Collaboration and content management | No | Restricted (note 26) | Yes | Yes (native in browser) | Yes | 20 GB | 10 GB | Office files | Yes | Yes (but not recommended) (note 27) | Yes | No charge (baseline service) |
| Webserve: Storage for web applications | No | Restricted | Yes | No | Yes | 1 GB (Webserve); 1 GB (MySQL) | 1 GB | No | Yes | No | Yes | $1.35/GB/year (includes storage and backup) |

Notes:
The following notes are referenced in the tables above:

1 Some services approved for storing data containing PHI are not approved for storing other institutional data classified as Critical. Consequently, some HIPAA-capable systems have "Restricted" listed as the most sensitive institutional data classification allowed, even though they're capable of storing PHI (which is classified as Critical). If you need help determining the most sensitive institutional data classification allowed on any UITS service, contact the University Information Policy Office (UIPO).

2 For the most current pricing information for fee-based services, see Rates and costs of services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about the service in which you are interested.

3 UITS strongly recommends using Box Entrusted Data Accounts for any Restricted data stored in Box.

4 The Data Capacitor II (DC2) file system (/N/dc2/) meets certain requirements in the HIPAA Security Rule that enable its use with research data containing PHI. The Data Capacitor Wide Area Network (DC-WAN) file system (/N/dcwan/) is not suitable for data containing PHI. If you have questions, contact UITS HIPAA consulting.

5 Scratch space on the DC2 file system (/N/dc2/) is not allocated; its total capacity fluctuates, based on project space requirements.

6 On the DC2 file system (/N/dc2/), files more than 60 days old are periodically purged (following user notification). If you have questions, contact the UITS High Performance File System team.

7 Google at IU accounts are administered by UITS and are not related in any way to personal Google accounts. You should keep your personal Google account separate from your Google at IU account. For more, see How do I use Google at IU if I already have a personal Google account?

8 Google at IU is not appropriate for certain types of restricted data sets (student, employee, etc.), or for personally or individually identifiable research data. Consult your IT manager and executive management for appropriate storage options.

9 OnBase is not designed for files larger than 100 MB but is capable of handling them. If you have questions, contact the OnBase team.

10 Due to the mammoth volume of data stored on the Scholarly Data Archive, backups are neither practical nor economical. The SDA doesn't have an offline, traditional backup system, so any deletion you perform will cause an irreversible loss of data. Although files are not backed up, two tape copies are saved by default (one at IU Bloomington; another at IUPUI) and are never purged by administrators. If you have questions or need help, email the UITS Research Storage team.

11 For storage capacity exceeding 50 TB, a short formal request or some cost recovery is needed. When in support of authorized research activities, extensions beyond 50 TB are routinely granted at no charge. For help, email the UITS Research Storage team.

12 Slashtmp files are purged 30 days after you upload them. If you have a question or need help with Slashtmp, contact your campus Support Center.

13 Some services approved for storing data containing PHI are not approved for storing other institutional data classified as Critical. Consequently, some HIPAA-capable systems have "Restricted" listed as the most sensitive institutional data classification allowed, even though they're capable of storing PHI (which is classified as Critical). If you need help determining the most sensitive institutional data classification allowed on any UITS service, contact the University Information Policy Office (UIPO).

14 For the most current pricing information for fee-based services, go to Rates and costs of UITS services, click to open the current-year "Rates for Direct-bill Services" document for your campus, and then browse that document to find information about the service in which you are interested.

15 Access to all visualization systems is physical (i.e., you must be in the room with the device to use it). Currently, no remote access or virtual desktop support is available. To request physical access to visualization devices, email the AVL. An AVL staff member will meet with you to discuss your project and proposed usage scenario. Once your proposed use is approved, AVL staff will provide an orientation and training to get you started using the system. Most visualization systems have 24/7 access via keycards.

16 All visualization systems have local storage areas, but they are not backed up and are purged regularly. Before each working session, you must import all data and program files from a long-term storage medium, and transfer them back to long-term storage when you're finished. All visualization systems have USB support and are connected to the IU network, so you can use long-term storage media, such as USB (flash or magnetic) drives, and network-enabled storage services, such as the Scholarly Data Archive. If you have questions, contact the AVL.

17 Do not send or receive sensitive data via email unless it is required by your role within the university. It is suggested that you first explore using Slashtmp Critical, Box Health Data Accounts, or Box Entrusted Data Accounts for your purposes before considering email. If you are unsure whether email is appropriate for a particular situation, consult with the appropriate Data Steward and the UIPO. After considering other alternatives and if required by your role, sending sensitive email from one IU account (on Exchange) to another is considered secure because of technical and physical safeguards employed. Since a recipient may forward any message you send, or may have IU email configured to send all messages to an outside account, make sure you always tag all email messages containing sensitive data, even ones to IU addresses, to force encryption. IU mail servers use the Cisco Registered Envelope Service (CRES) to encrypt email; always force encryption for messages that contain sensitive data. For more, see Should I send confidential information via email?

18 You can use storage on virtual machines as raw space or for file storage within an operating system. For service details, see Virtual Systems.

19 You can purchase data protection services on a gigabyte-per-year basis and additional storage capacity on a per-gigabyte basis.

20 UITS will retire Tivoli Storage Manager (TSM) as a backup and recovery service on December 31, 2016. TSM clients running in the Intelligent Infrastructure (II) will be migrated to CommVault, an enterprise backup and recovery solution that can potentially reduce costs for many II clients (depending on data types and recovery profiles). Additionally, as of July 1, 2016, rates for TSM backup services will increase from $0.35/GB/year to $0.65/GB/year to reflect increased vendor maintenance costs. If you have questions or concerns, email UITS Storage and Virtualization.

21 REDCap is a secure web application for building and managing online surveys and databases. Although REDCap stores survey response records that may contain PHI, REDCap is not a data storage solution; therefore, accounts do not have default allotments. If you have questions, email Indiana CTSI support.

22 Home directories and local scratch space on the research computing systems meet certain requirements in the HIPAA Security Rule that enable their use with research data containing PHI; however, simply storing research data containing PHI on a UITS Research Technologies computing system is not enough to fulfill your responsibilities for protecting the privacy and security of that PHI. Before storing PHI on an IU research computing resource, be sure you understand the information in the Important considerations regarding PHI section of this document. If you have questions or need help, contact UITS HIPAA consulting.

23 Home directories on IU's research computing systems are hosted on a centralized network-attached storage (NAS) device. Upon creating an account on any of IU's research computing systems, you are allotted 100 GB of home directory disk storage on the NAS device. If you create additional accounts on other research computing systems, the 100 GB allotment is shared among those accounts. No quotas are enforced on local scratch directories; the amount of local scratch space varies by system.

24 Maximum file sizes: Home directories (10 GB); local scratch directories (varies by system)

25 Purge policies for local scratch space vary by system; see On IU's research systems, how much allocated and short-term storage capacity is available to me?

26 SharePoint Online is appropriate for use with institutional data classified as Public, University-internal, or Restricted. Use with data classified as Critical requires approval from the appropriate Data Steward.

27 For security reasons, the SharePoint Online Sync button is hidden by default. Do not enable SharePoint Online sync unless you are certain no data classified as Restricted or higher will be shared on your site, and you followed best practices in educating your users; for more, see About OneDrive for Business and SharePoint Online file syncing and sharing.

Further reading

For more about working with sensitive institutional data at IU, see IU's Critical Data Guide.

This is document bduo in the Knowledge Base.
Last modified on 2017-03-02 13:13:23.
