HIPAA & ABITC
On January 29, 2009, the UITS Advanced Biomedical IT Core (then called the Advanced IT Core), Research Technologies, and Enterprise Infrastructure divisions reached a new milestone: many of our technology services became formally aligned [1] with the federal Health Information Portability and Accountability Act (HIPAA). We are one of very few research computing organizations in the nation to achieve this feat, and we maintain an environment of strict physical, technical, and administrative controls on our systems. Being aligned with HIPAA means that our supercomputers, storage, visualization systems, and virtual machine environments can now better support medical research at the IU School of Medicine (IUSM) and beyond. We have for many years provided information services with confidentiality, high integrity, and high availability in support of research across IU campuses. As part of our HIPAA alignment process, our security management is now compatible with the security best-practice standards (specifically NIST SP 800-53) recommended by the US Department of Health and Human Services.
We can now provide solutions to analyze, store, serve, or visualize electronic protected health information (ePHI) and other sensitive data (including clinical research data) with confidence, knowing that we have gone through a rigorous, and ongoing, risk management and security enhancement process, overseen by a committee representing the Office of Research Administration, IUSM faculty and administration, and the IUSM CIO. The Office of Research Administration has provided a formal memorandum of their confidence in our ability to protect data for research projects that involve electronic protected health information (ePHI).
NOTE: All new software applications require review by the Compliance Office.
What Research Technologies provides
At the IUSM, ONLY Research Technologies and Information Services and Technology Management (ISTM) have completed the organizational review necessary to manage ePHI. We provide the following, in accordance with HIPAA:
Physical Security – servers are in physically secure environments with stable power and environmental controls.
Technical Security – services are maintained by a professional staff who implement and maintain high quality security controls, undertake periodic testing, and are trained in human subjects protections and HIPAA.
Administrative Security – software applications are managed in accordance with HIPAA to ensure appropriate access controls, auditing, and other applications management features that are required for ePHI.
You, as the data owner, are responsible for keeping your data and practices secure as required by HIPAA.
Any software (application or system) and/or service you may deploy and administer on your own using the systems and services infrastructure provided by the Advanced Biomedical IT Core is NOT HIPAA-aligned. HIPAA is complicated and managing HIPAA-regulated data on IT systems should be done only by people properly trained, on systems that have been documented and reviewed by the IU Office of Research Administration (HIPAA Compliance). This typically cannot be delivered by groups who have not gone through extensive and rigorous HIPAA training and external review and have themselves been reviewed by Compliance. Having undergone this process, the Advanced Biomedical IT Core is happy to provide assistance and/or hosting of sensitive data/applications.
You cannot use our services with clinical data that are part of current, active patient treatment. (Our systems are not "medical devices" regulated by the FDA and we are NOT compliant with FDA rules controlling medical devices.)
[1] The Advanced Biomedical IT Core underwent exhaustive gap and risk analyses by an external third party and used the results to fill existing gaps and to develop a comprehensive, ongoing risk management plan as part of this process.