HIPAA-Aligned Service Guidelines

You are ultimately responsible for securing your HIPAA-protected ePHI.

The Advanced Biomedical IT Core and Research Technologies have undergone exhaustive gap and risk analyses by an external third party and have used the results to fill existing gaps and to develop a comprehensive, ongoing risk management plan. As a result, the Office of Research Administration has formally affirmed its confidence in our ability to keep ePHI on our systems safe. Contact us if you would like more information.

While we ensure that your data will stay safe with us, you are still the data owner and thus ultimately and legally responsible for securing your HIPAA-protected ePHI.

Any software (application or system) and/or service you may deploy and administer on your own using the systems and services infrastructure provided by the Advanced Biomedical IT Core is NOT HIPAA aligned.

HIPAA is complicated, and managing HIPAA-regulated data on IT systems should be done only by properly trained people, on systems that have been documented and reviewed by the IU Office of Research Administration (HIPAA Compliance). This typically cannot be delivered by groups that have not gone through extensive and rigorous HIPAA training and external review, and that have not themselves been reviewed by the Compliance Office. Having undergone this process, the Advanced Biomedical IT Core is happy to host sensitive data and the applications that manage them.