Many vendors claim HIPAA compliance.  Unfortunately, this does not mean that your use of the software or service satisfies HIPAA requirements, only that the vendor may have certain HIPAA safeguards in place.  Additional due diligence is required to ensure institutional HIPAA compliance.  We must make sure that

  • the vendor's HIPAA efforts are adequate to protect IU's PHI, and
  • IU (including you) has in place the requisite complementary controls to ensure an end to end, HIPAA compliant workflow.

Prerequisites

  1. Secure your own environment.

Directions

  1. If you are acquiring a software or service where PHI will be stored on a vendor system, ensure that it is approved for PHI. 
    1. For approved software/services, IU will have done a 3rd party security assessment (of the vendor) to ensure that
      1. they are able to keep IU's PHI secure, and
      2. there is a HIPAA-required Business Associate Agreements (BAA) in place with the vendor.
        1. Email Claire Tempel, the IU HIPAA Privacy Officer, to check if we have a BAA with the vendor.  
        2. IU has BAAs with Microsoft, Amazon, and Google for Azure, AWS, and Google Cloud Platform (and many other vendors).
        3. Many cloud services (e.g. Box) use Azure, AWS, or GCP infrastructure, but still need a BAA before IU can store any PHI with them.
  2. If the software/service is not approved for PHI, please follow the institutional process and get approval.
  3. Email securemyresearch@iu.edu and we will help you assess your workflow as you use the software/service and ensure it satisfies HIPAA requirements.

We want your feedback

Please email securemyresearch@iu.edu to report errors/omissions and send critiques, suggestions for improvements, new use cases/recipes, or any other positive or negative feedback you might have.  It will be your contribution to the Cookbook and appreciated by all who use it.