Compliance at Indiana University

HIPAA Privacy and Security

HIPAA Privacy and Security Reminders

Mobile Devices

  • Mobile Devices, regardless of ownership, used for work purposes must comply with IU's IT-12.1 - Mobile Device Security Standard.
  • All workforce members of IU's Health Science Schools must encrypt handheld mobile devices (e.g. tablets & smartphones), if used for any work purpose including accessing email.
  • All laptop/notebook computers, regardless of ownership, used for any work purpose (e.g. accessing IU institutional data, research data, email, etc.) must be encrypted and passphrase protected.

Email - Sharing PHI via email

  • Only use your work email when sharing sensitive data such as PHI;
  • Never forward your email to an outside account;
  • Only share PHI via email when you have a business need to do so;
  • Only share the information necessary to meet your goal and comply with the "Minimum Necessary" requirement;
  • Only send PHI to secure email addresses such as IU, IUH or Eskenazi; or
  • Include Confidential or Secure Message in the subject line to “encrypt” the message; 
  • Any mobile device used to access your IU email account Must be Encrypted;

Phishing Emails

  • IU and IUH have had employees who were victims of phishing emails.  These emails look very official as if they are from IU, IUH, the VA, etc.  The emails typically request you click on a link provided and then request information such as your user ID and password/passphrase.
  • IU, IUH, Eskenazi and the VA will never ask for your password/passphrase.  
  • DO NOT share your password/passphrase with anyone.

Minimum Necessary

  • Remember all request for, uses and disclosures of PHI with the exception of "treatment purposes" must comply with the "Minimum Necessary" standard.

Access to Information

  • Do not access any record without a business need to do so.
  • Do not access your own record, or records of family, friends, students and/or co-workers without a business need to do so.

Social Security Numbers (SSN)

  • Indiana University requires a documented business need to collect and store all nine (9) digits of an SSN.
  • When possible, only store the last four digits of the SSN.
  • If you do have a business need to store SSNs, you are required to apply the highest level of security.

Moving, Archiving or Destroying Records

  • The HIPAA Privacy Rule applies to protected health information (PHI) in any form or medium including paper and electronic records as well as verbal communication.  When moving, purging, storing or destroying any records that are considered sensitive (restricted or critical), you must do so in a secure manner. 
  • Keep track of your records!  Record information about any records sent offsite for storage or scanning:
    • Box records;
    • Number the boxes;
    • Record content information for each box including:
      • The type of data contained (e.g. SSNs, PHI, Student Data, credit card or account numbers);    
      • Names of individuals identified in the records (e.g. list of patients, list of students);
    • Create an inventory list by box numbers and descriptions;
    • Verify all boxes reached their destination;
    • If any boxes are missing:  1.  Report as an incident and 2. Investigate immediately!
  • Even "old" records containing sensitive data must be protected;
  • When in doubt always handle records as if they contain sensitive data - While purging old travel records, an office discovered patient information in the records;
  • If using an offsite storage company to store data protected under HIPAA, we must have a business associate agreement as required under the Privacy Rule;


  • Empty all file cabinets and desk before sending to Surplus
  • Verify all storage equipment is empty, then double check!