Indiana University

HIPAA Privacy and Security Reminders

Mobile Devices

  • Mobile devices, regardless of ownership, used for work purposes must comply with IU's IT-12.1 - Mobile Device Security Standard.
  • All workforce members of IU's Health Science Schools must encrypt handheld mobile devices (e.g. tablets & smartphones), if used for any work purpose including accessing email.
  • All laptop/notebook computers, regardless of ownership, used for any work purpose (e.g. accessing IU institutional data, research data, email, etc.) must be encrypted and passphrase protected.

Email

  • Only use your work email when sharing sensitive data such as PHI;
  • Only share PHI via email when you have a business need to do so;
  • Only send PHI to secure email addresses such as IU, IUH or Eskenazi; or include "Confidential" or "Secure Message" in the subject line to encrypt the message; and
  • Only share the information necessary to meet your goal and meet the "Minimum Necessary" requirement.

Phishing Emails

  • IU and IUH have had employees who were victims of phishing emails. These emails look very official, as if they are from IU, IUH, the VA, etc. They typically ask you to click on a provided link and then request information such as your user ID and password/passphrase.
  • IU, IUH, Eskenazi and the VA will never ask for your password/passphrase.
  • DO NOT share your password/passphrase with anyone.

Minimum Necessary

  • Remember that all requests for, uses of, and disclosures of PHI, with the exception of "treatment purposes", must comply with the "Minimum Necessary" standard.

Access to Information

  • Do not access any record without a business need to do so.
  • Do not access your own record, or records of family, friends, students and/or co-workers without a business need to do so.

Social Security Numbers (SSN)

  • Indiana University requires a documented business need to collect and store all nine (9) digits of an SSN.
  • When possible, only store the last four digits of the SSN.
  • If you do have a business need to store SSNs, you are required to apply the highest level of security.

Moving, Archiving or Destroying Records

  • The HIPAA Privacy Rule applies to protected health information in any form or medium, including paper and electronic records as well as verbal communication. When moving, purging, storing or destroying any records that are considered sensitive (restricted or critical), you must do so in a secure manner.
  • Keep track of your records! Record information about any records sent offsite for storage or scanning:
    • Box the records.
    • Number the boxes.
    • Record content information for each box, including:
      • the type of data contained (e.g. SSNs, PHI, student data, credit card or account numbers);
      • the names of individuals identified in the records (e.g. list of patients, list of students).
    • Create an inventory list by box number and description.
    • Verify all boxes reached their destination.
    • If any boxes are missing: 1. report it as an incident, and 2. investigate immediately!
  • Even "old" records containing sensitive data must be protected.
  • When in doubt, always handle records as if they contain sensitive data: while purging old travel records, an office discovered patient information in them.
  • If using an offsite storage company to store data protected under HIPAA, we must have a business associate agreement as required under the Privacy Rule.
  • NEVER DISCARD SENSITIVE DATA IN TRASH OR RECYCLE BINS!

Surplus

  • Empty all file cabinets and desks before sending them to Surplus.
  • Verify all storage equipment is empty, then double check!