Indiana University

Compliance at Indiana University

HIPAA Privacy and Security

HIPAA Privacy and Security Reminders

Mobile Devices

  • Be aware if you use a Mobile Device (regardless of ownership) you may have to comply with IU's IT-12.1 - Mobile Device Security Standard
  • All mobile devices used to access IU critical data or any PHI must be encrypted and password/passphrase protected!


  • Only use your work email when sharing critical data such as PHI;
  • Only share PHI via email when you have a business need to do so;
  • Only send PHI to secure email addresses such as IU, IUH or Eskenazi; or Include Confidential or Secure Message in the subject line to “encrypt” the message; and
  • Only share the information necessary to meet your goal and meet the "minimum necessary" requirement.

Phishing Emails

  • Remember IU is a Hybrid Covered Entity under HIPAA and we are required to apply appropriate safeguards to protected health information (PHI) during its use or disclosure even when we have authorization to do so.
  • IU and IUH have had employees who were victims of phishing emails.  These emails look very official as if they are from IU, IUH, the VA, etc.  The emails typically request you click on the link provided and then request information such as your user ID and password/passphrase.
  • IU, IUH, Eskenazi and the VA will never ask for your password/passphrase.  
  • DO NOT share your password/passphrase to anyone

Minimum Necessary

  • Remember all request for, uses and disclosures of PHI with the exception of "for treatment purposes" must comply with the "Minimum Necessary" standard.

Access to Records

  • Do not access any record without a business need to do so
  • Do not access your own record, or records of family, friends and co-workers without a business need to do so

Social Security Numbers (SSN)

  • Indiana University requires a documented business need to collect and store all nine (9) digit of an SSN
  • When possible, only store the last four digits of the SSN
  • If you do have a business need, SSNs require the highest level of security

Moving, Archiving or Destroying Records

  • There is a lot of moving of offices, archiving of records or destruction of old records
  • Even "old" records containing critical data (e.g. PHI, SSN) must be protected
  • When in doubt always handle records as if they contain critical data
  • While purging old travel records, an office discovered patient information in the records