Indiana University

Compliance at Indiana University

HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the use and disclosure of individually identifiable information, or protected health information (PHI), created or received by covered entities.

Indiana University (IU) is a covered entity that has chosen hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. The University HIPAA Privacy & Security Compliance Office has identified a number of HIPAA Affected Areas that must comply with HIPAA. HIPAA Affected Areas refer to those units at Indiana University that have access to PHI, as defined by HIPAA, because the unit is a covered healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes.

Key Concepts:

HIPAA Affected Areas must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:

  • Administrative Safeguards (e.g. policies, procedures, training, Data Use Agreements (DUAs) and Business Associate Agreements (BAAs))
  • Physical Safeguards
  • Technical Safeguards

Patients have Rights to:

  • Notice of Privacy Practices (How their information may be used)
  • Inspect & copy PHI
  • Accounting of Disclosures (Record of disclosures of PHI made for purposes other than treatment, payment, and health care operations (TPO) and without their permission)
  • Request to Amend their record
  • Request for Confidential Communications
  • Request for Restrictions related to certain uses and disclosures
  • Give permission to allow certain uses and disclosures such as for research purposes
  • File a Complaint