Many vendors claim HIPAA compliance. Unfortunately, this does not mean that your use of the software or service satisfies HIPAA requirements. This only suggests that the vendor may have certain HIPAA safeguards in place. Additional due diligence is required to ensure institutional HIPAA compliance. The following requirements must be met: the vendor's HIPAA efforts are adequate to protect IU's PHI, and IU (including you) has in place the requisite complementary controls to ensure an end to end HIPAA compliant workflow.
Ensure that a software or service where PHI will be stored on a vendor system you are acquiring is approved for PHI
Email the IU HIPAA Privacy Officer to check if we have a BAA with the vendor Note: IU has BAAs with Microsoft, Amazon, and Google for Azure, AWS, and Google Cloud Platform (and many other vendors), but cloud services such as Box still need a BAA before IU can store any PHI with them.
Email securemyresearch@iu.edu and we will help you assess your workflow as you use the software/service and ensure it satisfies HIPAA requirements.
We want your feedback
Please email securemyresearch@iu.edu to report errors/omissions and send critiques, suggestions for improvements, new use cases/recipes, or any other positive or negative feedback you might have. It will be your contribution to the Cookbook and appreciated by all who use it.