HIPAA Compliance Documents

Compliance Plan & administrative documents

The goal of the Indiana University HIPAA Privacy & Security Compliance Plan is to provide a structure that promotes understanding and compliance with the HIPAA Privacy & Security Rules, related provisions of the HITECH Act, and applicable Indiana privacy and security laws.

Below you will find links to documents that support IU's committment to compliance with HIPAA.

View the HIPAA Privacy & Security Compliance Plan

View the Glossary of HIPAA Related Terms

HIPAA administrative requirements

The HIPAA Privacy Rule requires a covered entity to implement specific administrative requirements. These requirements include:

Designate a privacy and security officer
Hybrid covered entities must document designation - see the Designation Statement
Develop and make available policies and procedures

Privacy Policies, Procedures and Guidance

Indiana University has developed HIPAA Privacy policies, procedures and guidance documents as required under the HIPAA Privacy Rule.

Privacy Policies

HIPAA-P01: Uses & Disclosures of PHI

HIPAA-P02: Minimum Necessary

HIPAA-P03: HIPAA Authorizations

HIPAA-P04: HIPAA & Fundraising

HIPAA-P05: Individual Rights under HIPAA

HIPAA-P06: Use & Disclosure of De-Identified Data & Limited Data Sets

HIPAA-P07: Notice of Privacy Practices

HIPAA-P08: Removal & Transport of PHI and ePHI

HIPAA P09: HIPAA Education & Training Requirements

HIPAA-P10: Electronic Communication & PHI

HIPAA-P11: Retention & Destruction of PHI

HIPAA-P12: CMS DUAs & Data Management

Privacy Procedures

HIPAA-PR01: Patients Right to Access PHI

HIPAA-PR02: Patients Right to Confidential Communication - Healthcare Provider

HIPAA-PR03: Patients Right to Confidential Communication - Benefit Plans

Privacy Guidance Documents

HIPAA-G01: Sanctions

HIPAA-G02: Safeguarding Patients' Photographs & Recordings

HIPAA-G04: Limited Data Set & Data Use Agreements (DUAs)

HIPAA-G06: Business Associate Agreements

Security Policies and Standards

The HIPAA Security Rule requires IU implement Administrative, Physical and Technical Safeguards to protected electronic Protected Health Information (ePHI). IU addresses most of the requirements under the Rule through multiple University policies and standards. PHI is considered Critical Data at IU and must be protected with the highest level of security.

The HIPAA Security Rule Procedure identifies the specific requirements under the Rule and the corresponding university policies and/or standards. The IU policies and standards identified in the procedure are listed below.

HIPAA Security Rule Procedure:

HIPAA-SPR01

IU Policies and Standards in HIPAA-SPR01

DM-01: Management of Institutional Data

DM-01-S: Standards for the Management of Institutional Data

DM-02: Disclosing Institutional Information to a Third-Party

ISPP-26: Information and Information System Reporting, Management and Breach Notification

IT-01: Appropriate Use of Information Technology Resources

IT-02: Misuse and Abuse of Information Technology Resources

IT-03: Eligibility to Use Information Technology Resources

IT-07: Privacy of Electronic Information and Information Technology Resources

IT-12: Security of Information Technology Resources

IT12.1: Mobile Device Security Standard

IT-18: Computer and Network Accounts Administration

IT-28: Cyber Risk Mitigation Responsibilities