HIPAA Privacy & Security

We at Indiana University are committed to providing quality healthcare, which includes respecting individuals’ rights and protecting the privacy and security of individually identifiable health information. The Health Insurance Portability and Accountability Act (HIPAA) provides standards for protecting patient health information.

If you are a consumer of one of our healthcare services and want to know how your medical information may be used and disclosed, see the Notices of Privacy Practices at the bottom of this page.

About HIPAA

Learn more about HIPAA on the UITS Knowledge Base.

HIPAA Affected Areas

Each HIPAA Affected Area at IU has a designated HIPAA Liaison.

Training & Education

Certain members of IU are required to obtain training related to the regulatory obligations of HIPAA.

Compliance Plan & Administrative Documents

Links to documents that support IU's commitment to compliance with HIPAA.

HIPAA Contacts

Mark Werling

Chief Privacy Officer
HIPAA Privacy Officer
mawerlin@iu.edu
317-274-3525

Mark is responsible for IU’s compliance with HIPAA, including the access, use, and disclosure of PHI. If you have questions or concerns about IU’s HIPAA policies and program, contact Mark.

Jason Bozarth

HIPAA Security Officer
bozarthj@iu.edu
317-274-4281

Jason is responsible for implementing, managing and enforcing information security directives mandated by HIPAA. If you have concerns about security measures protecting your HIPAA-related information, contact Jason.

For general inquiries about HIPAA, please email hipaa@iu.edu.

Report an incident

Contact the Privacy Office team

HIPAA and Research

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” The IU Human Research Protection Program (HRPP) Policy, Use of Protected Health Information (PHI) in Research, applies to human subjects research regulated under HIPAA. This policy also applies to the use of protected health information (PHI) for research that does not require IU IRB approval but for which the IU Privacy Board grants a waiver of authorization.

HRPP Policy - Use of PHI in Research

Learn more about IU Research subject to HIPAA

Secure Research Data

To reduce the burden of meeting cybersecurity and compliance requirements in grants, contracts, and data use agreements so that IU researchers can concentrate on conducting world-class research, IU offers the services of SecureMyResearch as a self-service resource or one-on-one consulting. For more information on how to secure your research data, contact SecureMyResearch.

Learn more about SecureMyResearch

Indiana University's Designation as a "Hybrid Covered Entity"

HIPAA applies to “Covered Entities” such as health care providers and health plans. Indiana University is a covered entity that has selected hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. Areas within IU that must comply with the HIPAA Privacy and Security Rules are known as IU HIPAA Covered Components.

Notice of Privacy Practices

HIPAA requires that health plans and covered healthcare providers develop and distribute a Notice of Privacy Practices (“Notice”) which describes the uses and disclosures of protected health information ("PHI"), an individual’s rights with regard to their own PHI, the covered entity's duties with regard to the individual’s PHI, the complaint process, contact information, and the effective date of the notice.

School of Dentistry

IU Student Health Center

School of Optometry