HIPAA Privacy & Security

HIPAA Contacts

Mark Werling

Chief Privacy Officer
HIPAA Privacy Officer


Mark is responsible for IU’s compliance with HIPAA, including the access, use, and disclosure of PHI. If you have questions or concerns about IU’s HIPAA policies and program, contact Mark.

Jason Bozarth

HIPAA Security Officer

Jason is responsible for implementing, managing and enforcing information security directives mandated by HIPAA. If you have concerns about security measures protecting your HIPAA-related information, contact Jason.

HIPAA and Research

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”  The IU Human Research Protection Program (HRPP) Policy, Use of Protected Health Information (PHI) in Research, applies to human subjects research regulated under HIPAA.  This policy also applies to the use of protected health information (PHI) for research that does not require IU IRB approval but for which the IU Privacy Board grants a waiver of authorization.

HRPP Policy - Use of PHI in Research

Learn more about IU Research subject to HIPAA

Secure Research Data

To reduce the burden of meeting cybersecurity and compliance requirements in grants, contracts, and data use agreements so that IU researchers can concentrate on conducting world-class research, IU offers the services of SecureMyResearch as a self-service resource or one-on-one consulting.  For more information on how to secure your research data, contact SecureMyResearch.  

Learn more about SecureMyResearch

Indiana University's Designation as a "Hybrid Covered Entity"

HIPAA applies to “Covered Entities” such as health care providers and health plans. Indiana University is a covered entity that has selected hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. Areas within IU that must comply with the HIPAA Privacy and Security Rules are known as IU HIPAA Covered Components.