OCR Update

SEPTEMBER 2021

Information Technology Risk Assessment

In today’s technology-driven world, healthcare institutions find themselves at increased risk for cyber-attacks. The protection of patient information is a priority of IU Health, especially in the field of research. The HIPAA Security Rule sets national standards to protect the electronic personal health information of individuals that is created, received, used, or maintained by a covered entity. Current IU Health policy requires that a risk assessment be performed for any third-party vendor solution.

The assessment will identify areas of risk and obtain vendor confirmation that IS standards and policies are followed. A few examples of scenarios that would require an assessment:

      • Studies using phone applications for subjects or researchers
      • Web-based platforms outside of a typical electronic data capture (EDC) system that exchange electronic protected health information
      • Sponsor-provided iPads or other devices that connect to the IU Health network

If you need an Information Technology Risk Assessment (ITRA) or are unsure whether one is required for a solution, please email ITRA@iuhealth.org.