HIPAA

The University of Notre Dame has developed an information technology environment in order to support the needs of University of Notre Dame Research groups and personnel who store, analyze, and transmit protected health information (PHI).

Notre Dame offers a secure storage and computing environment Client Cloud Computing for PHI (C3PHI) which conforms to the Privacy Rule and the Safeguards Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The environment is designed for research projects using electronic protected health information (ePHI).

Review of Requirements for PHI

Any intention to receive PHI for research purposes must be reviewed and approved by the University. If you need help or guidance associated with the use of PHI in research, your first step should be to contact Notre Dame Research Administration (NDRA) researchadmin@nd.edu. Please provide any draft Data Use Agreements associated with the use of these data for review and execution by NDRA. 

C3PHI Research Environment Setup

Once you have contacted NDRA and there is agreement between the PI and NDRA team that you will require a C3PHI environment, you should contact the Center for Research Computing (CRC) at crcsupport@nd.edu to initiate the process to design and deploy your customized environment. You will be asked to review the Base C3PHI System Specifications and complete the Project Intake Form. 

After completing the form, follow the C3PHI New Project Guide as you prepare your team to work in a secure, compliant environment. This guide contains required IT tasks such as: 

• Request NetIDs for University Affiliates
• Request a New C3PHI Project Data Access Group 
• Request a New C3PHI Folder and Assign a Group 
• FAQs on ServiceNow Management of Access Groups

The CRC will help you determine the specifications and requirements of your C3PHI environment as well as help to establish the associated costs. The following Base System Cost Estimate tool is also available as a resource.

Compliance Training

All researchers working with ePHI must complete online HIPAA training found at the ND Researcher Training page. This certification is valid for one year. For more information on completing the HIPAA training, view the HIPAA Training Guide.

Additionally, all researchers must complete the online training for Human Research. For more information, visit the Human Research page.

Roles and Responsibilities

Principal investigators should first review the roles outlined in the HIPAA Policy for Researchers. 

Transferring ePHI Data

Data is transferred on and off the C3PHI environment using LiquidFiles. Only data stewards can transfer ePHI data. For non-data files, larger projects may choose to use transfer agents. The data steward is responsible for both training and overseeing transfer agents.

• Training Guidelines for Transfer Agents 
• How to Request a File Transfer as a Researcher 
• How to Approve a File Transfer as a Data Steward or Transfer Agent