Reporting Suspected HIPAA Data Exposures

Protected health information

Exposures of protected health information (PHI) can vary depending on the circumstances, types, and amount of data involved. It is essential that any suspected or known inappropriate access, use, disclosure, or compromise PHI is immediately reported using each of the following methods:

• Call UIPO/UISO directly at 812-855-UISO (8476) (business hours);
• Email it-incident@iu.edu outlining the incident details; and
• Notify the HIPAA Privacy Officer at 812-856-0340.

Reports of HIPAA related incidents may also be made anonymously through the confidential hotline at 888-236-7542.

The incident response team works closely with the HIPAA Privacy and Security Officers to determine whether a breach has occurred and what actions need to be taken, if any. If a breach has occurred, IU has a limited timeframe to determine reporting requirements which may include a report to the Department of Health and Human Services’ Office for Civil Rights (OCR), the affected individuals, and potentially the media.

Suspected HIPAA Breach

Time is of the essence. If you suspect that there is a breach of HIPAA information, or if you manage a machine hosting PHI that may be compromised, see Reporting Suspected Sensitive Data Exposures for how to quickly notify the UIPO/UISO.