HIPAA Data Privacy and Considerations for IRIS Organizations

We recognize that organizations subject to HIPAA have a responsibility to protect their clients' health information, and that using any digital platform raises important questions about compliance. Safeguarding the privacy and security of personal health data is not just a legal obligation; it is a core value we uphold.

This resource provides a clear overview of HIPAA: what it is, who it applies to, and what it requires. It also outlines how IRIS supports HIPAA compliance and offers additional best practices to help your organization maintain robust data privacy and security while using IRIS.

Defining Terms

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of sensitive health information. If you’ve ever visited a doctor’s office or received care, you’ve likely seen HIPAA at work - it's what keeps your health information private and safe.

Who does HIPAA apply to?

HIPAA regulations apply to health care providers (e.g., doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), health plans, and other providers who transmit health information in electronic form. These are referred to as Covered Entities (CEs). CEs must comply with the requirements of the HIPAA Privacy Rule and Security Rule for safeguarding protected health information (PHI).

What does it mean to be HIPAA-compliant?

HIPAA compliance means that organizations adhere to the standards set by HIPAA to protect client data. It requires Covered Entities to:

  • Protect health information
  • Limit uses and disclosures
  • Grant individual rights
  • Train employees
  • Mitigate harmful effects

How is IRIS HIPAA-Compliant?

The IRIS Team, as part of the University of Kansas Center for Public Partnerships and Research (KU-CPPR), is committed to preventing, detecting, containing, and correcting security violations in the system through the creation, administration, and oversight of IRIS policies and procedures. IRIS complies with the HIPAA Security Rule through robust administrative, technical, and physical safeguards of the system. The specific safeguards upheld by the IRIS Team are listed below.

  1. Protect Health Information
  • KU-CPPR prioritizes a culture of data security by enforcing regulations and expectations with staff, and regularly reflects and trains on up-to-date mitigation tactics.
  • KU-CPPR staff are required to delete all exported data containing PII that is unnecessary to analysis.
  • IRIS communities are encouraged to configure referral fields to collect only essential information, in order to limit the amount of sensitive information stored and shared in IRIS.
  2. Limit Uses & Disclosures
  • IRIS automatically deactivates users after 4 months of inactivity.
  • IRIS supports role-based access. This means users are assigned to one or more of the following roles: User, Implementation User, Data Manager, System Manager, and System Administrator. For more information on these roles, see IRIS Roles.
  • All users are required to sign data security & privacy agreements based on their level of data access.
  3. Grant Individual Rights
  • IRIS requires confirmation that client consent has been obtained prior to the creation of a Family Profile and prior to each referral sent on their behalf.
  • KU-CPPR provides consent templates and best practices for IRIS Organizations that do not have established procedures.
  • Families and individuals whose information has been put into IRIS have the right to obtain copies of their referral information and/or to have their information removed from the system. Communities must be ready to fulfill these requests.
  4. Train Employees
  • IRIS users are trained prior to gaining access to IRIS.
  • System and Data Managers receive specialized training related to data and PII management.
  • IRIS users are not permitted to share log-in information.
  • IRIS users should be cautious when uploading documents with sensitive information to IRIS (e.g., PII, ePHI).
  5. Mitigate Harmful Effects
  • KU-CPPR staff are required to report and document all incidents of data security violations.
  • Internal and external audits are conducted based on HIPAA evaluation regulations.
  • KU-CPPR conducts regular audits of technical monitoring logs.
  • When required, IRIS enters into Business Associate Agreements (BAAs) with Covered Entities that permit IRIS to receive PHI on the CE's behalf, in order to help the CE carry out its functions.

Additional Data Privacy Concerns Beyond HIPAA Requirements

Occasionally, an organization participating in IRIS may follow internal policies or regulatory requirements that extend beyond standard HIPAA guidelines. These additional safeguards can affect the type and amount of client or referral information shared with partners. To manage these differences effectively, organizations and their communities can develop adaptive workflows that align with their specific requirements. Below are a few examples of how this can be achieved.

Concealed Referral Outcomes 

Organizations can choose to complete all referrals with "other" to conceal the outcome of a referral. 

Concealed Family Name 

Organizations may establish an anonymous naming convention to protect a client's identity. For example, the family name may be written as the date of referral and client's initials (2.7.25 LM). In these instances, organizations may choose to create a new profile for each referral, so as not to connect previous referrals to the same person.

Concealed Date of Birth 

Organizations may use an anonymous date of birth. Organizations may choose the date of referral, or an arbitrary/impossible date of birth (e.g. 01/01/1910).

Concealed uploads (if applicable) 

Organizations may establish rules about how to conceal information in document uploads. This may include striking out client details, similar to the processes described above.