Regulated Data: HIPAA and FISMA Compliance

Regulatory compliance is rapidly emerging as a major challenge for IT organizations with little or no prior experience with regulated data. Environments such as high performance computing and university central IT are now facing both HIPAA and FISMA, as protected health information (PHI) leaks out of academic healthcare settings and as government contracts and grants begin to impose FISMA terms. CACR specializes in cybersecurity and compliance in these environments.

Unique Expertise

CACR's expertise is derived from nearly a decade of experience tackling cyber compliance for the University Information Technology Services (UITS), IU's central IT organization. UITS began facing regulated data in 2007 as rising storage, analysis, and management needs began to force biomedical researchers toward central systems. Anticipating that this appetite for capacity would escalate, IU decided to launch a significant effort to make its centrally provisioned research cyberinfrastructure HIPAA compliant. This early and unique exposure to regulatory issues outside healthcare IT played a key role in the development and implementation of a standards-based cybersecurity Risk Management Framework (RMF). CACR leverages this comprehensive, flexible, and reusable framework to tackle HIPAA and FISMA at IU.

Supporting Indiana University

IU has a substantial clinical footprint. Its Schools of Medicine, Optometry, Nursing, Public Health, and Speech and Hearing comprise over 5000 faculty and staff. Clinical researchers in these schools use a number of services provided by UITS. CACR ensures that these services meet the HIPAA Security Rule requirements. The NIST-based UITS RMF developed by CACR for HIPAA includes institutional governance, NIST 800-53 controls, risk assessment and response, awareness and training, and semi-annual reviews. CACR leverages the RMF in a manner that serves not only UITS but also other IT units and research groups on campus. As new systems are added, the UITS RMF expands, making compliance easier for subsequent systems. CACR provides IU-customized documentation templates that accommodate both new UITS systems and the departmental IT units and research groups that utilize these systems. CACR also provides HIPAA assistance, consulting, and training to both UITS and the campus at large.

National Presence

CACR provides HIPAA and FISMA resources nationally and has assisted numerous research and academic institutions such as the University of Kentucky, University of Chicago, Ball State University, NCSA, NCAR, and more. Other organizations that have leveraged CACR's HIPAA and FISMA expertise include the Coalition for Advanced Scientific Computation (CASC), where CACR played a key role in the formation of a Regulated Data Working Group to address the growing need for compliance, and the Center for Trustworthy Scientific Computing (CTSC), where CACR provides regulated data training to large NSF-funded research facilities. CACR is also a regular presence at conferences such as Internet2 Technology Exchange and the American Medical Center Conference on Privacy and Security, where it covers HIPAA and FISMA compliance.

CACR's Regulated Data Resources

CACR provides the following HIPAA and FISMA resources.

Compliance Links




Please email