Abstract
This research bulletin describes a functional framework for higher education compliance with the HIPAA IT security final rule. The framework, which can be adapted for individual universities, includes an institutional plan, an organizational process, reporting and tracking mechanisms, and training. It is based on principles of leveraging the compliance process to create a more secure institution-wide IT environment.