Approved Technologies for Research

Overview: 

The following is a list of approved technologies to use to collect, transmit, and store data for research projects depending on the sensitivity of the research data. The appropriate technology will depend on the classification of the data. If you are unsure about the classification of your data, complete this survey.

Note: Additional data protections may apply to a research project through language within contracts and agreements that supersede the information provided here. Even if using de-identified or non-Sensitive data, additional contractual restrictions may still apply (e.g., WV PEIA data or WV Medicaid / Medicare data) to your project. If your research project is subject to contractual data protections, WVU ITS/HSC ITS will work with you to ensure that you are using secure applications to protect your data appropriately.

ACTIVITY

PHI SUBJECT TO HIPAA

SENSITIVE DATA/ RESEARCH HEALTH INFORMATION

NON-SENSITIVE DATA

DATA DISTRIBUTION

Technologies to use when sending information or documents, such as informed consents, to study participants.

In person via paper

Yes

Yes

Yes

Secure WVU/HSC Fax

Yes

Yes

Yes

Paper via mail (e.g., USPS, FedEx, UPS)

Yes

Yes

Yes

WVU O365 Email, MIX Email

No

No

Yes

HSC O365 Email

No

No

Yes

Personal email

No

No

No

WVU telephone

Yes

Yes

Yes

Voicemail

No

No

Yes

HSC Qualtrics

Yes

Yes

Yes

WVU Qualtrics

No

No

Yes

REDCap

Yes

Yes

Yes

FaceTime

No

No

Yes

HSC Zoom

Yes

Yes

Yes

WVU Zoom

No

No

Yes

FileLocker

No

Yes

Yes

Adobe Sign

No No

Yes

HSC NextCloud

Yes Yes Yes

HSC sFTP

Yes Yes Yes

DATA Collection

Technologies to use when receiving information or documents, such as completed informed consents, from study participants.

In person via paper

Yes

Yes

Yes

Secure WVU/HSC Fax

Yes

Yes

Yes

Paper via mail (e.g., USPS, FedEx, UPS)

Yes

Yes

Yes

WVU O365 Email, MIX Email

No

No

Yes

HSC O365 Email

No

No

Yes

Personal Email

No

No

No

WVU Telephone

No Yes Yes

Voicemail

No No Yes

HSC Qualtrics

Yes

Yes

Yes

WVU Qualtrics

No

No

Yes

Facetime

No No No

HSC Zoom

Yes Yes Yes

WVU Zoom

No No Yes

REDCap

Yes

Yes

Yes

FileLocker

No

Yes

Yes

Adobe Sign

No No Yes

HSC NextCloud

Yes Yes Yes

HSC sFTP

Yes Yes Yes

DATA STORAGE

Technologies to use to store your electronic research data. Paper copies of data should be stored in a locked filing cabinet within a secure room.

HSC Secure Research Environment (HSC VDI, secure network drive with DLP)

Yes

Yes

Yes

WVU Network drive (Common or Secure)

No

Yes

Yes

HSC Network Drive

No

Yes

Yes

Microsoft online storage (e.g., OneDrive, SharePoint)

No

No

Yes

GoogleDrive

No

No

Yes

Oncore

Yes

Yes

Yes

SOD patient access portal

Yes

Yes

Yes

WVU Qualtrics  No No Yes
HSC Qualtrics  Yes Yes Yes
REDCap Yes Yes Yes

Important things to keep in mind:

  • Limited Data Sets are considered PHI and are subject to data protections under HIPAA.
  • Use of medical records of decedents over 50 years old is not subject to HIPAA compliance and not subject to specific data protections.
  • Sensitive PII includes Social Security number, driver’s license number, visa/passport, and biometric images.
  • Research Health Information is personally identifiable data collected through research projects but is not considered PHI. The difference between RHI and PHI is that PHI is associated with or derived from a healthcare service event conducted by a named University Health Care Component. Although RHI is not subject to the HIPAA Privacy and Security Rules, it is sensitive personal information that must be secured appropriately.
  • Pursuant to University Electronic Mail Policy, personal email must never be used to conduct University activities.
  • Pursuant to the University Acceptable Use of Technology Resources and Data Policy, de minimis use of personal devices is permitted to conduct University business; however, personal devices may not be used as the primary device used to conduct University activities. Additionally, the Sensitive Data Protection Standard strictly prohibits the use of personal devices to access or transmit Sensitive Data.
  • Voicemail should never be used to transmit or collect patient/participant consent if the information contains Sensitive Data that can specifically identify the person from the recording.
  • A Secure Fax means the receiving fax machine is in a secure location only accessible by authorized individuals, a cover sheet accompanies the transmission clearly indicating the recipient, and the recipient has been alerted to the transmission and is able to receive it.
  • Faxing or scanning documents to email is not permitted.
  • Skype, Box, Dropbox, Survey Monkey, and Wufoo are not approved University technologies and should never be used to interact with patients/study participants.

Details

Article ID: 111060
Created
Tue 6/30/20 12:28 PM
Modified
Wed 9/16/20 10:45 PM