Skip to main content

Research Data

RESEARCH DATA

The Research Office provides the following guidance related to the data used, collected, or transmitted during the conduct of research at WVU. Note that products used for data storage, transmission, collection are approved and provided by the WVU and WVU HSC ITS departments. New products must be purchased and approved using the WVU standard process.


WVU Policy

Click the button above for links to WVU policy related to information security, privacy and data classification. If additional information is needed, contact the WVU Information Security Office.


WVU Classifications for Identifiable Research Data

Click the button above for information how identifiable research data is classified at WVU. 

For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP.


Data Collection

Click the button above for a list of approved software for collecting identifiable research data directly from research participants. Identifiable means that the researcher knows the identity of the participant at the time the data was collected. Data can later be de-identified for publication and other purposes, however this is considered as Data Collection- Identifiable. Use of data collected by a secondary source is not considered data collection. 

For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP.


Data Storage

Click the button above for storage options for data classified as sensitive under WVU policy are listed below. If your research requires storage that is not listed here, please send an email to researchdataprotectionsupport@mail.wvu.edu.

For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP.
Data Agreements

Depending on the type of research and the data requirements, a Data Use Agreement may be needed to transmit data in/out of the institution or share PHI (HIPAA) or other types of sensitive or identifiable data with other entities

For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP
Data Protection Request Form

Click the button above to review information about the WVU Research Data Protection Form. WVU provides this automated form to assist the researcher with the following steps in safeguarding the data during the conduct of Human Subjects Research and efficiently obtaining required approvals. 

The automated form will:

  • Classify the Identifiable Data According to University Policy
  • Facilitate approvals for access to medical/dental records/PHI and approved storage
  • Facilitate approval for storage plans (approved and unapproved)
  • Facilitate review of international components, unapproved software, new technology
  • Facilitate the review and approval of Data Use Agreements and other agreements by WVU OSP
You will receive a Data Protection Certificate within minutes for Low and Medium Risk Data or for high-risk data it may take 3-6 days for approvals to be complete to receive the Data Protection Certificate.  Approvals for software, international components and data agreements will be completed separately and may take additional time depending on the request.  We ask that you plan accordingly when beginning your project.  The Data Protection Certificate must be attached to the INITIAL protocol submission for human subjects research. Approvals for software, participant payment methods, data agreements can be uploaded when received. 

WVU Data and Information Security Policies

BOG Governance Rule 1.11 - Information Technology Resources and Governance

Information Security Policy

Sensitive Data Policy (NIST, HIPAA-PHI)

Sensitive Data Protection Standard

HIPAA Hybrid Entity Designation Policy

WVU Office of Human Subjects Research SOPs


Data Storage

Based on risk, the currently approved storage plans are provided below:

Low Risk

The research does not include collecting, using, or transferring identifiable data. You may collect and/or store project data using the following technology solutions:

Approved Storage/Technology:

  • University network drive (HSC or WVU)
  • University OneDrive or SharePoint
  • MIX Google Drive
  • University-owned device
  • Personal device (Students only)
  • U se of University Devices is required for employees.
  • Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.

WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information

Medium Risk

The research includes the collection or use of personally identifiable information by a WVU Non-Covered Entity (Defined as Research PII and considered CONFIDENTIAL according to WVU policy)

Approved Storage/Technology: 
  • University network drive (HSC or WVU) o Storage on Personal network drive (e.g., J:, N:, Y:)
  • University OneDrive or SharePoint o University-owned device
  • WVU Research Data Depot (minimal charge for use)
  • Access to files must be limited to research project personnel only, with access regularly reviewed to remove personnel no longer on the project.
  • Use of University Devices is required for employees.
  • Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.

WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information 

High Risk - Sensitive Data PHI

The research includes the use or collection of HIPAA Protected Health Information
HSC ITS Approved Storage/Technology:

HSC Plan A - WVU HSC Managed Network Server

  • Encrypted secure file server location accessible on HSC internal network.
  • Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP.
  • Student access available through Windows Terminal Server onsite or offsite.

This solution requires the following:

  • WVU Login account.
  • HSC managed encrypted desktop for faculty and staff.
  • Windows Terminal Server for students.
  • Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.


HSC Plan B - HSC VDI

  • Virtual desktop environment that has security controls in place to protect the movement of confidential, sensitive and/or PHI data. 
  • Isolated, secure network storage/processing environment for analyzing and data collection. 
  • Accessible onsite at HSC, and offsite via website.
  • Currently offered software: Excel, SAS, JMP, R Studio (Is currently not compatible with SPSS).
  • Students will use VDI for data collection and analysis.
  • Faculty can use VDI for data collection and analysis or use Forcepoint Data Loss Protection (DLP) software to access secure network file storage environment. Forcepoint DLP software will permit faculty to utilize software installed on their local PC/Mac with needed controls for sensitive data.

This solution requires the following:

  • WVU HSC Login account with MFA
  • VDI is the required processing/storage location for any projects that contain DHHR/PEIA/WV Medicaid and Medicare data.
  • VDI is the required storage location for student data collection and analysis.
  • Forcepoint DLP software is an option for faculty needing to analyze sensitive data using locally installed PC/Mac software to access shared network file storage . This is accessible to VDI/Forcepoint DLP users. Faculty may be responsible for annual Forcepoint DLP license fee.    
  • Data that needs to be exported from the VDI environment must be de-identified and approved by the HSC Privacy and Security office.


HSC Plan C - WVCTSI RedCap Server

  • Encrypted secure web and database server accessible on HSC internal network
  • Survey access available for public collection
  • Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP
  • External PIs and student access available through Windows Terminal Server onsite or offsite.

This solution requires the following:

  • WVU Login account with MFA
  • HSC managed encrypted desktop for faculty and staff.
  • Windows Terminal Server for students.
  • Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.


HSC Plan D - Oncore / Advarra

Clinical Trial management system


This solution requires the following:

Requirements are based on CRU policies.


HSC Plan E - HSC Qualtrics

  • Qualtrics is Health Information Trust Alliance (HITRUST) certified
  • Encryption of data in transit and at rest (except for email messages)
  • Offers survey security and sensitive data controls
  • Accessible from an HSC managed device or HSView


The solution requires the following:

  • Prior approval is required for each project before the WVU HSC HIPAA Qualtrics Brand may be used to create surveys for the collection of sensitive data. Approval from the Chair of the Department or Administrator of the unit is required.
  • HIPAA data is only approved for storage in the WVU HSC HIPAA Qualtrics brand, not the WVU Qualtrics brand. Surveys that will collect health information may only be created in the WVU HSC HIPAA Compliant Qualtrics Brand and no other brand of Qualtrics.
  • WVU Login account with MFA
  • Users with access to the WVU HSC HIPAA Qualtrics Brand must only login from an HSC managed computer with DLP, or access via the HSC VDI environment (HSView)
  • Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data


HSC Plan F - Sponsor's Database


This solution requires the following:

  • Requirements are based on Sponsor’s regulations and compliance standards
  • BAA for data with HIPAA compliance requirements


HSC Plan G - HSC SharePoint

  • HIPAA compliant framework is available for departments storing ePHI
  • Includes additional controls such as restrictions on downloading data
  • Data at rest (Bitlocker) and data in transit (TLS) used for encryption
  • Includes Advanced Threat Protection (ATP) and Data Loss Prevention (DLP)

 

Requirements:

  • WVU Login Account integration with MFA


High Risk - Sensitive Data Non-PHI 

Your project includes high risk data and/or data classified as  Sensitive by University policy. You must use the following technology solutions.

WVU ITS Approved Storage/Technology:

  • Data must be stored on a WVU or HSC network drive only.
  • Access to files must be limited to research project personnel only, with access regularly reviewed to remove personnel no longer on the project.
  • Access data with a University device ONLY. Storage of sensitive data is not permitted on the device. Use of personal devices is strictly prohibited.
  • RedCAP or HSC Qualtrics may be used to collect information and/or for electronic informed consent.



Pursuant to the Sensitive Data Protection Standard, Sensitive Data requires strict data protections. The use of unapproved technology solutions such as GoogleDrive, University OneDrive/SharePoint, Dropbox, SurveyMonkey, or Wufoo is not approved and should never be used to interact with study participants.