The Research Office provides the following guidance related to the data used, collected, or transmitted during the conduct of research at WVU.
Note that products used for data storage, transmission, and collection are approved and provided by the WVU ITS departments. New products must be purchased and approved using the WVU standard process.
WVU policy related to information security, privacy and data classification. If additional information is needed, contact the WVU Information Security Office.
WVU Classifications for Identifiable Research Data
How identifiable research data is classified at WVU.
For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP.
A list of approved software for collecting identifiable research data directly from research participants. Identifiable means that the researcher knows the identity of the participant at the time the data was collected. Data can later be de-identified for publication and other purposes; however, this is considered Data Collection - Identifiable. Use of data collected by a secondary source is not considered data collection.
Storage options for data classified as sensitive under WVU policy are listed below. If your research requires storage that is not listed here, please send an email to researchdataprotectionsupport@mail.wvu.edu.
- NIST 800-171: WVU will soon have approved cloud-based storage for NIST 800-171 data. Contact ResearchDataProtectionSupport@mail.wvu.edu.
- HIPAA Protected Health Information (PHI) - Storage Options are available from WVU Health Sciences ITS. HIPAA Identifiers
- Research Personally Identifiable Information (RPII) - Classified as confidential by the University - Storage options are available from WVU ITS. Research PII Identifiers
- Anonymous or data received as de-identified (the researcher will never know the identity of a participant)
Depending on the type of research and the data requirements, a Data Use Agreement may be needed to transmit data in/out of the institution or share PHI (HIPAA) or other types of sensitive or identifiable data with other entities.
Information about the WVU Research Data Protection Form. WVU provides this automated form to assist the researcher with the following steps in safeguarding the data during the conduct of Human Subjects Research and efficiently obtaining required approvals.
The automated form will:
- Classify the Identifiable Data According to University Policy
- Facilitate approvals for access to medical/dental records/PHI and approved storage
- Facilitate approval for storage plans (approved and unapproved)
- Facilitate review of international components, unapproved software, new technology
- Facilitate the review and approval of Data Use Agreements and other agreements by WVU OSP
You will receive a Data Protection Certificate within minutes for Low and Medium Risk Data; for high-risk data, it may take 3-6 days for approvals to be completed before you receive the Data Protection Certificate. Approvals for software, international components, and data agreements will be completed separately and may take additional time depending on the request. We ask that you plan accordingly when beginning your project. The Data Protection Certificate must be attached to the INITIAL protocol submission for human subjects research. Approvals for software, participant payment methods, and data agreements can be uploaded when received.
WVU Data and Information Security Policies
- BOG Governance Rule 1.11 - Information Technology Resources and Governance
- Information Security Policy
- Sensitive Data Policy (NIST, HIPAA-PHI)
- Sensitive Data Protection Standard
- HIPAA Hybrid Entity Designation Policy
- WVU Office of Human Subjects Research SOPs
Data Storage
Based on risk, the currently approved storage plans are:
Low Risk - WVU/HSC
The research does not include collecting, using, or transferring identifiable data. You may collect and/or store project data using the following technology solutions:
Approved Storage/Technology
- University network drive (HSC or WVU)
- University OneDrive or SharePoint
- MIX Google Drive
- University-owned device
- Personal device (Students only)
- Use of University Devices is required for employees.
- Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.
WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information
Medium Risk - WVU
The research includes the collection or use of personally identifiable information by a WVU Non-Covered Entity (Defined as Research PII and considered CONFIDENTIAL according to WVU policy)
Approved Storage/Technology:
- University network drive (HSC or WVU)
- Storage on Personal network drive (e.g., J:, N:, Y:)
- University OneDrive or SharePoint
- University-owned device
- WVU Research Data Depot (minimal charge for use)
- Access to files must be limited to research project personnel only, with access regularly reviewed to remove personnel no longer on the project.
- Use of University Devices is required for employees.
- Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.
WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information
High Risk - Sensitive Data (PHI)
The research includes the use or collection of HIPAA Protected Health Information
HSC ITS Approved Storage/Technology
HSC Plan A - WVU HSC Managed Network Server
- Encrypted secure file server location accessible on HSC internal network.
- Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP.
- Student access available through Windows Terminal Server onsite or offsite.
Requirements
- WVU Login account.
- HSC managed encrypted desktop for faculty and staff.
- Windows Terminal Server for students.
- Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.
HSC Plan B - HSC VDI
- Virtual desktop environment that has security controls in place to protect the movement of confidential, sensitive and/or PHI data.
- Isolated, secure network storage/processing environment for data analysis and collection.
- Accessible onsite at HSC, and offsite via website.
- Currently offered software: Excel, SAS, JMP, R Studio (Is currently not compatible with SPSS).
- Students will use VDI for data collection and analysis.
- Faculty can use VDI for data collection and analysis or use Forcepoint Data Loss Protection (DLP) software to access secure network file storage environment. Forcepoint DLP software will permit faculty to utilize software installed on their local PC/Mac with needed controls for sensitive data.
Requirements
- WVU HSC Login account with MFA
- VDI is the required processing/storage location for any projects that contain DHHR/PEIA/WV Medicaid and Medicare data.
- VDI is the required storage location for student data collection and analysis.
- Forcepoint DLP software is an option for faculty needing to analyze sensitive data using locally installed PC/Mac software to access shared network file storage. This is accessible to VDI/Forcepoint DLP users. Faculty may be responsible for the annual Forcepoint DLP license fee.
- Data that needs to be exported from the VDI environment must be de-identified and approved by the HSC Privacy and Security office.
HSC Plan C - WVCTSI RedCap Server
- Encrypted secure web and database server accessible on HSC internal network
- Survey access available for public collection
- Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP
- External PIs and student access available through Windows Terminal Server onsite or offsite.
Requirements
- WVU Login account with MFA
- HSC managed encrypted desktop for faculty and staff.
- Windows Terminal Server for students.
- Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.
HSC Plan D - Oncore / Advarra
Clinical Trial management system
Requirements
Requirements are based on CRU policies.
HSC Plan E - HSC Qualtrics
- Qualtrics is Health Information Trust Alliance (HITRUST) certified
- Encryption of data in transit and at rest (except for email messages)
- Offers survey security and sensitive data controls
- Accessible from an HSC managed device or HSView
Requirements
- Prior approval is required for each project before the WVU HSC HIPAA Qualtrics Brand may be used to create surveys for the collection of sensitive data. Approval from the Chair of the Department or Administrator of the unit is required.
- HIPAA data is only approved for storage in the WVU HSC HIPAA Qualtrics brand, not the WVU Qualtrics brand. Surveys that will collect health information may only be created in the WVU HSC HIPAA Compliant Qualtrics Brand and no other brand of Qualtrics.
- WVU Login account with MFA
- Users with access to the WVU HSC HIPAA Qualtrics Brand must only login from an HSC managed computer with DLP, or access via the HSC VDI environment (HSView)
- Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data
HSC Plan F - Sponsor's Database
Requirements
- Requirements are based on Sponsor’s regulations and compliance standards
- An agreement signed by the institution
HSC Plan G - HSC SharePoint
- HIPAA compliant framework is available for departments storing ePHI
- Includes additional controls such as restrictions on downloading data
- Data at rest (Bitlocker) and data in transit (TLS) used for encryption
- Includes Advanced Threat Protection (ATP) and Data Loss Prevention (DLP)
Requirements
- WVU Login Account integration with MFA
Pursuant to the Sensitive Data Protection Standard, Sensitive Data requires strict data protections. The use of unapproved technology solutions such as GoogleDrive, University OneDrive/SharePoint, Dropbox, SurveyMonkey, or Wufoo is not approved and should never be used to interact with study participants.