Skip to main content

WVU Research - Data Protection Certification

WVU Research Data Protection Process

To expedite approvals and to strengthen compliance for collecting and using data for research, WVU provides the Data Protection process for human subjects protocols (all protocol types). The form is a smart form and will notify other compliance departments based on your responses (data agreements, WVU medical record use, international components and unapproved software). The departments responsible for the compliance area will reach out to you if further action is needed (typically within 3-5 business days). 

Please note that while you may receive and approved data protection certificate, the research cannot begin until all approvals and agreements are complete. 

The Data Protection Request Form is required for ALL INITIAL and NEW Protocols - This includes expired protocols that are entered as new.

Submit a WVU Research - Data Protection Request Form

Modify a Submitted Data Protection Form

within minutes or emails indicated subsequent required approvals. Click here to view a SAMPLE DATA PROTECTION CERTIFICATE.  After approvals are complete, you will be emailed a Medium or High Risk Data Protection Certificate. 


How the process works:

Researchers complete a Data Protection Request Form (formally the Data Intake Form), depending on the request and risk related to the data, the submitter will receive a Data Protection Certificate within 30 minutes or within 5-7 days.  

Other approvals may be needed for data agreements, unapproved technology, technology services and non-standard data storage plans may take 2-3 weeks to be approved.  

The Data Protection Certificate will be sent when the data storage plan is approved to facilitate protocol submission, however all approvals must be completed BEFORE research can begin. The responsibility for ensuring all needed approvals are provided by the University is the responsibility of the PI. 

Additionally, the Data Protection Form provides preliminary guidance related to HIPAA waiver applicability but the WVU IRB makes the final determination as WVU's HIPAA privacy board. 


Risk
Approval Time
Data Description

LOW RISK
DP Certificates 

Automatically emailed to the submitter within 15 minutes.
Applies to:
  • De-identified data where the source is not a WVU HS medical record 
  • Data collected anonymously
  • Data from public sources
  • Data from sources with no identifiers.  
Click here for a list of identifiers .
MEDIUM and HIGH RISK
DP Certificates


Automatically emailed to the submitter within 15 minutes IF standard storage plans can be used.
Applies to:  
  • Data that includes identifiers that are not considered HIPAA-PHI
  • De-identified/Coded data from a WVU Health System Medical Record 
Click here for a list of identifiers

If an approved storage plan can NOT be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks depending on the request.

HIGH RISK
DP Certificates
(HIPAA- PHI/Sensitive Data)

NOT Automatically emailed within minutes.  (5-7) Days for medical/dental record access and storage plan review) 
Applies to:
  • Data that includes identifiers from WVU Health System  medical/dental records (including Limited Data Sets)
  • HSC repositories 
  • Sensitive data under WVU University policy.

Approvals may take 5-7  business days depending on the request. The WV CTSI Privacy Review is part of the review for requests for WVU HS medical records. 

If an approved storage plan can NOT be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks depending on the request.

 
The process will provide researchers with:
  • The classification of risk for the data to be used and stored in support of the research
  • The WVU ITS/WVU-HSC ITS approved storage plan(s) for the data
  • The WVU ITS/WVU-HSC ITS approved technology products for research
  • The WVU approved participant payment methods
  • HIPAA approval and institutional review of requirements for WVU Health System data (medical records)
The process will automatically notify the correct departments for:
  • The Office of Export Control for requirements related to international research components
  • The Office of Sponsored Programs to begin the Data Use Agreement process
  • Other departments related to the approval of new technology, technology services, or participant payment methods

Changes to Approved Forms:

If data requirements change after the DP Certificate is received, a new form must be submitted reflecting the change (research project personnel, data source, data variables). Research projects using High Risk data must report all changes in Research Personnel.  Click on the link above for instructions on how to easily submit a change.