1. Purpose
The policy and procedures for protecting research data and ensuring compliance with regulations such as HIPAA are outlined in this SOP.
2. Scope
This policy applies to all protocol submissions to the WVU OHRP and requests for Data Use Agreements related to human subject research conducted under the auspices of WVU.
3. Background
WVU uses an automated form with workflows to manage compliance and to track and approve researcher requests to use and store secondary data and to approve the storage for primary data. Based on the responses to questions on the form, the request and storage plan are reviewed by the appropriate ITS departments, and HIPAA requirements are determined based on the WVU HIPAA Hybrid policy. Additionally, notifications are sent to departments such as Export Control and Office of Sponsored Programs for advance notice of research that may impact the departments.
4. Responsibility
- The PI is responsible for completing the process outlined in the Procedures section as the first step in a research project. (This process must be completed before submitting a protocol and before requesting a data agreement.)
- The PI is responsible for understanding the data requirements, institutional policies, and regulatory requirements for the research project, for example, the type of data (PHI, PII, anonymous, deidentified), the risk related to the data, and the process for transmitting data into or outside the institution.
- The WVU Information Technology Services departments are responsible for providing appropriate storage options, requirements, and approvals for the research data and for approving data protection as appropriate for the risk and regulatory requirements, including HIPAA.
- The WV CTSI is responsible for reviewing requests for institutional medical and dental records and biospecimen/data repository data, including a review for HIPAA compliance.
- The WVU Office of Sponsored Programs is responsible for ensuring regulatory and institutional compliance related to Data Agreements.
- The WVU IRBs are responsible for ensuring the WVU Research Data Protection process has been completed for each protocol submission. WVU IRB determinations regarding the Research Data Protection process are only applicable to federal regulations governing human subject research, HIPAA requirements, and institutional policies affecting the human subject research.
5. Procedures
- Risk related to the data and the type of data
- Storage requirements and next steps
- Additional compliance steps that may be required, such as a HIPAA Waiver of Authorization.
- A summary of the information the PI provided when completing the form for the research project records.
- Instructions for next steps if other approvals are needed for new software, hardware or participant payment systems.
- A formal record of PI attestation of the following:
  - The information submitted regarding the data is accurate.
  - Compliance with the storage requirements.
  - Agreement to complete a new Data Protection form if a change in the data requirements occurs that will impact the risk assigned to the data or the data type. For example, the data will be transmitted outside of the institution; identifiers will be included, etc.
6. References
WVU Policies:
WVU HIPAA Hybrid Entity Designation
WVU Information Privacy Policy
WVU Sensitive Data Policy
WVU Data Retention and Destruction Policy
Federal Regulations:
HIPAA Safe Harbor
Health Insurance Portability and Accountability Act (HIPAA) of 1996
HHS HIPAA Privacy Rule (2000)
HHS HIPAA Security Rule (2003)
AAHRPP:
Element II.3.E
Element II.3.F