SOP 036: Research Data Protection and HIPAA

1. Purpose

The policy and procedures for protecting research data and ensuring compliance with regulations such as HIPAA are outlined in this SOP.

2. Scope

This policy applies to all protocol submissions to the WVU OHRP and requests for Data Use Agreements related to human subject research conducted under the auspices of WVU.

3. Background

WVU uses an automated form with workflows to manage compliance and to track and approve researcher requests to use and store secondary data, as well as to approve storage for primary data. Based on the responses to questions on the form, the request and storage plan are reviewed by the appropriate ITS departments, and HIPAA requirements are determined based on the WVU HIPAA Hybrid policy. Additionally, notifications are sent to departments such as Export Control and the Office of Sponsored Programs to give advance notice of research that may impact those departments.

4. Responsibility

  • The PI is responsible for completing the process outlined in the Procedures section as the first step in a research project. (This process must be completed before submitting a protocol and before requesting a data agreement.)
  • The PI is responsible for understanding the data requirements, institutional policies, and regulatory requirements for the research project. For example, the type of data (PHI, PII, anonymous, deidentified), the risk related to the data, and the process for transmitting data into or outside the institution.
  • The WVU Information Technology Services departments are responsible for providing appropriate storage options and requirements and approvals for the research data and approving data protection as appropriate for the risk and regulatory requirements, including HIPAA.
  • The WV CTSI is responsible for reviewing requests for institutional medical and dental records and biospecimen/data repository data, including a review for HIPAA compliance.
  • The WVU Office of Sponsored Programs is responsible for ensuring regulatory and institutional compliance related to Data Agreements.
  • The WVU IRBs are responsible for ensuring the WVU Research Data Protection process has been completed for each protocol submission. WVU IRB determinations regarding the Research Data Protection process are only applicable to federal regulations governing human subject research, HIPAA requirements, and institutional policies affecting the human subject research.

5. Procedures

  1. Risk related to the data and the type of data
  2. Storage requirements and next steps
  3. Additional compliance steps that may be required, such as a HIPAA Waiver of Authorization.
  4. A summary of the information the PI provided when completing the form for the research project records.
  5. Instructions for next steps if other approvals are needed for new software, hardware or participant payment systems.
  6. A formal record of PI attestation of the following:
    1. The information submitted regarding the data is accurate
    2. Compliance with the storage requirements
    3. Agreement to complete a new Data Protection form if a change in the data requirements occurs that will impact the risk assigned to the data or the data type. For example, the data will be transmitted outside of the institution; identifiers will be included, etc.
  • The PI attaches the Data Protection Certificate to the protocol submission using the automated protocol submission system.
  • The completed form is stored in a WVU electronic system and can be referenced by the number automatically assigned and printed on the Data Protection Certificate.
  • The WVU OHRP IRB staff reviews the submission to ensure that the Data Protection Certificate is attached. If the Data Protection Certificate indicates other agreements or forms are needed, the WVU OHRP staff ensures that the materials are received before the protocol can be acknowledged or approved by the WVU IRB.
  • The WVU IRB (the HIPAA Privacy Board for WVU) reviews and considers the information within the Data Protection Certificate submitted as part of the research protocol. WVU IRB ensures that privacy and confidentiality of the data being collected, utilized, and/or shared as part of the research is consistent with federal regulations governing human subject research, HIPAA requirements, and institutional policies affecting the research, as applicable.
  • The Data Protection Certificate and other required agreements and forms, such as the HIPAA Waiver of Authorization, are stored in the automated protocol submission system.

6. References

WVU Policies:
  • WVU HIPAA Hybrid Entity Designation
  • WVU Information Privacy Policy
  • WVU Sensitive Data Policy
  • WVU Data Retention and Destruction Policy

Federal Regulations:
  • HIPAA Safe Harbor
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • HHS HIPAA Privacy Rule (2000)
  • HHS HIPAA Security Rule (2003)

AAHRPP:
  • Element II.3.E
  • Element II.3.F