Regulations and Policies

Federal Regulations

Table of federal data security and protection regulations (policy, followed by its description).

HIPAA Privacy Rule:
  • Conditions under which protected health information may be used or disclosed by covered entities for research purposes
  • Defines informed consent for research

Common Rule (45 CFR Part 46, Subpart A):
  • Compliance by research institutions
  • Researchers' obtaining, waiving, and documenting informed consent
  • Institutional Review Board (IRB) membership, function, operations, review of research, and record keeping

FDA (21 CFR Parts 50 and 56): Federal laws and regulations pertaining to food and drugs, both legal pharmaceuticals and illegal drugs.

NIST SP 800-171: Confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations.

Department of Defense Cybersecurity Maturity Model Certification (CMMC): A verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI).

Defense Federal Acquisition Regulation Supplement (DFARS): Department of Defense (DoD) cybersecurity regulations regarding external contractors and suppliers.

International Traffic in Arms Regulations (ITAR): Export and import of items and data related to defense articles.

Department of Commerce Export Administration Regulations (EAR): Export of "dual-use" items, including goods and related technology, technical data, and assistance that are designed for commercial purposes but could have military applications.

Treasury Department Office of Foreign Assets Control (OFAC): Economic and trade sanctions based on US foreign policy and national security goals.

European General Data Protection Regulation (GDPR): Legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018.

Institutional Policy

Table of WVU institutional policies for data security and protection (policy, followed by its description).

WVU Acceptable Use Policy: Rules that govern the use of the devices and information systems at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University ("University Technology Resources") to ensure both the protection of University Data and compliance with University policies and applicable laws and regulations.

WVU Information Security Policy: Safeguarding hardware, software, and information systems utilized at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University ("University Technology Resources") to ensure the Confidentiality and Integrity of University Data.

WVU Sensitive Data Policy: Classification and security of data collected, generated, used, or stored by or on behalf of West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University ("University Data").

WVU Data Retention Policy: Systematic review, retention, and destruction of Records received or created at West Virginia University, including West Virginia University Institute of Technology and Potomac State College of West Virginia University (collectively the "University").

Data Destruction & Sanitation Policy: Establishes the minimum sanitization requirements pertaining to data, storage media, and/or device(s). This Standard is based on NIST SP 800-88: Guidelines for Media Sanitization.

WVU Procurement: Processes and services for the purchase of research-related technologies; includes information security reviews.

Research Standard Operating Procedures

Table of WVU Research SOPs related to data security, protection, and privacy (SOP, followed by its description).

RDM SOP 001: Research Data Management and Protection at WVU
RDM SOP 002: Use of WVU Health System Medical/Dental Records
RDM SOP 003: Human Research Data Protection
RDM SOP 004: Audit and Oversight of NIH Data Management and Sharing Plans
RDM SOP 005: Research Data and Technology Risk Management
RDM SOP 006: Research Data Risk Categories
  • (SOP 012) Informed Consent
  • (SOP 035) Onsite Tissue or Data Repository
  • (SOP 038) Research Data Retention and Destruction

WVU Human Subject Data Protection Process:
  • Collecting and using data for research
  • Ensures approved storage and technologies are used for human subjects research
  • Notifies OSP, Export Control, Technology Transfer, Procurement, Information Security, and others that approvals may be needed for data transfer/sharing or for unapproved software and hardware used in research
  • REDCap access
  • IDR access
  • Database accounts
  • iLab
  • Delivery of requested patient data