Skip to main content

Human Research Data Protection Process

Scope: NHSR and Human Subjects Research

Overview

To facilitate faster approvals for data agreements and IRB protocols and to strengthen compliance for collecting and using data for research, WVU requires the Data Protection process for NHSR and projects as a requirement to submit an IRB protocol.

The Data Protection Request Form is required for all initial and new protocols - this includes expired protocols that are entered as new. The Data Protection Certificate serves as the PIs attestation regarding the location of the data during research and when research has concluded. The certificate should be kept with project/study records. Change to data sources, technology, etc. requires a new form to be submitted when the change occurs.

Although the primary process is the protection of the data while it is stored and managed at WVU, the process also provides notification to the offices responsible for other research compliance requirements:

  • HIPAA Privacy Review/Honest Broker Requirements for WVU Medical Records
  • WVU Medicine notification of technology to be used for research in the clinical environment
  • Notification for Data Agreements
  • Notification to for unapproved software requests
  • Notification to the Office of Export Control that the research may have international compliance requirements
  • Notification to the Office of Technology Transfer for IP concerns

Post-Submission

After you submit the form, you may receive:

  • Emails indicating subsequent required approvals
  • Follow-up emails requesting additional information

After approvals are complete, the submitter will be emailed a Data Protection Certificate within 3-5 business days. Some approvals are automatic depending on risk (non-covered entity medium and low-risk submissions). Data Protection Certificates are emailed within an hour of submission.

If the submitter is not the PI, the PI should request an electronic copy of the form from the submitter for record keeping.

How the Process Works

Researchers complete a Data Protection Form, depending on the request and risk related to the data, the submitter will receive a Data Protection Certificate in email after approvals are complete.

If the PI is not the submitter, the submitter should be provide the PI with the Data Protection Certificate.

Other approvals may be needed for data agreements, unapproved technology, technology services and non-standard data storage plans. These approvals may take 2 to 3 weeks, please plan accordingly.

The Data Protection Certificate will be sent when the data storage plan is approved to facilitate protocol submission, however, all approvals (data agreements, software, purchases) must be completed BEFORE research can begin. The responsibility for ensuring all needed approvals are provided by the University is the responsibility of the PI.

The process will provide researchers with:

  • The classification of risk for the data to be used and stored in support of the research
  • The approved storage plan(s) for the data
  • The approved technology products for research
  • The WVU approved participant payment methods
  • HIPAA approval and institutional review of requirements for WVU Health System data (medical records)

The process will automatically notify the correct departments for:

  • The Office of Export Control for requirements related to international research components
  • The Office of Sponsored Programs to begin the Data Use Agreement process
  • Other departments related to the approval of new technology, technology services, or participant payment methods

Changes to Approved Forms

If data requirements change after the DP Certificate is received, a new form must be submitted reflecting the change (research project personnel, data source, data variables). Research projects using high-risk data must report all changes in Research Personnel.

Only the submitter can change the form––if the submitter leaves the project, the PI will not be able to modify the form.


Risk Categories

Table outlining risk categories and data protection certificate information. 
Low-Risk Data Protection Certificates
Automatically emailed to the submitter within an hour if research is NOT in a WVU HIPAA Covered Entity Only applies to non-covered entities:
  • De-identified data (If the source is an EMR, WV CTSI must verify)
  • Data collected anonymously
  • Data from public sources
  • Data from sources with no identifiers
Medium-Risk Data Protection Certificates
Automatically emailed to the submitter within an hour IF standard storage plans can be used and if the research is NOT in a WVU HIPAA Covered Entity Applies to covered and non-covered entities:
  • Data that includes identifiers that are not considered HIPAA-PHI
  • Data from an EMR not verified by WV CTSI

If an approved storage plan cannot be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks, depending on the request.

High-Risk Data Protection Certificates (HIPAA-PHI/Sensitive Data)
NOT automatically emailed. May take 5-7 days for medical/ dental record access and storage plan review. Please plan accordingly. Applies to covered and non-covered entities:
  • Data that includes identifiers from WVU Health System medical/dental records (including Limited Data Sets and Coded Data)
  • Clinical  repositories
  • Sensitive data under WVU University policy.
Approvals may take 5-7 business days depending on the request. The WVCTSI Privacy Review is part of the review for requests for WVU Health System medical records. If an approved storage plan cannot be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks, depending on the request.