Search Information Security site

 

Data Protection Guidance for Health Research

DISCLAIMER: The tips listed below are meant to serve as guidance on complying with policy and are NOT intended to convey legal counsel.

One of the primary responsibilities of InfoSec's policy team is to assist researchers at UVA with ensuring the privacy and security of research data.  In meeting this goal, our University can conduct research in a compliant manner, and we can also continue to provide those we serve with the peace of mind that their identity and health information can be entrusted into our care.  Establishing this trust with subjects and patients requires vigilance and adhering to the best industry practices for information security.  Below are some tips to consider when planning out data collection for your research. 

General Rules Governing Data Protection at UVA

When conducting research at UVA, there are a few elements of the University's policies and standard that will apply to all of the data collection, storage, and transmission you perform in your role.  The most critical of these are listed below.

  • Research data that you generate in your role falls within the scope of University policy in terms of the protections that are required in handling it (see definition for "Data" in IRM-003: Data Protection policy).
  • The use of a cloud service to store research data is not acceptable unless the service has been contracted by the University which entails review and approval by Information Security.  This requirement ensures that the vendor is suitable for handling the data that they will receive and that the terms of the agreement provide sufficient protections.  Centrally managed resources that comply with these requirements can be found on ITS Web in the Software Gateway.  Health System employees can also review Online Account Request to find additional options
  • Devices used for research at the University must be in compliance with University policy, particularly the Security of Network-Connected Devices standard.

Highly Sensitive Data (HSD) vs. Moderately Sensitive Data (MSD)

Health information that can be associated with an individual subject or patient via a personal Identifier is regarded as highly sensitive data (HSD) under University policy.  This means that if you are collecting information about an individual’s health, and that information is being paired or stored with an identifier (e.g. name, SSN, email etc.), the information that you have collected must be given the highest standards of protection.  Storing HSD onto your laptop/desktop or removable storage (e.g. thumb drives, external hard drives) requires an approved exception request.  Storing HSD on UVA Box is not compliant with University policy.  InfoSec advises the following resources for collecting and storing HSD:

  • A secured resource such as one of the servers identified in 1B(4) of the Data Security Plan (e.g. Health System server, Qualtrics HSD, UVA Bioinformatics REDCap)
  • HSCS email account managed and maintained by UVA Health IT
  • A departmental data collection/storage solution that has been reviewed and approved by Information Security (email it-policy@virginia.edu to confirm approval)

Alternatively, if you are collecting health information but it is not identifable because it has been coded with Subject IDs or de-identified through aggregation, then the data set is moderately sensitive data (MSD) under University policy.  Unlike HSD, MSD can be compliantly stored on desktops/laptops, removable storage (e.g. thumb drives, external hard drives), and on UVA Box.  While there is more flexibility for storing MSD than storing HSD, you should still make every effort to limit access to the data to those with a need to see it.  

Questions or Concerns

Feel free to reach out to our team at it-policy@virginia.edu if you have any questions regarding this page or any other element of IT policy and compliance at UVA.  We recognize that managing compliance to institutional requirements can require a lot of time and attention, so we are ready and willing to make ourselves available to assist.

 

 

 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form