PHI must be appropriately protected during all research activities, including:
- Collection - Acquire data from clinical or field data collection processes, or from existing research data sources such as health record databases.
- Transmission - Move data from one place to another.
- Storage - Keep data on a system for a shorter (90 days) or longer period of time for analysis.
- Computation - Perform analysis on data with various software packages.
- Archival - Store data and results after the study ends for policy compliance and research reproducibility.
For example, for a clinical study, you might collect and store data in OnCore, collect and store data via data collection forms and a patient registry in REDCap, compute data using statistical software on a HIPAA Compute Enclave to perform analysis, transmit intermediate results to colleagues using a Box Health Data Account, compute by making data analysis charts with Tableau, and archive the input data and results on the Scholarly Data Archive (SDA) to ensure research reproducibility.
The IU IRB must ensure protocols include adequate mechanisms for ensuring confidentiality of research data. IU and its affiliates have agreed that the following systems provide adequate provisions to protect confidentiality of research data. If research personnel will use only these systems to collect, transmit, store, compute, and archive research data, the IRB may find that adequate provisions exist to maintain confidentiality of data without additional information.
For more information about these services, contact:
- OCR: IU Office of Clinical Research firstname.lastname@example.org
- CAITS: Clinical Affairs IT Services email@example.com
- RT: UITS Research Technologies firstname.lastname@example.org
- UITS: University Information Technology Services email@example.com
If PHI is lost, stolen, or misdirected, institutional reporting requirements may apply. IU research personnel should review the IU Policy on Information and Information System Incident Reporting, Management, and Breach Notification. All other research personnel should refer to their own institutional policies or consult with their institutional privacy officer.