Medium-Risk Data Approved Technologies (Public)

Owned by Amanda Griffith
Last updated: Jan 27, 2023 by Cassandra Rinker
2 min read

 

Medium-Risk Data is identifiable data that is considered confidential including identifiable private information under federal regulations such as the Common Rule, or FERPA educational records. The WVU Research Office uses the term “Research Personally Identifiable Information (RPII)” to refer to identifiable data that is not covered under HIPAA or the WVU Sensitive Data Policy.

If a named University Health Care Component is using coded data from a WVU Health System medical record, the data needs to be secured as High-Risk data.

Important things to remember about Medium-Risk Data:

  • RPII may include health information; however, if the department collecting the information from a participant is NOT a University covered component (“University Health Care Component”) the information is classified as Medium-Risk Data and is not PHI subject to HIPAA.

  • Research Personally Identifiable Information may include sensitive topics such as gender, race, or sexual preference; however, such information is not identified as Sensitive Data by the Sensitive Data Policy and is therefore classified as Medium-Risk Data.

  • Use of decedent medical records over 50 years old are not subject to HIPAA compliance but must be secured as Medium-Risk Data.

  • Coded or anonymized data is always considered Medium-Risk data.

  • WVU phones and/or voicemail must never be forwarded to personal phones/cell phones.

  • Pursuant to the University Electronic Mail Policy, personal email must never be used to conduct University research.

  • Faculty and staff who are provided a University Device through their employment with WVU must use that device to conduct research; however, personal devices may be used by students for projects using Medium-Risk Data provided the device meets the Bring Your Own Device Standard.

  • The definitions of Data Collection, Data Sharing, Data Transmission, and Data Storage can be found on the Approved Technologies for Research main article.

Icon Key: Approved Not Permitted Not Applicable

PRODUCT/METHOD

DATA COLLECTION

DATA SHARING

DATA TRANSMISSION

DATA STORAGE

In person via paper

Secure Fax

Paper via mail (e.g., USPS, FedEx, UPS)

Personal email

Personal phone

Faculty/staff personal device

Student personal device

Jabber

WVU Telephone

WVU Voicemail

Microsoft Teams (chat, SharePoint, calling)

WVU O365 Email

Microsoft OneDrive/SharePoint

MIX Email

MIX Google Drive

MIX Google Forms

WVU Personal Network Drive (e.g., J:)

WVU Network Drive (Common or Secure)

Qualtrics

FaceTime

WVU Zoom^

LiquidFiles

eCampus#

CloudResearch*

Cint*

Prolific*

Mturk*

Jumo%

SAS%

SPSS%

NVivo%

Atlas%

TranscribeMe^

Rev.com^

Health Sciences Center-specific technologies

HSC O365 Email

HSC Teams Chat/SharePoint

HSC OneDrive

HSC SharePoint

HSC Qualtrics

REDCap

HSC Zoom^

HSC NextCloud

HSC Globus

HSC sFTP

SOLE#

HSC Secure Research Environment (HSC VDI, secure network drive with DLP)

HSC Network Drive

Forte (OnCore/eReg)

SOD patient access portal

^Product is approved to be used for transcription services.

#Product is only approved for collection of data from and sharing data with WVU students or faculty for academic purposes.

*Product is approved to collect data and pay human subject research participants. Additional approvals are required from WVU Procurement to use products for participant payment.

%Product is approved for data analytics use.

Applications/software (e.g., Skype, Box, Dropbox, Survey Monkey, and Wufoo) that have not been approved by the University should never be used to interact with patients/study participants. If a product is required for research and is not listed here, complete an IT Purchase Request. Review and approvals of such requests could cause delays. Please plan accordingly.