Research Protocol Confidentiality Section
Paper documents – Information collected on paper, such as screening information, is stored in a locked file cabinet that only the research team has access to.
Electronic Data – The following sections identify what services are appropriate for each data classification. Generally, research teams will store identifiable health information and any codes (matrix of research subjects and their assigned Subject ID) in Restricted Use services and process anonymized data (e.g., Confidential HIPAA Limited Data Set) on a powerful BU managed computer or the MGHPCC Shared Computing Cluster. Data classified as Confidential must be processed on SCC4; SCC1-3 can be used for data classified as Internal or Public.
Restricted Use
- Data
  - HIPAA or personally identifiable health information used in research, such as Human Subjects Data
  - Financial/PII, such as SSN, driver license #, checking account # or debit/credit card # (even without PIN)
- Services
  - BU Office365 apps, such as SharePoint, OneDrive, Teams, PowerBI
  - BU REDCap or Qualtrics
  - BU Zoom or Zoom meetings for HIPAA Components
  - BU Restricted Use network drive (BUMC Y Drive)
  - BU Restricted Use Premium Secure Server*
  - BU Restricted Use Service
- Devices
  - BU Managed device with current OS: Windows 10 and encryption enabled
  - Send email to bumchelp@bu.edu to confirm all devices comply with the BU Secure End Point Standard
Confidential (HIPAA Limited Data Set)
- Data
- Services
  - All services listed above in Restricted Use
  - MGHPCC Shared Computing Cluster 4 (SCC4)
  - BU network drive
- Devices
  - BU Managed device with current OS: Windows 10 and encryption enabled
  - Send email to bumchelp@bu.edu to confirm all devices comply with the BU Secure End Point Standard
Confidential
- Data
  - FERPA
  - Human subject data that is not health related (e.g., texts/day), and not provided by a HIPAA Entity – such as BMC or another hospital
  - Human Subject health data with identifiers limited to dates, city, and Zip Code, and not provided by a HIPAA Entity – such as BMC or another hospital
- Services
  - All services listed above in Confidential (HIPAA Limited Data Set)
  - BU Google apps (Drive, Sheets)
- Devices
  - BU Managed device with current OS: Windows 10 and encryption enabled
  - Send email to bumchelp@bu.edu to confirm all devices comply with the BU Secure End Point Standard
Internal
- Data
- Services
  - All services listed above in Confidential
  - MGHPCC Shared Computing Cluster 1, 2, or 3 (SCC1-3)
  - New England Research Cloud
- Devices
  - BU Managed device with current OS: Windows 10 and encryption enabled
  - Send email to bumchelp@bu.edu to confirm all devices comply with the BU Secure End Point Standard
Public
- Data
  - Completely de-identified HIPAA data (e.g., no email, phone number, Zip Code, or dates of birth/death or treatment). See HIPAA Standard
  - Data already in the public domain that does not require protection
- Services
  - All services listed above in Internal
- Devices
  - No requirements for devices