Guidance on Data Security for Boston University Medical Campus Researchers

February 2025 Issue

Author(s):

  • David Corbett, J.D., Information Security Compliance Manager and HIPAA Security Officer

PRINT

Purpose

The purpose of this guidance is to provide general considerations for Boston University Medical Campus (BUMC) researchers on managing data security in human subjects research studies reviewed and approved by the Boston Medical Center / Boston University Medical Campus Institutional Review Board (BMC/BUMC IRB).  BMC researchers should seek guidance from the BMC Research Technology Program.

 

Data Security Requirements

University Data is information generated by, owned by, or otherwise in the possession of Boston University that is related to the University’s activities, including research data.  University Research data is subject to BU’s Data Protection Standards.  Under the University’s Data Classification Policy, data are categorized as Public, Internal, Confidential or Restricted Use with varying standards for protection that must be applied.

 

What are my Responsibilities as a BUMC Researcher?

  • Researchers who collect or utilize research data are responsible for accessing, storing, transferring, and processing data on systems that have appropriate security measures for the classification of data being used.  

  • Researchers should itemize the kinds of data being collected and/or utilized as part of their research, and determine what level of security is needed for their data.

  • Researchers should consult with IS&T and/or their local IT support groups to determine the best way to access, store, and use their data, particularly for data categorized as Confidential or Restricted Use.

 

Examples of Research Data and Corresponding BU Data Classification

  • While most research data at BU are not subject to the HIPAA Privacy Rule, the HIPAA de-identification standard  (removal of 18 data elements – e.g., email addresses, phone numbers, dates of birth, dates of treatment, cities, zip codes, etc.) is still the gold standard. When data are de-identified in the manner of the HIPAA Privacy Rule, there are no specific requirements for platform-use at BU, as the data are categorized as Public.

  • Similarly under the HIPAA Privacy Rule are data that are considered Limited Data Sets; meaning, they contain protected health information* that excludes direct identifiers, effectively anonymizing data by limiting the elements to dates, cities and zip codes. When human subject health information is anonymized in the manner of the HIPAA Limited Data Set standard, the BU Shared Computing Cluster can be used, since the data is categorized as Confidential .

  • The research is health* related and includes some personally identifiable information such as email addresses, phone numbers, facial images in pictures/videos (even if there is no name associated with the image), etc. making the data categorized as Restricted Use.  At BU, several services are cleared for Restricted Use data, including the following:

    • BU Restricted Use network drive (nas-RU1 or BUMC Y Drive);

    • BU Office365 apps, such as SharePoint, OneDrive, Teams, and Bookings With Me;

    • BU REDCap advanced survey tool

    • BU Qualtrics survey tool

 

Considerations for IRB Applications

As part of the IRB’s role in protecting the rights and welfare of human subjects, researchers must identify which electronic platforms, data transfer methods, data/document storage plans, etc. are being proposed in the research. This information can be documented in the Confidentiality of the Data section of the IRB application. BU’s InfoSec has provided sample language that can be used in the Confidentiality of the Data section of the IRB application.

Researchers are encouraged to consult with IS&T on the use of third-party data collection, storage, or analysis applications proposed for their research. Providing the IRB with correspondence with BU IS&T verifying the appropriateness of novel or third-party applications can facilitate the IRB’s review of the Confidentiality of the Data plan.

 

FAQs Answered by BU’s Information Security

Data Storage & Security Questions

1.   I have completed my research study and need to save the data for 7 years. How do I do this?

The purpose of the 7-year retention requirement for research data is both to (1) comply with a federal requirement; and (2) enable the University to respond to litigation/legal/subpoena requests. As such, the data should be maintained at BU.  BU’s IS&T offers several storage options, including BU network drive. 

2.   I want to store my data on a password-protected computer that will be stored in a locked office, but someone mentioned BU requires encryption as well. Is that true?

Yes, the BU Data Protection Standards require encryption for all non-Public data, including Confidential and Restricted Use data, even when a computer or device is stored in a locked office. 

Generally, researchers should be using BU-managed computers that come with encryption, patch management, and advanced threat protection that will alert BU Information Security if an attack is suspected.  Students can use personal computers to work with anonymized data on the Shared Computing Cluster or another location, but data should never be stored on a personal computer. 

3.   When can I use BU Google Apps?

If the data is identifiable but not health-related (e.g., decision making, texts/day), BU Google Apps can be used. Also, if the data is anonymized and not considered a HIPAA Limited Data Set from a HIPAA Covered Entity, subject to a data use agreement (DUA), then BU Google Apps can be used.  For more information on DUAs, please contact BU’s Office of Industry Engagement.  

 

Data Transfer & Communications Questions

1.   As part of my field research, I am recording interviews using my cell phone and uploading to the BU networked shared drive. However, my collaborators do not have access to the BU networked shared drive and wish to text me audio recordings of interviews they have collected. Is there a better way to handle this?

Consult with IS&T for the latest recommendations, however, most recently they have recommended researchers use BU Office365 SharePoint or OneDrive folders for data transfer. The SharePoint or OneDrive folder can be shared with collaborators using their professional email account (personal addresses should not be used).  Collaborators can download the SharePoint, Teams, or OneDrive app to their phones. 

2.   What platforms can I use to share health-related* information?

To avoid study staff using their personal cell phones to call research participants, BU has several recommended options:

3.   What platforms can I use to send appointment updates and reminders with no disclosure of health-related information?

  • BU Microsoft Outlook can be used for scheduling and sending Teams and Zoom invites.

  • BU cell phones can be used by researchers who are not part of a BU HIPAA component to text appointment information and reminders.

  • Google Voice can be used by researchers who are not part of a BU HIPAA Component to send and receive text messages for scheduling and appointment reminders.  HIPAA Components cannot send text messages because cell phone carriers do not sign HIPAA Business Associate Agreements.  Cell phone carriers become a business associate when they store text messages, to or from patients.       

  • WhatsApp, Gmail Chat, or iMessage can be used for appointment setting or updating by researchers who are not part of at BU HIPAA Component, but cannot be used to request or send health-related information.WhatsApp is a Meta product; and while the messages are sent with encryption, Meta has access to information on phones that use their products. Companies such as Meta, Google, and Apple use and share information about their users. For this reason, a study should not require use of these apps unless the Consent outlines how data is collected and shared by the company with third party companies.

 

Questions on Consenting Participants Remotely

1.   Can I use BU REDCap for electronic consent that will contain questions about health-related matters?

2.   I would like to use Google Forms to consent participants, is that ok?

  • If you are not conducting health-related* research, Google Forms may be OK to use. However, if you are conducting health-related research, then we suggest using BU Adobe Sign or BU Microsoft Forms to share a Consent form.  Another Restricted Use/HIPAA compliant option is to collect participant consent using BU Qualtrics.

 

Contact Us and Additional Resources

Please use the below additional resources, or reach out to BUMC Information Security at bumcinfosec@bu.edu.

* Health-related information is very broad, including stress or anxiety related to school; but does not typically include social engagement, decision making, number of texts sent per day, or educational practices, strategies, or effectiveness.