Search within:

Identifiable Human Subject Research

Definition: A human subject is defined by federal regulations as a "living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information". Sensitive identifiable human subject research data must adhere to requirements that mandate that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

Governing Authority: Federal Policy for the Protection of Human Subjects ("Common Rule")

Responsible Operating Unit: Office of Research Compliance

Examples: Identifiable information in the context of sensitive identifiable human subject research refers to information containing one or more data elements that can be combined with other reasonably available information to identify and individual (i. e. social security number and health care record). Personally identifiable data (PII) is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Acceptable IT Services & Tools:

  • Qualtrics
  • REDCap inclduing MyCap
    • Note: To utilize the MyCap app with HIPAA Data you must first consult with the information security office.

Consultation Required:

  • NAS departmental shared storage ( - With OIT consultation to ensure data encryption.
  • NAS individual home storage ( - With OIT consultation to ensure data encryption.
  • OnBase - With OIT consultation.
  • OneDrive/O365 Groups - With OIT consultation and Group setup according to the Storing Sensitive Data within OneDrive Standard.

Not Permitted IT Services & Tools:

  • Blackboard
  • Adobe Creative Cloud
  • OneDrive/O365 individual accounts
  • PeopleSoft
  • Personal cloud storage accounts
  • Personal/Non-University owned devices

If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.