Search within:

Sensitive Identifiable Human Subject Research

Definition: A human subject is defined by federal regulations as a "living individual about whom an investigator (whether professional or student) conducting research obtains:

(1) data through intervention or interaction with the individual, or

(2) identifiable private information."

Identifiable private information, also known as personally identifiable information (PII), is considered sensitive if disclosure of such data would pose increased social, reputational, financial, legal, employability, or insurability risk to the research subjects. Sensitive identifiable human subject research data must adhere to requirements that mandate that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

Data Classification Level: High

Governing Authority: Federal Policy for the Protection of Human Subjects ("Common Rule")

Responsible Operating Unit: Office of Research Compliance

Examples: Identifiable information in the context of sensitive identifiable human subject research refers to information containing one or more data elements that can be combined with other reasonably available information to identify an individual. Examples of such may include, but not be limited to: social security number, health care record number, statements about an employer, illegal behavior, instances of intimate partner violence, information about an individual's mental health, or genetic information.

List of IT Services & Tools

For the definition of terms related to the categories below, please reference the Glossary of Permission Levels.

Acceptable IT Services & Tools:

  • Qualtrics
  • REDCap including MyCap
    • Note: To utilize the MyCap app with HIPAA Data you must first consult with the information security office.

Consultation Required:

  • NAS departmental shared storage ( - With OIT consultation to ensure data encryption.
  • NAS individual home storage ( - With OIT consultation to ensure data encryption.
  • OnBase - With OIT consultation.
  • OneDrive/M365 Groups - With OIT consultation and Group setup according to the Storing Sensitive Data within OneDrive Standard.

Not Permitted IT Services & Tools:

  • Learning Management Systems: Blackboard and Canvas
  • Adobe Creative Cloud
  • Personal OneDrive/M365 individual accounts
  • PeopleSoft
  • Personal cloud storage accounts
  • Personal/Non-University owned devices

If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.