Electronic Data

• Personal health information (PHI): This is defined by HIPAA law and includes personal identifiers that are associated with medical information other than patient/subject self-reported information that may pertain to health. Information/data from medical records is considered PHI.
• Personal identifying information (PII): For the purposes of this policy, this includes information that identify a person including any or all the following: (1) names; (2) social security numbers; (3) birth dates; (4) addresses; (5) IP addresses; (6) other data that could reasonably lead to discovering a personal identity.
• Server: A server is a computer device with software that networks/links PCs and databases or web applications.
• PC/Personal computer: A standalone or networked computer as a desktop device.
• Laptop: A portable computer that includes traditional laptops, netbooks, and other portable computing devices that generally have full-range PC capacities.
• External drives: This includes everything from jump drives to external hard drives.
• Security tokens: Jump drive-like devices that contain security codes or de-encryptions to allow access to secure web-based data sets.
• Smartphones and other mobile devices: Portable devices that send and receive calls, emails, text phone messages, or other communications.
• Virtual Private Networks (VPNs): The university allows access to selected drives and folders on university servers from remote locations using software provided by the UK phone system. With a VPN, a researcher can connect to files from off-site computers using either Ethernet or wireless connectivity. VPNs are password-protected.
• File Transfer Protocols (FTPs): FTPs are used to transfer data from off-site computers to main campus servers via web connections to specified server files. 

The recommended electronic devices for entering and storing human subjects data are secure servers or stand-alone PCs that have encryption software for all PHI or other identifying data. 

• Stand-alone PCs can be used for data storage of de-identified data without encryption, but with password protection and access restricted to approved study personnel over the use of the PC.
• Server-based PHI or other identified human subjects data should be behind a firewall and be encrypted (e.g., OneDrive).
• Anonymous data that cannot be tracked back to a person, using cue information in the data set matched to other data sources, can be stored on servers without encryption, but still would require authorized password access.

• All students, faculty, and staff have access to OneDrive as a part of the Microsoft 365 account linked to their LinkBlue user ID and password.
• LabArchives - Electronic Research Notebook (ERN) institutional license for the UK research community. The ERN service is a secure, cloud-based software designed to replace paper notebooks and to move research record-keeping. It facilitates data storage, retention, and management of data. It enables original/raw data to be provided to those who request it and the ability to easily transmit and share data among any number of UK users; access rights are controlled by the Notebook Owner/Administrator.
• Advarra eSource and Electronic Data Capture administered by the Clinical Research Support Office (CRSO) for FDA-regulated investigations requiring compliance with FDA Part 11. It provides robust traceability of data entered or modified within the electronic forms. The EDC system will help streamline data collection, management, and monitoring/review. The system also provides the ability to capture electronic approval signatures of collected subject data. This system will enhance overall data integrity and quality for investigator-initiated studies enterprise-wide, especially those regulated by the FDA.

UK Information Technology (ITS) Approved Software – Sign in with UK LinkBlue ID to view instructions and the list of approved software applications.

Laptops may be issued by sponsors for specialized projects. These laptops are likely to have a high degree of security built in. However, sponsor-provided laptop devices should meet the same criteria as stated below.

• The device uses software that encrypts all personal health information (PHI) or other personal identifying information (PII).
• The data are formatted such that PHI or PII data are in files or tables kept separate from any clinical or research information about the persons.
• All files are password-protected in addition to the laptop having a password.
• Laptops can be used for anonymous data collection without encryption.

Only to be used under the following conditions:

• The jump drive uses files that have software to automatically encrypt the entire jump drive, including all PHI or PII.
• ORI does not recommend storing any clinical information on jump drives.

• Web-based PHI or PII data should be put into a secure web server (https), and the server should encrypt any PHI or other identifiers upon submission. The server should be behind a firewall.
• Web-based anonymous need not be encrypted. Firewall protections are advised but not essential.
• Sponsor web-based data sets may require the use of a security token, like two-factor authentication, to access files. Security tokens decrypt files and open them for investigators to do data entry. These devices are acceptable for web-based data entry.

• The device uses software that encrypts all PHI or PII.
• The data are formatted such that PHI or PII are in separate files or tables from any clinical or research information about the persons.

PHI or PII should be limited to email communications that are sent/received from a university-issued email address and a computer connected to a UK Medical Center (MC) firewall. Type #Secure or #Encrypt at the beginning of the subject line.

The university provides access to secure survey platforms. REDCap (Research Electronic Data Capture) is a secure, web-based application designed exclusively to support data capture for research studies. UK also has a site license for the Qualtrics tool for online survey creation, distribution, and reporting. 

Independent commercial survey programs where the data resides on servers owned by the survey (third-party) company. Investigators should obtain information about the tool’s security and privacy protections, including learning whether user IP addresses are captured and saved during completion of the surveys. Despite their stated privacy policies, many vendors, especially those who promote freeware, do in fact share IP addresses with their consortium of investors, and thus, absolute anonymity cannot be guaranteed to survey respondents.

The UK informed consent and survey templates include sample language regarding the protections and their limitations.  For more information, see the UK IRB Survey Research Webpage.

Use UK Healthcare or Campus Zoom Platforms with a unique meeting ID and password. 

The Office for Civil Rights, which administers HIPAA, has provided lists of platforms with end-to-end encryption.

• The UK Library provides resources for managing, analyzing, and sharing research data.
• NIH Security Best Practices for Users of Controlled-Access Data require that data managed on institutional IT systems and third-party computing infrastructures that meet certain standards in accordance with NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Effective on January 25, 2025, adherence to this standard will be included in new or renewed Data Use Certifications or similar agreements stipulating terms of access to controlled-access human genomic data, regardless of whether the Approved User is supported by NIH or not. View the list of repositories here. If your research involves data from one or more of these repositories, you are impacted by these new policies and must follow the instructions provided. If impacted, complete the REDCap (Research Electronic Data Capture) survey to be contacted by a consultant.