Data & Privacy
1. Data Types
- Aggregate: Counts to determine frequency for collected elements or variables (e.g., patient cases).
- Results are most often used for study feasibility, funding applications, and regulatory submissions.
- De-identified: All protected health information (PHI) and any possible link to individuals are removed from that data.
- Coded-Limited: PHI will be removed except for clinical dates (e.g., service, diagnosis, procedure), city, state, zip codes, and age in years, months, days, or hours.
- Patient cases aged 90 years and older should be grouped into a single category (e.g., “age ≥90 = 38 patients”).
- Identifiable (PHI included): All PHI elements reflected in the IRB-approved protocol or HIPAA waiver appendix, and any non-PHI relevant to the research can be provided.
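The three non-identifiable tiers above describe a concrete transformation of a clinical extract: count it, strip it to the limited-dataset fields with ages 90 and over collapsed, or strip it of all PHI and any linking key. The following is an added example in Python, not code from this page or from OSUWMC, showing one way to produce each tier together with a release check that catches a leaked identifier or an ungrouped age. The records, the field names, the choice of which fields count as direct identifiers (the page refers to the HIPAA identifier list without reproducing it) and the honest-broker crosswalk workflow are all assumptions made for the example.

```python
"""Producing the aggregate, coded-limited and de-identified tiers from a constructed extract."""
import secrets
from collections import Counter

# Constructed sample records: every value here is invented for the example.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Patient One", "phone": "614-555-0101", "dob": "1930-01-15",
     "age_years": 94, "service_date": "2024-05-03", "diagnosis": "C34.1",
     "city": "Columbus", "state": "OH", "zip": "43210"},
    {"mrn": "MRN-0002", "name": "Patient Two", "phone": "614-555-0102", "dob": "1979-07-22",
     "age_years": 45, "service_date": "2024-06-11", "diagnosis": "C34.1",
     "city": "Dublin", "state": "OH", "zip": "43017"},
    {"mrn": "MRN-0003", "name": "Patient Three", "phone": "614-555-0103", "dob": "1933-11-02",
     "age_years": 90, "service_date": "2024-06-30", "diagnosis": "C50.9",
     "city": "Columbus", "state": "OH", "zip": "43201"},
]

# Assumption: an illustrative subset of direct identifiers, not the full HIPAA list.
DIRECT_IDENTIFIERS = {"mrn", "name", "phone", "dob"}
# Fields a coded-limited dataset may keep, as listed in section 1.
LIMITED_FIELDS = {"service_date", "diagnosis", "city", "state", "zip", "age_years"}
# Fields the de-identified tier keeps in this example (assumption: diagnosis code and
# state carry no identifying information; dates and smaller geographies are dropped).
DEIDENTIFIED_FIELDS = {"diagnosis", "state"}


def group_age(age_years):
    """Collapse 90 and over into one category, as section 1 requires."""
    return ">=90" if age_years >= 90 else str(age_years)


def aggregate(records, field):
    """Aggregate tier: counts per value of `field`, with ages grouped before counting."""
    values = (group_age(r["age_years"]) if field == "age_years" else r[field] for r in records)
    return dict(Counter(values))


def coded_limited(records):
    """Coded-limited tier: keep clinical dates, geography and grouped age, drop direct
    identifiers, and replace the MRN with a random study code. Returns (rows, crosswalk).
    The crosswalk is the only link back to the MRN; in this example's workflow it stays
    with the honest broker and is never shipped alongside the rows."""
    rows, crosswalk = [], {}
    for r in records:
        code = "SC-" + secrets.token_hex(4)  # random, so row order reveals nothing
        row = {k: r[k] for k in LIMITED_FIELDS}
        row["age_years"] = group_age(r["age_years"])
        row["study_code"] = code
        rows.append(row)
        crosswalk[code] = r["mrn"]
    return rows, crosswalk


def de_identified(records):
    """De-identified tier: no PHI and no linking key of any kind."""
    return [{**{k: r[k] for k in DEIDENTIFIED_FIELDS},
             "age_years": group_age(r["age_years"])} for r in records]


def check_release(rows, allowed_fields):
    """Pre-release check: only allowed fields present, no direct identifier, and no
    ungrouped age of 90 or more. Returns a list of problems; empty means clean."""
    problems = []
    for i, row in enumerate(rows):
        extra = set(row) - allowed_fields
        if extra:
            problems.append(f"row {i}: unexpected fields {sorted(extra)}")
        if set(row) & DIRECT_IDENTIFIERS:
            problems.append(f"row {i}: direct identifier present")
        age = row.get("age_years")
        if age is not None and age != ">=90" and int(age) >= 90:
            problems.append(f"row {i}: ungrouped age {age}")
    return problems


if __name__ == "__main__":
    print(aggregate(SAMPLE_RECORDS, "age_years"))
    rows, crosswalk = coded_limited(SAMPLE_RECORDS)
    print(check_release(rows, LIMITED_FIELDS | {"study_code"}))
    print(check_release(de_identified(SAMPLE_RECORDS), DEIDENTIFIED_FIELDS | {"age_years"}))
```

Running the check on every tier before it leaves the broker is the point of the example: a release that still carries an MRN, a phone number, or a raw age of 94 is caught by `check_release` rather than discovered downstream.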
2. Data Security Levels
All institutional data is assigned one of four classifications based on compliance, privacy, sensitivity, criticality, operational usage, and risk. Data element classification assignments, including their permitted use, are specified in the IDP Calculator.
| Data Level | Description |
|---|---|
| S1: Public | e.g., public-facing website |
| S2: Internal | e.g., planning documentation, roadmaps, etc. |
| S3: Private | e.g., FERPA student data, intellectual property, ethical considerations, etc. |
| S4: Restricted | e.g., HIPAA, PCI, GLBA, GDPR, ITAR, CUI, etc., or institutionally categorized as S4 |
3. Clinical Information Extraction/Abstraction for Research Use
OSUWMC Honest Broker Operations Committee (HBOC):
- Available data consists of clinical information from the (1) electronic medical record (“IHIS/EPIC”), (2) the James Cancer Registry, (3) Imaging Informatics, and (4) departmental treatment databases, such as those in Radiation Oncology and Pathology.
- Submit a research data request form.
OSUWMC Quality Committee:
- Procedural data requests that involve internal quality or operational improvements for the James and CCC are not considered research.
- Non-research data requests are submitted to the committee for review using a James data quality release form.
- Be sure to list Stephanie Cottrill (Stephanie.Cottrill@osumc.edu) as the CCC-James executive sponsor.
4. Data Retention and Storage
The Office of Technology and Digital Innovation (OSU-OTDI) lists university and government resources available for data management and storage best practices, records retention schedules (e.g., five years for research data), records destruction, database records, and public records requests.
University Libraries provides records management tip sheets and guidance documents to support data organization, file naming, security controls, and Microsoft 365 integration.
REDCap:
- The OSU Scarlet and Gray REDCap instances have not been validated for compliance with Title 21 Code of Federal Regulations Part 11 and may not be used for eConsent and/or electronic data capture in FDA-regulated research, or for any other research that requires validation for which REDCap at OSU has not been validated. Identifiable patient information should not be stored in REDCap.
5. Artificial Intelligence (AI)
Artificial Intelligence in Research Guidelines (OSU-ERIK)
- Guidance includes information on approved AI use, implications for research and academic misconduct, authorship and peer review, and navigating commercialization and copyrighted content.
- AI, ML, and predictive modeling may improve patient care when used appropriately, but they can also be harmful if implemented without due care. Appropriate implementation requires an interdisciplinary team and guidelines to ensure safe, high-quality care for our patients.
6. Patient/Participant Privacy
Understanding the HIPAA Privacy Rule (HHS):
- The standard protects individuals’ medical records and other PHI by regulating how covered entities, such as OSUWMC and CCC, can use and share that data. It also gives individuals rights over their health information, including the ability to access, correct, and control how it is disclosed.
Research Using Protected Health Information (OSU-ERIK):
- Review the list of HIPAA identifiers and determine the appropriate dataset type and HIPAA Research Authorization for the research.
Methods for De-identification of PHI (HHS):
- Guidance about the methods and approaches to achieve de-identification in accordance with the HIPAA Privacy Rule. It explains and answers questions regarding two methods that could be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor.
Secure Email (OSUSecure) (OSU-IT):
- Learn how to use Proofpoint Email Encryption when sharing patient information.
7. Traveling with Devices
OSU-OTDI has published information on traveling to international high-risk areas on the job aid website (after you authenticate, scroll down to "IT 10 Client-related risk" and click to expand that section). In general, investigators should contact their unit/college security coordinators to ensure that devices are ready for travel.