Research Compliance

Overview:


Regardless of where or in what form (paper, electronic or otherwise) research data is stored, researchers are responsible for ensuring it is properly protected. For the most part, this means using BU-managed computers and the services reviewed by BU Information Security that are listed on this webpage.

But a good security program requires more than InfoSec – it requires everyone to participate. Most importantly, the PI or department administrator must remove researchers and staff from apps – such as SharePoint and REDCap – when they leave BU or the research project.

Likewise, the PI or department administrator must remove researchers and staff from the BU Restricted Use network drive (aka the BUMC Y Drive) when they leave the research project, by sending an email to bumchelp@bu.edu. We also recommend that you periodically, ideally quarterly but at least annually, email bumchelp@bu.edu to request a list of who has access to your Y Drive folders, and remove anyone who no longer needs it.

BU reviewed and cleared Storage Options:

BU reviewed and cleared Server Option:

    BU reviewed and cleared Apps:

    BU REDCap

    • HIPAA compliant for both BU and BMC.
    • Robust and powerful survey tool.
    • Can be used to send videos and brief messages to research subjects via email.
    • For an additional cost, Twilio can be used to send surveys and messages by text message (SMS) or voice call.
    • Twilio delivery methods:
      • ALLOWED
        • Initiate survey as voice call
        • Send survey invitation with survey link via SMS
        • Send survey invitation via SMS to take survey as voice call (respondent makes call)
      • NOT ALLOWED
        • Initiate survey as SMS conversation
    • Surveys can range from a single question to extremely advanced designs.
    • You can also schedule reminders for surveys.
    • Has built-in scheduling module and project calendar.
    • You can access more information about the application at:

    BU Office 365

    • HIPAA compliant for BU
    • Can be used to share larger files with BU and non-BU collaborators.
    • We recommend that:
      • Research teams use SharePoint sites that can have multiple subsites.
      • Individual team members use OneDrive to share files and folders, even with non-BU collaborators.
    • Office 365 provides the following HIPAA compliant services:
      • OneDrive, SharePoint, Teams, Power Apps, Power BI, Access Online, Bookings, Dynamics, Flow, Forms, Graph, Intune, MyAnalytics, Office Delve, Office Online, Planner, Project Online, StaffHub, Stream, Sway, To-Do for Web, Video, Whiteboard, Yammer
    • NOTE: This is a BU managed service provided by Microsoft.
    • You can access more information about the application at:

    BU Teams

    • HIPAA compliant for BU
    • Can be used for communication with research subjects.
    • A link can be sent to any email address.
      • Does not have to be a BU email.
    • NOTE: This is a BU managed service provided by Microsoft.
    • You can access more information about the application at:

    BU Zoom

    • Can be used for collaboration and meetings.
    • There are two types of accounts:
      • Standard – cannot be used by BU HIPAA Components.
      • HIPAA – recording and data transfer are disabled (HIPAA compliant for BU).
    • NOTE: This is a BU managed service provided by Zoom.
    • You can access more information on the application at:

    BU Data Motion

    • HIPAA compliant for BU
    • Secures emails containing Restricted Use data.
    • There is a default limit on the amount of data that can be sent per message; you can ask to have it raised to 100 MB.
    • NOTE: This is a BU managed service provided by Data Motion.
    • You can access more information on the application at:

    BU Qualtrics

    • HIPAA compliant for BU
    • Simple survey tool for research and general purposes
    • NOTE: This is a BU managed service provided by Qualtrics
    • You can access more information about the application at:

    BU Freezer Pro

    • HIPAA compliant for BU
    • Sample management tool for research purposes
    • You can access more information about the application at:

    BU OnBase

    • HIPAA compliant for BU
    • OnBase is a full featured, fully integrated enterprise document management system for capturing, imaging, routing, managing, sharing, and archiving documents online.
    • NOTE: This is a BU managed service provided by OnBase.
    • You can access more information about the application at:

    BU GoReact

    • HIPAA compliant for BU
    • Platform for recording and commenting on videos
    • NOTE: This is a BU managed service provided by GoReact.
    • Contact ithelp@bu.edu to be given access through Blackboard.

    BU Code42 Backup Service (formerly Known As Crashplan)

    BU FileMaker

    Apps not managed by BU:

    Since these apps are not managed by BU, the PI or department administrator must remove or disable accounts as soon as they are no longer required. Please also encourage staff to use strong passwords and two-factor authentication, even where the app does not require them.

    Asana

    • Cannot be used by BU HIPAA Components
    • Can be used for project management.
    • Cannot be used for Restricted Use data (Confidential data only).

    Agile

    • Cannot be used by BU HIPAA Components
    • Can be used for patient or research subject communication, usually for health reminders.
    • A coordinator must be appointed to complete quarterly access audits.

    Monday

    • Cannot be used by BU HIPAA Components
    • Can be used for team management and research subject communications.
    • If patient-identifying information (e.g., email address, postal address) is entered into Monday, users must use strong passwords and two-factor authentication.

    Seqster

    • Can be used to collect a patient's medical records from multiple sources (e.g., BMC or Partners Healthcare).
    • Allows the research subject to share all of their records with the research project.
    • Can also be used in place of HIPAA authorization forms.

    Sfax by Scrypt

    • HIPAA compliant for BU
    • Electronic faxing service

    Wellpepper

    • Cannot be used by BU HIPAA Components
    • It is an exercise tracker to engage and connect with patients and research subjects.
    • It can be used for Restricted Use data if passwords are changed every 3 months.

    Washington University in St. Louis REDCap

    • Cannot be used by BU HIPAA Components
    • Use of this instance and collaboration with other researchers must be approved by the Institutional Review Board.
    • It has the same features as the BU REDCap.

      Services not managed by BU:

      Daily Transcription

      • HIPAA compliant for BU
      • Transcription services

      Interpreters and Translators

      • HIPAA compliant for BU
      • Interpretation, Translation and Transcription services

      Rev Transcription

      • Cannot be used by BU HIPAA Components
      • Transcription services

      GMR Transcription

      • Cannot be used by BU HIPAA Components
      • Transcription services


      Consulting Services:

      In addition to security reviews, we offer consultation on security-related questions. To engage us, contact us here.