IRB Security Review

Please be aware we have updated the IRB Security Review form on 07/30/24. Updated guidance is found below.

In the IRB Security Review process, our team works with research coordinators to evaluate security risks involved in the research process. With a particular eye toward securing personally identifiable information (PII) and protected health information (PHI), we’ll assess the suitability of selected tools and services, as well as the security of proposed data flows. This process empowers our researchers to make better security decisions for protecting the privacy of their participants and securing data throughout the research process.

To begin an IRB Security Review, users need to complete a form in OneTrust.

Guidance

  • Please be prepared to upload a copy of the proposed data flow, the research protocol, and consent/assent forms.
  • When the review is complete, the OIS reviewer will send the requestor a copy of the security assessment report. The report will be sent as an attachment to the requestor’s WashU email address.

Creating a New Form

  1. From the Forms page on the OIS website, click “IRB Security Review.”
  2. Enter your WUSTL email address in the OneTrust login page. If you aren’t already logged in with DUO, you will be prompted to complete our WashU 2FA process.
  3. From the Self-Service Assessment main page, click “Launch” under IRB Security Review.
  4. Enter a name for your Assessment. Please use the following format: “IRB-department name your last name.”
  5. In the sidebar to the left, please click on the questions for IRB review.

Form Questions

1.1 – Enter the contact name for the project.

1.2 – Enter the contact email for the project.

1.3 – Enter the project name and the IRB project number.

1.4 – Enter the name of the HRPO representative.

1.5 – Please submit the protocol, consent/assent forms, and any other supporting documents for this project by clicking on the paperclip icon below. An attachment is required.

1.6 – Provide a short summary of the purpose of the technology and how it pertains to the study. For example, explain why HRPO routed you to the Office of Information Security. Please do not copy from the protocol.

1.7 – Will this project collect protected health information (PHI) or personally identifiable information (PII)? Please select “yes” or “no”.

If you answered “yes” to question 1.7, please answer questions 1.8-1.15.

1.8 – Identify all specific PHI and/or PII elements that will be collected, stored, or transmitted.

1.9 – Using the same list from above, identify all PHI and/or PII that will be shared with the vendor or sponsor.

1.10 – Identify how the PHI data will be transmitted in the textbox below.

1.11 – Identify where the PHI and/or PII will be created, stored, or transmitted. For example, network share, workstation, laptop, USB, or external site. Please provide product and vendor names in the text box.

1.12 – If you are using a vendor, please indicate whether WashU has a Business Associate Agreement (BAA) with the vendor. Please select “yes” or “no.” For more information about BAAs, please visit the HIPAA Privacy Office BAA page.

1.13 – Please attach a flow chart that covers how data goes to and from the vendor, as well as where the data rests. An attachment is required.

1.14 – If the data is de-identified, describe the process to de-identify the data. Is this process manual or automated with software?

1.15 – Will there be any affiliated hospital systems (BJC) devices, data, equipment, or workforce members involved in this project? Please select “yes” or “no”.

If you answered “yes” to question 1.15, please answer questions 1.16-1.17.

1.16 – Please explain which affiliated hospital system (BJC) devices will be used in the text box.

1.17 – Have you consulted with our affiliated hospital system (BJC) on the study? Please select “yes” or “no”.

1.18 – Will this project utilize AI (artificial intelligence)? Please select “yes” or “no”.

1.20 – Will the research information be stored on a WashU supported device? Please select “yes” or “no”.

1.21 – Will there be any reports delivered on this project, for example, sending things to sponsors, coordinating sites, etc.? Please select “yes” or “no”.

If you answered “yes” to question 1.21, please answer question 1.22.

1.22 – How will the report be delivered to the outside entity? Please select all that apply and justify your response in the text box below.

1.23 – Are you using social media for outreach? Please select “yes” or “no”.

If you answered “yes” to question 1.23, please answer question 1.24.

1.24 – How do you address social media outreach in your informed consent? Please type your answer in the text box below.

1.25 – Is the data you are capturing de-identified? If the data you are capturing contains PHI/PII, then it is considered an identified data set. Please select “yes” or “no”.

1.26 – Is this a multi-center study? Please select “yes” or “no”.

If you answered “yes” to question 1.26, please answer questions 1.27-1.28.

1.27 – Is WashU the coordination location for the data? Please select “yes” or “no”.

1.28 – What type of data will be hosted by the data coordinating site? For example, identifiable, limited-set, or de-identified. Please answer in the text box below.

1.29 – Will a survey be used in the study? Please select “yes” or “no”.

If you answered “yes” to question 1.29, please answer questions 1.30-1.31.

1.30 – Please provide a copy of the survey as we would like to see all questions being asked to participants. An attachment is required.

1.31 – Who will host the survey and where will the data be stored? Please choose from the list or use the justification box to list another option.

1.32 – Will a mobile app be used? Please select “yes” or “no”.

If you answered “yes” to question 1.32, please answer questions 1.33-1.34.

1.33 – How long is the data stored on the local device? For example, does the data immediately get moved from the device to a backend database, or does it sit on the device for any length of time?

1.34 – Is geolocation tracked for the participants? If so, please explain why this is needed in the text box.

1.35 – Will the study capture audio and/or video recordings? Please select “yes” or “no”.

If you answered “yes” to question 1.35, please answer questions 1.36-1.41.

1.36 – If audio and/or video recordings will be captured, please choose between audio, video, or both.

1.37 – How will the session/interview be recorded? Please describe in the text box below.

1.38 – How will the device used to record the session be secured?

1.39 – Where will the recording be stored? Please describe in the text box below.

1.40 – How will the recording be transmitted? For example, over the internet, SMS or another method.

1.41 – How will the recording be secured? Please describe in the text box below.

1.42 – Will you be using transcription services? Please select “yes” or “no”.

If you answered “yes” to question 1.42, please answer question 1.43.

1.43 – What transcription service were you planning to use? Please describe in the text box below.

Once you have answered all required questions, the “Submit” button will become available. Click it to submit your form or click “Save and Exit” to come back later.