Regulated research involves data, materials, or activities that require special legal, ethical, or contractual protections. These projects need additional oversight and controls over how the work is conducted and how its data are stored and shared.
In collaboration with Yale Information Security Office (ISO), we’ve compiled links to essential policies and security standards for regulated research at Yale to help you understand and meet your regulated research project requirements.
Data Classification at Yale
Yale’s Data Classification Policy groups data into three risk levels based on the data’s importance, sensitivity, and potential for misuse. Explore the expert guidance and policy requirements to ensure compliant transmission, storage, and processing of your data at its assigned level.
External Obligations
Your research data may be subject to external obligations, such as HIPAA, FERPA, or NIST SP 800-171. Identifying which obligations apply to your work early helps you select computing resources and security controls that already meet them, rather than retrofitting a project after data have been collected.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes rigorous standards for protecting Protected Health Information (PHI), including its electronic form, electronic Protected Health Information (ePHI). Human subjects research that uses medical records or other identifiable health data frequently falls under these standards.
NIST SP 800-171
NIST Special Publication 800-171 is a federal security standard that establishes requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Researchers whose awards, contracts, or data use agreements involve CUI must ensure their computing environments implement these security controls before the data are received.
National Institutes of Health’s Controlled Data Regulations
The National Institutes of Health (NIH) sets security and operational standards for NIH controlled-access data and repositories and provides best practices for users to follow. Visit the NIH website for a reference table listing NIH Controlled-Access Data Repositories (CADRs) to help you determine the compliance requirements that apply to your data.