NIH Data Sharing Plan Guide: Considerations in Data Sharing

Resources: How to Share Sensitive Data

Issues to Consider When Sharing Your Data

In order to ensure that you share your data in an ethical manner, you should:

Sensitive Data and Disclosure Risk

Sensitive data is data that can be used to identify an individual, species, object, or location that introduces a risk of discrimination, harm, or unwanted attention. Major categories of sensitive data are:

  • Human health and personal data, including information about secret or sacred practices; or
  • Ecological data that may place vulnerable species at risk.

Disclosure risk means that a data record from a study could be linked to a specific person or organization, thereby revealing information that otherwise would not be known or known with as much certainty. Concerns about disclosure risks have grown as more datasets have become available online.


Identifiers that could disclose research subjects' confidentiality:

  • Names
  • Addresses, including ZIP and other postal codes
  • Telephone numbers, including area codes
  • Social Security numbers
  • Other linkable numbers such as driver's license numbers, certification numbers, etc.
  • Detailed geographic information (e.g., state, county, province, or census tract of residence)
  • Organizations to which the respondent belongs
  • Educational institutions (from which the respondent graduated and year of graduation)
  • Detailed occupational titles
  • Place where respondent grew up
  • Exact dates of events (birth, death, marriage, divorce)
  • Detailed income
  • Offices or posts held by respondent

HIPAA Regulations and Protected Heath Information (PHI)

Researchers are able to conduct research using patient PHI (protected health information) for research under the following conditions:

  • IRB approval for project & data
  • Patient gives his or her permission to use certain data
  • IRB approved HIPAA Waiver of Authorization required
  • Minimum necessary only
  • De-identify to extent possible (stripped of all direct & indirect identifiers)
  • Research justification for PHI
  • Data Use Agreement (DUA) is in place (note: DUA is the research team’s assurance that it will use HIPAA compliant privacy and security measures to protect data)
  • Data Management/Sharing Plan is in place identifying how the study team will address data privacy & security protections through life cycle of project.

If your research project requires HIPAA compliance, here are steps that you want to consider during the research lifecy

Before Your Project Begins

  • Know data elements
  • Know data source (incoming/outgoing)
  • Follow minimum necessary principles
  • Define user roles
  • Understand privacy & security requirements
  • Store data in a HIPAA compliant environment
  • Engage your institution (e.g. library data services, campus IT services, etc.) early in the discussions
  • Budget for privacy & security costs through data lifecycle
  • Obtain data use agreement (DUA)
  • Understand your institution is the data owner

During Your Project

  • Know who has your data at all times
  • Monitor data security environment periodically
  • Monitor & track PHI use
  • Account for all PHI disclosures (applies if PHI obtained via a HIPAA Waiver)
  • Amend IRB application EARLY when investigators plan to leave the project or the institution
  • Obtain signed DUA from external collaborators’ institution
  • Retrieve data from departing investigators
  • Report suspected security & privacy concerns to the Virginia Tech IRB

After Your Project Ends

  • Minimize improper disclosures – secure data throughout storage period
  • Destroy data if it is no longer needed
  • If data was shared externally, obtain certification of external collaborators data destruction
  • Engage campus IT services and/or University Libraries for long-term data storage options – Budgets should include cost for long-term storage and security