Laws & Regulations

ResearchVault is designed to be a compliant environment in which authenticated and authorized researchers can work on restricted data. Note that additional training beyond the technical training to use ResearchVault may be needed.  Additional approvals may also be required before data is released to you, such as IRB approval.

The definition and policies and procedures regarding restricted data can be found in the “Privacy Policy Manual” at under Policies & Procedures.

Regulations and laws that pertain to restricted data

  • ePHI (electronic protected health information) is regulated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, with additional regulation by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  • The Family Educational Rights and Privacy Act (FERPA) of 1974 protects data about students, including grades
  • Social security numbers (SSN) are restricted data
  • Some intellectual property (IP) rights on information, software, papers or reports need to be protected, e.g. to preserve the ability to file a patent.
  • International Traffic in Arms Regulations (ITAR) specifies that certain types of information, including software and result files, cannot be exported to certain countries. Showing such information to a citizen of a foreign country is considered export.
  • The Federal Information Security Management Act (FISMA) of 2002 describes how information systems must be managed to ensure confidentiality, integrity, and availability (CIA) of data.

Initially, ResearchVault will be approved for:

  • ePHI
  • SSN
  • IP

In the near future, ResearchVault will be approved for ITAR projects.

The University of Florida has a FISMA “moderate” system for research projects that require it. ResearchVault will be certified for projects that require a FISMA “low” rating.