Using RHI Data

Research Health Information (RHI) is any individually identifiable information obtained or generated through research activities exclusively for research purposes, and is an important element in many research projects at The Ohio State University. Due to the personal and sensitive nature of RHI, researchers have a duty to protect it and make every effort to gather, store, use and dispose of this information as securely as possible. The Digital Security and Trust (DST) team within the Office of Technology and Digital Innovation is committed to helping researchers securely handle RHI so they can more effectively focus their research.

If you need help or have questions about RHI data, please reach out to us at

Security Plans 

A security plan is designed to keep your data safe from unintentional destruction or disclosure, ensuring the resiliency of your study so it can progress. An RHI security plan is generally focused on answering these questions:  

  1. Where is the data coming from?  

  1. Where will the data be stored?  

  1. Who needs access to the data?  

  1. Are there individuals external to OSU?  

  1. Do individuals with access to the data need to be able to modify the data? Or do they only need to be able to see the data?  

  1. What is the plan for disposing of the data when it is no longer needed?  

  1. Is there an application needed to ingest the data?  

These questions need to be answered and understood by both the researcher(s) and IT staff supporting the researcher(s). Depending on the study, there may be additional questions to answer or additional details to account for. It is imperative that a security plan is agreed upon with your unit IT staff and the owner data owner.  

The DST team is available to assist in the generation of your security plan and answer any questions.  

Data Storage

RHI data is classified as S4 (Restricted) according to Ohio State's Institutional Data Policy (IDP). This means that a considerable amount of care needs to be taken with the data, but fortunately there are multiple options available. 

Cloud Storage: Microsoft 365, Microsoft Azure and Amazon Web Services (AWS) are all cloud services approved for S4 data storage.  

  • If you wish to use a cloud service not listed above, it must undergo a risk assessment before being implemented.
  • OTDI maintains a Cloud Services Registry with detailed information on using AWS and Microsoft Azure applications and the level of data they are approved for. 
  • OTDI also maintains a Cloud Assessment Registry for all third-party cloud services that have gone through the university risk assessment.  

Equipment/Non-Cloud Storage: Your unit’s IT staff must be consulted to ensure any equipment or non-cloud storage is available and configured to S4 standards before being used for the research project.  

DST is available to assist in facilitating these discussions.   

Risk Assessments

If a cloud application is to be used to interact with the data in any way, and this application has not already been assessed, then it must be submitted for a risk assessment. More details about this process are available on Cybersecurity's risk assessment webpage.

See "Data Storage" above for more information about already approved cloud resources.

Data Sharing 

When transferring RHI data, IT staff should always be involved to ensure safe handling of the data. If the recipient and transfer process were not already established in a security plan and you are unsure of whom to contact, please email and we will work to get you in touch with the proper staff. 

Disposal of Data

To ensure proper disposal of your RHI data, please consult with your unit IT staff or email for assistance.