Projects in the Protected Environment

If your data are deidentified and not subject to regulation or contract, there is no requirement to use the Protected Environment or other secure computing environments, unless specified in a data use agreement or similar document. For more information on what information is protected, please see a summary of the HIPAA Security Rule.

It may be that your project needs can be served by using the REDCap (Research Electronic Data Capture) tool. REDCap can be used to create web-accessible forms, a secure database with continuous auditing, and a flexible reporting system. More information can be found on the REDCap training page. To determine whether the REDCap tool fits with your project, please contact REDCap Support or see ServiceNow - Survey Tools for more information.

The University of Utah instance of Box, https://box.utah.edu, can be used to store PHI (according to the Acceptable Use Policy, visible on the aforementioned page). To use the Box instance for PHI, users need to create a specific University of Utah Box account. Personal accounts cannot be used. If you only need a storage space (for a volume of data below the limit on Box) for your project, you likely do not need PE resources. If you need to store and process data (HTC, HPC, SQL, etc.) or use SAS/STATA and other applications, your project's needs are likely better served via the CHPC's PE.

Depending upon the scope of the project, an Inherent Risk Survey may need to be done by the Information Security Office (ISO) Governance, Risk & Compliance (GRC) group. For more information, please see Policy 4-004. If necessary, a risk assessment and mitigation plan must be approved by the Information Security Office. In addition, a satisfactory scan report must be completed. For more information about the process, contact this group via iso-grc@utah.edu.

If there is any information sharing with third parties, an information sharing assessment form (ISAF) needs to be initiated with the Privacy Office to determine whether a Business Associate Agreement needs to be put into place. The ISAF must be completely filled out by the requesting department and returned for evaluation to determine the need for a Business Associate Agreement or other agreement to protect the information being shared. The ISAF form can be found on the Business Associates page. Please refer to the university's Privacy Office for details and help (and keep the CHPC informed). Please be sure to send the CHPC any existing contracts or BAAs you may have with third parties.

If there are or will be any accounts provided for people outside the University of Utah (e.g., researchers from another institution), a University of Utah Non-Employee Confidentiality and Security Agreement must be signed and sent to the CHPC for our records. Please contact us if you have any questions about this form and when it is needed.

If the new project needs additional storage, you may purchase additional project space. See the PE storage page for details about storage options and prices.

Virtual machines provide specialized environments when the HPC cluster and Windows server do not address your project's needs.

If the project requires a new VM to be provisioned, you will be notified when this is complete. If you have not yet discussed the VM requirements with CHPC, we will reach out to confirm these. We may schedule a call or meeting with you. Any PE virtual machine requests must come from the PI (or co-PI); see 1.4.2 Virtual Machine Allocation Policy. For VM block sizes and costs, please refer to the VM documentation page.

For information about allocations on the redwood cluster, please see the allocation documentation. Allocations are requested through a separate form and are not a part of the Needs Assessment. Requests can be made by the PI of the project or his/her delegate, provided the delegate also has a PE account.

As in our General Environment, users in groups without allocation can run in the freecycle mode on general nodes or as guest on the owner nodes, subject to preemption by jobs with allocation or owner jobs, respectively.

Research groups can purchase compute nodes that are added to a CHPC-operated cluster. Researchers from the research group that owns a node have priority access to the node. If you are interested, please contact us; we can provide quotes for nodes. Nodes may be purchased by contacting the CHPC directly; this is not a part of the Needs Assessment.

If the project you would like to access does not yet exist in the PE, please see the section on setting up a project.

When you request access to a project in the PE, you'll need to know the details of the project, including the number or name of the project (typically the IRB record number, if applicable) and the name of the Principal Investigator. Your name must appear on relevant IRB or RGE records.

After your PE Request is reviewed, you will receive an email invitation to participate in training. Please note that you must complete the training even if you have already completed the University of Utah HIPAA training. While we understand that this will be a duplication of training for a number of our PE users, the training does not take long and can be completed in 10–15 minutes. This training will need to be renewed each year; we will send out an announcement when it is time to renew your training.

Duo is an additional authentication step for additional security. If you don't already use Duo, you will need to visit the Duo management page and register your device to the campus two-factor authentication service. Afterward, please notify the CHPC that you've completed the Duo registration; we will associate your Duo account with the proper CHPC PE group. We will notify you when this is complete.