REDCap, Send Secure and the IS Email Security Policy

Emailing via REDCap is equivalent to sending an email from Outlook. It comes from your project/study designated email, goes through the Partners mail server, and is delivered as a standard email WITHOUT encryption.

When sending PHI via REDCap emails, you must secure the content. These are your options:

For any of these options, you MUST remove all medical content, diagnoses, study descriptors, medical questions, or any other PHI from the email SUBJECT.

1) Use SEND SECURE: Please note that SEND SECURE makes the user click on a link and register an account to access the email body/text. The account initiation can deter participants from accessing and reading the email. See this article on the user experience: HOW TO OPEN A SEND SECURE EMAIL

2) Use REDCap Survey Login feature: Remove all medical content, diagnoses, study descriptors, medical questions, or any other PHI from the REDCap survey invite and reminder email subject and email body/text. Move all this information into the REDCap survey. The subject will need to authenticate (log in) to the survey before they can view and complete the survey. The respondent will log in to the survey by entering one or more known values for fields in the project (up to three) - e.g., last name, date of birth. These values must already be saved in the respondent's record in the project. Those values may have been entered or uploaded by a project user/admin or may have been entered on a previous survey by the respondents themselves.

3) Document Participant Encrypted Email Opt-Out: Study participants consent/agree to receive study-related information via unencrypted emails (REDCap survey invites/reminders).

 
All text of outreach to subjects for clinical research, including emails, must be reviewed and approved by the IRB.

Contact EDC Support for questions about REDCap. 

Policy / References

PHRC IRB FAQ's about communication with research subjects

How do I get and document someone’s agreement to communicate by non-secure email?
Individuals may read or have read to them the following information, and then can agree by signing or verbally acknowledging that they agree to receive un-secured email. Researchers are required to document this agreement, including the date of the agreement, by noting it in research records, or retaining the participant’s signature.

Required Warning Language: Before sending or responding to an unencrypted email message to an individual, the individual must acknowledge understanding of, and agreement to accept the risks as communicated to them via the following language (this language must be copied into an email response to an individual, or may be read over the phone to the individual, or an individual could agree by reading this in person and signing this or simply agreeing verbally):

“The Mass General Brigham standard is to send email securely. This requires you to initially set up and activate an account with a password. You can then use the password to access secure emails sent to you from Mass General Brigham. If you prefer, we can send you “unencrypted” email that is not secure and could result in the unauthorized use or disclosure of your information. If you want to receive communications by unencrypted email despite these risks, Mass General Brigham will not be held responsible. Your preference to receive unencrypted email will apply to emails sent from this research group/study only.”

Partners IS Email Security Policy

Exception: Due to state law, email containing patient last and first name or initial, in combination with any of the following identifiers must always be encrypted (workforce must not send unencrypted email if it includes these data elements):

A.  Social Security Number

B.  Driver's license number or state-issued identification card number

C.  Financial account number, credit or debit card number

