January 31, 2022
We recommend that projects do not collect unnecessary identifiable information. But when you must, you can use REDCap.
Why do I need to be concerned about protecting PHI in REDCap? Isn't it secured by Partners Research Computing?
Yes, REDCap is a secure application supported by Partners Research Computing, Enterprise Research Infrastructure & Services (ERIS). ERIS has all the necessary physical and operational securities in place to meet or exceed Federal and State security and privacy regulations for data transmission and storage using REDCap.
However, REDCap is a web-based application and each project is managed by YOU, the project user. This means your project data can be accessed by whichever users YOU grant access to, and only restricted from those YOU restrict. Your project is accessed via the internet, which means it can be reached from anywhere, including outside the Partners network.
These steps will allow YOU to collect PHI and Sensitive data securely:
1) NEVER SHARE YOUR PARTNERS / REDCap USERNAME and PASSWORD
REDCap users must NOT share or reveal their authentication methods to others. Sharing usernames and passwords means the authorized user assumes responsibility for actions that another party takes within REDCap. Providing IDs or passwords to unauthorized individuals is a BREACH OF CONFIDENTIALITY and is grounds for disciplinary action.
2) Access REDCap ONLY:
- on a secure network (e.g., the Partners intranet or password-protected wifi)
- from a Partners workstation or encrypted, Partners approved mobile device (laptop, iPad)
3) Grant access ONLY to staff, researchers, and external collaborators:
- who are trained in protecting PHI
CITI Training: https://www.citiprogram.org/hips.asp?language=english
NIH Security Training: http://irtsectraining.nih.gov/CSA/0100005.aspx
- who will access REDCap on secured networks and devices that comply with Partners standards
For more information on external collaborators, see Adding External Users to REDCap.
4) Flag PHI and Sensitive data fields as "Identifiers = Yes"
Run the "Check For Identifiers" module to review all your project variables.
5) Group all contact information required to engage the participant on a separate Data Collection Instrument.
Restrict access to this instrument under User Rights > Data Entry Rights.
Grant "NONE" access to ALL users except those who need this information to follow up with the participant, and then:
6) Grant "None" or "De-Identified" Export Access to project users. This ensures that PHI and sensitive data do not leave the secured REDCap database and are not "accidentally" downloaded to a non-secured device.
For more information, please access Partners HealthCare Information Security Policies.