October 18, 2022
Is REDCap HIPAA compliant? Can it store PHI and Confidential Information?
Yes. REDCap is validated by the RISC REDCap Support team to ensure it meets HIPAA requirements. REDCap is also assessed by the Mass General Brigham Information Security Risk Assessment Team to ensure compliance with all Mass General Brigham policies.
Is REDCap 21 CFR Part 11 compliant?
REDCap has the technical features necessary to serve as the database component of a 21 CFR Part 11 compliant study. However, a project in REDCap must also have policies, procedures, training, validation and documentation that meet the requirements of Part 11 and the predicate rules of the underlying legislation. An FDA auditor will review all project documentation to determine AT THE PROJECT LEVEL whether a study is compliant.
RISC REDCap Support can supplement some validation documentation. The majority of the documentation, training, policies, and project validations are the responsibility of the research investigator.
For more information see articles:
What documentation do I need for my REDCap PROJECT to be 21 CFR Part 11 compliant?
Each project team that wants to use REDCap in compliance with 21 CFR Part 11 is responsible for validating its use of REDCap for its specific project workflows. At minimum, this validation consists of documenting the Validation Plan, Project Requirements, Project Test Plan and Project Tests. For example:
Project Validation Plan:
Mass General Brigham plans for two major upgrades per year (LTS), with minor upgrades as needed to address security issues and critical bugs. Study teams receive notification prior to the upgrades, with detailed release notes. If an update impacts project workflows, the affected workflows should be identified and retested within a designated time frame (1-2 days / weeks from the release date). If an update does not impact project workflows or data collection, the full test suite does not need to be repeated.
This could be implemented and documented with something as simple as a checklist: Reviewed Release Notes; Impacts Project OR Does NOT Impact Project.
If there are new features that the project would like to incorporate, the study team should evaluate them, add them to the Project Requirements, and initiate a new Project Validation Plan and Project Tests. The same is advised for any change to the project that the study team initiates.
Project Requirements:
- Questionnaires / Instruments Specification - defines the questions and data to be collected, including branching logic, required fields, field validations, and min/max values
- Project Settings - longitudinal mode, surveys, repeating forms/events enabled or disabled
- Modules / Custom Features - list all features and modules that will be used, e.g. reports, data quality rules
- Integration - document whether REDCap is part of a larger workflow, and the system infrastructure involved
Based on the Validation Plan and the Project Requirements, Project Tests can be developed to ensure that all required features and functionality work appropriately. Templates:
- REDCap Project Specifications
- REDCap Project Specification Screenshots
- REDCap Instrument Change History
- Data Quality Rule Test Scripts
- REDCap Project Test Plan
What if a Sponsor asks about REDCap's 21 CFR Part 11 compliance?
If your study is at low risk for an FDA audit (some Phase I and II trials) or is collecting all source documentation on paper, REDCap may be an acceptable solution. If you are working with a sponsor, you should seek written approval before using REDCap. Some sponsors, specifically industry sponsors, require that all systems be proven Part 11 compliant, and REDCap is currently not proven compliant.
Language to include for written approval:
"REDCap (Research Electronic Data Capture) is a web-based application hosted by Mass General Brigham (MGB) Research Information Science & Computing (RISC). Vanderbilt University, with collaboration from a consortium of academic and non-profit institutional partners, develops this software application for electronic collection and management of research and clinical study data. The REDCap Consortium is composed of thousands of active institutional partners in over one hundred countries who utilize and support REDCap in various ways.
As validated by Mass General Brigham (MGB), RISC, and supported by Mass General Brigham Policies, MGB REDCap has the technical controls necessary to collect data for 21 CFR Part 11 compliant studies. The additional testing/validation of REDCap for specific study workflows and data collection, documentation, training, and policies are the responsibility of the research investigator."
Language for MGB REDCap eConsent Projects: "Mass General Brigham (MGB) has developed a REDCap eConsent Framework that turns the paper-based participant consenting processes into an electronic consent process. Mass General Brigham has validated the MGB REDCap eConsent Framework with respect to appropriate areas of compliance with internal requirements, health authority expectations and other regulatory requirements, including FDA 21 CFR Part 11. The final validation package consists of approved and executed validation plan, requirements, testing documentation and validation summary. These are confidential institutional documents and can be provided to external vendors, sponsors and auditors once proper agreements are in place."
To access MGB REDCap eConsent Framework Validation Documentation, navigate to (MGB login required):
MGB REDCap Resource Center > Regulatory and Security Info
When will REDCap be "certified" 21 CFR Part 11 compliant?
The FDA does not provide an overarching determination of compliance. Even after a successful FDA audit of a study using REDCap, the result only implies that, for that specific study, REDCap was used in compliance with 21 CFR Part 11.