Is REDCap HIPAA compliant? Can it store PHI and Confidential Information?
Yes, REDCap is validated by the ERIS / EDC Support team to ensure it meets HIPAA compliance requirements. REDCap is also assessed by the Partners Information Security Risk Assessment Team to ensure compliance with all Partners HealthCare policies.
Is REDCap 21 CFR Part 11 compliant?
REDCap has the features necessary to serve as the database component of a 21 CFR Part 11 compliant study. However, a project in REDCap must have policies, procedures, training, validation and documentation meeting the requirements of Part 11 and the predicate rules for the underlying legislation. An FDA auditor will review all project documentation to determine AT THE PROJECT LEVEL if a study is compliant.
The goal of the REDCap Consortium's Part 11 Compliant Project is to develop a REDCap “Compatibility” Module and help create supporting documentation and templates. At best, the REDCap software can offer an application that meets the technical requirements of a compliant system. The ERIS team / EDC Support can supplement some validation documentation. The majority of the documentation, training, policies, and project validations are the responsibility of the research investigator.
For more information, see these articles:
- What is 21 CFR Part 11?
- 21 CFR Part 11: SDLC and Systems Validation
- ERIS Approach to 21 CFR Part 11 Systems Validation
Can I use REDCap for studies requiring 21 CFR Part 11 compliance?
If your study is at low risk for an FDA audit (some Phase I and II trials) or is collecting all source documentation on paper, REDCap may be an acceptable solution. If you're working with a sponsor, you should seek written approval before using REDCap. Some sponsors, specifically industry sponsors, require that all systems be proven Part 11 compliant, and REDCap is currently not proven compliant.
Language to include for written approval:
"REDCap (Research Electronic Data Capture) is a web-based application hosted by Partners HealthCare Research Computing, Enterprise Research Infrastructure & Services (ERIS). Vanderbilt University, with collaboration from a consortium of academic and non-profit institutional partners, develops this software application for electronic collection and management of research and clinical study data.
The REDCap Consortium is composed of thousands of active institutional partners in over one hundred countries who utilize and support REDCap in various ways. The REDCap Consortium's Part 11 Compliant Project's goal is to develop and maintain documentation and system features to ensure regulatory compliance. The FDA does not provide an overarching determination of compliance for any application. Only after a successful FDA audit of a study using REDCap, will it imply that REDCap can be used in compliance with 21 CFR Part 11. This has yet to happen across the REDCap Consortium or here at Partners HealthCare. As validated by Partners HealthCare, ERIS, and supported by Partners HealthCare Policies, REDCap has the controls necessary to collect data for 21 CFR Part 11 compliant studies. ERIS EDC Support will supply the required software validation documentation in cases of an FDA audit. The additional testing/validation of REDCap for specific study workflows and data collection, documentation, training, and policies are the responsibility of the research investigator."
When will REDCap be 21 CFR Part 11 compliant?
The FDA does not provide an overarching determination of compliance. Even after a successful FDA audit of a study using REDCap, it will only imply that for that specific study, REDCap was used in compliance with 21 CFR Part 11. This has yet to happen across the REDCap Consortium or here at Partners HealthCare.