Is REDCap HIPAA compliant? Can it store PHI and Confidential Information?
Yes, REDCap is validated by the ERIS / EDC Support team to ensure that it is HIPAA compliant. REDCap is also assessed by the Partners Information Security Risk Assessment Team to ensure compliance with all Partners HealthCare policies.
Is REDCap 21 CFR Part 11 compliant?
REDCap has the technical features necessary to serve as the database component of a 21 CFR Part 11 compliant study. However, a project in REDCap must have policies, procedures, training, validation and documentation meeting the requirements of Part 11 and the predicate rules for the underlying legislation. An FDA auditor will review all project documentation to determine AT THE PROJECT LEVEL if a study is compliant.
The ERIS team / EDC Support can supplement some validation documentation. The majority of the documentation, training, policies, and project validations are the responsibility of the research investigator.
For more information, see these articles:
- What is 21 CFR Part 11?
- 21 CFR Part 11: SDLC and Systems Validation
- ERIS Approach to 21 CFR Part 11 Systems Validation
What documentation do I need for my REDCap PROJECT to be 21 CFR Part 11 compliant?
Each project that would like to use REDCap in compliance with 21 CFR Part 11 is responsible for validating its use of REDCap for its specific project workflows. This validation would consist of documenting, at minimum, the project's Validation Plan, Project Requirements, Project Test Plan and Project Tests. For example:
Project Validation Plan:
Partners HealthCare plans for two major upgrades per year (LTS) with minor upgrades as needed to address security issues and critical bugs. Study teams receive notification prior to the upgrades with detailed release notes. If the updates impact project workflows, they should be identified and retested within a designated time frame (1-2 days / weeks from release date). If updates do not impact project workflows or data collection, full test suites do not need to be completed.
This could be implemented/documented with something as easy as a checklist: Reviewed Release Notes; Impacts Project OR Does NOT Impact Project
If there are new features that the project would like to incorporate, the study team should evaluate them, add them to the Project Requirements, and initiate a new Project Validation Plan and Project Tests. This is also advised for any changes to the project that the study team initiates.
Project Requirements:
- Questionnaires / Instruments Specification - defines the questions and data to be collected, includes branching logic, required fields, field validations, min/max
- Project Settings - longitudinal, surveys, repeating forms/events enabled/disabled
- Modules / Custom Features - list all features and modules that will be used: reports, data quality
- Integration - document if REDCap is part of a bigger workflow; system infrastructure
Based on the Validation Plan and the Project Requirements, Project Tests can be developed to ensure that all required features and functionality work appropriately.
What if a Sponsor asks about REDCap's 21 CFR Part 11 compliance?
If your study is at low risk for an FDA audit (some Phase I and II trials) or is collecting all source documentation on paper, REDCap may be an acceptable solution. If you're working with a sponsor, you should seek written approval before using REDCap. Some sponsors, specifically industry sponsors, require that all systems be proven Part 11 compliant, and REDCap is currently not proven compliant.
Language to include for written approval:
"REDCap (Research Electronic Data Capture) is a web-based application hosted by Partners HealthCare Research Computing, Enterprise Research Infrastructure & Services (ERIS). Vanderbilt University, with collaboration from a consortium of academic and non-profit institutional partners, develops this software application for electronic collection and management of research and clinical study data.
The REDCap Consortium is composed of thousands of active institutional partners in over one hundred countries who utilize and support REDCap in various ways. The REDCap Consortium's Part 11 Compliant Project's goal is to develop and maintain documentation and system features to ensure regulatory compliance. The FDA does not provide an overarching determination of compliance for any application. Only after a successful FDA audit of a study using REDCap, will it imply that REDCap can be used in compliance with 21 CFR Part 11. This has yet to happen across the REDCap Consortium or here at Partners HealthCare. As validated by Partners HealthCare, ERIS, and supported by Partners HealthCare Policies, REDCap has the technical controls necessary to collect data for 21 CFR Part 11 compliant studies. The additional testing/validation of REDCap for specific study workflows and data collection, documentation, training, and policies are the responsibility of the research investigator."
When will REDCap be 21 CFR Part 11 compliant?
The FDA does not provide an overarching determination of compliance. Even after a successful FDA audit of a study using REDCap, it will only imply that for that specific study, REDCap was used in compliance with 21 CFR Part 11. This has yet to happen across the REDCap Consortium or here at Partners HealthCare.