REDCap, Send Secure and the IS Email Security Policy

Emailing via REDCap is equivalent to sending an email from Outlook. The message is sent from your project/study's designated email address, goes through the Partners mail server and is delivered as a standard email WITHOUT encryption.

When sending PHI via REDCap emails, you must secure the content. These are your options:

For any of these options, you MUST remove all medical content, diagnoses, study descriptors, medical questions, or any other PHI from the email SUBJECT.

1) Use SEND SECURE: Please note that SEND SECURE makes the user click on a link and register an account to access the email body/text. The account initiation can deter participants from accessing and reading the email. See this article on the user experience: HOW TO OPEN A SEND SECURE EMAIL

2) Use REDCap Survey Login feature: Remove all medical content, diagnoses, study descriptors, medical questions, or any other PHI from the REDCap survey invite and reminder email subject and email body/text. Move all this information into the REDCap survey. The respondent will need to authenticate (log in) to the survey before they can view and complete it. The respondent logs in by entering one or more known values for fields in the project (up to three), e.g., last name and date of birth. These values must already be saved in the respondent's record in the project; they may have been entered or uploaded by a project user/admin or entered on a previous survey by the respondent themselves.

3) Document Participant Encrypted Email Opt-Out: Study participants consent/agree to receive study-related information via unencrypted emails (REDCap survey invites/reminders).

All text of outreach to subjects for clinical research, including emails, must be reviewed and approved by the IRB.


Contact EDC Support for questions about REDCap. 

Policy / References

PHRC IRB FAQs about communication with research subjects

How do I get and document someone’s agreement to communicate by non-secure email?
Individuals may read or have read to them the following information, and then can agree by signing or verbally acknowledging that they agree to receive un-secured email. Researchers are required to document this agreement, including the date of the agreement, by noting it in research records or retaining the participant's signature.

Required Warning Language: Before sending or responding to an unencrypted email message to an individual, the individual must acknowledge understanding of, and agreement to accept the risks as communicated to them via the following language (this language must be copied into an email response to an individual, or may be read over the phone to the individual, or an individual could agree by reading this in person and signing this or simply agreeing verbally):

“The Partners standard is to send email securely. This requires you to initially set up and activate an account with a password. You can then use the password to access secure emails sent to you from Partners HealthCare. If you prefer, we can send you “unencrypted” email that is not secure and could result in the unauthorized use or disclosure of your information. If you want to receive communications by unencrypted email despite these risks, Partners HealthCare will not be held responsible. Your preference to receive unencrypted email will apply to emails sent from this research group/study only.”

The IRB issued a statement on the use of REDCap and SEND SECURE via email on 13 Apr 2017.

Subject: Important Updates from the Partners IRBs Regarding Informed Consent, Epic Research Notifications and REDCap Emails

Emails Sent via REDCap

Investigators continue to be confused about information security related to REDCap. REDCap links ARE secure BUT Email messages sent out via REDCap ARE NOT SECURE, unless you use the "Send Secure" option by adding "Send Secure" to the subject line.

You may not send email messages that include medical content, diagnoses, study descriptors, medical questions, or any other PHI via REDCap, unless you additionally add "Send Secure" to the subject line.

Specific attention must be given to the email subject line, and text of the message. For example, you MAY NOT send a message saying "Depression study" in the subject line or in the body of the message: "Thank you for participating in the depression study. Here's the link to your weekly questionnaire: Secure Redcap Link to survey." You could potentially send a message to already enrolled subjects who previously signed a consent form, if that message contains NO PHI, for example: "Here is your weekly survey link: Secure Redcap Link to survey."

Thus, REDCap is generally NOT USEFUL for initial contact, recruitment, or outreach to subjects. We continue to see investigators confused about these nuances. All text of outreach to subjects for clinical research, including emails, must be reviewed and approved by the IRB. Recruitment plans must be detailed in your protocol.

For questions about REDCap, you may contact: Lynn Simpson MPH

For questions about recruitment of research subjects you may contact Elizabeth Hohmann, MD, Director and Chair, Partners IRBs.

Additional guidance on email security is anticipated in the near future, from the IRB, Partners Research Information Security, and the Privacy Offices.


Partners IS Email Security Policy

Encrypted email opt-out statement:

“4. Patient Encrypted Email Opt-Out

While it is the preference of Partners HealthCare that Patient Gateway or the Send Secure tool are used to send Confidential data to recipients outside the Partners firewall, patients may opt out of encrypted email communications if they have been advised of the risks associated with unencrypted email, and they indicate a preference to receive unencrypted email despite the risks.

Exception: Due to state law, email containing the following identifiers must always be encrypted, and patients may not opt-out of encrypted email containing:

            a. Social Security numbers; or

            b. Driver's license number or state-issued identification card number; or

            c. Financial account number, or credit or debit card number.

Partners Institutions communicating with patients via unencrypted email must develop institution-specific procedures regarding permitting patients to opt-out of unencrypted email, including training for workforce members. All Institution-specific procedures must be approved by the Partners HealthCare Chief Information Security and Privacy Officer before they are implemented.”
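The three rules on this page (a PHI-free subject line under every option, Send Secure or a documented opt-out for PHI in the body, and the state-law identifiers that no opt-out can waive) can be encoded as a pre-send check run over the messages before REDCap dispatches them. The following is an added example written for this page; it is not part of REDCap, Send Secure or any Partners tool. The six-word PHI vocabulary, the SSN and card-number regexes and the sample messages are all constructed for illustration; an institution would substitute its own term list, and driver's licence numbers are not matched because their format varies by state.

```python
import re
from dataclasses import dataclass, field

# Constructed screening vocabulary for this example only. A real pre-send check
# would use the institution's own PHI term list; these six words stand in for
# "medical content, diagnoses, study descriptors, medical questions".
PHI_TERMS = ("depression", "diagnosis", "medication", "cancer", "hiv", "study")

# Identifiers that the quoted Partners policy says must always be encrypted and
# that no opt-out can waive. Both regexes are illustrative: a US SSN and a bare
# 13-19 digit card/account number. Driver's licence and state ID formats vary by
# state and are not matched here, so they still need human review.
ALWAYS_ENCRYPT = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_or_account": re.compile(r"\b(?:\d[ -]?){12}\d{1,7}\b"),
}

# The IRB's mechanism is the literal words "Send Secure" in the subject line.
SEND_SECURE_TAG = re.compile(r"\bsend\s*secure\b", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str
    # True only when the dated agreement described in the IRB FAQ is on file.
    participant_opted_out: bool = False


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def find_phi_terms(text: str) -> list:
    """Return the screening terms that appear as whole words in text."""
    lowered = text.lower()
    return [t for t in PHI_TERMS if re.search(rf"\b{re.escape(t)}\b", lowered)]


def find_always_encrypt(text: str) -> list:
    """Return the names of the state-law identifier patterns found in text."""
    return [name for name, rx in ALWAYS_ENCRYPT.items() if rx.search(text)]


def check_message(msg: Message) -> Verdict:
    reasons = []
    send_secure = bool(SEND_SECURE_TAG.search(msg.subject))

    # Rule 1: the subject line must be PHI-free under every option; neither
    # Send Secure nor an opt-out covers the subject.
    subject_hits = find_phi_terms(msg.subject) + find_always_encrypt(msg.subject)
    if subject_hits:
        reasons.append("subject contains PHI (%s); it must be removed" % ", ".join(subject_hits))

    # Rule 2: SSN, licence and financial identifiers in the body always require
    # encryption; a documented opt-out does not apply to them.
    law_hits = find_always_encrypt(msg.body)
    if law_hits and not send_secure:
        reasons.append("body contains identifiers that must always be encrypted (%s); add Send Secure" % ", ".join(law_hits))

    # Rule 3: any other PHI in the body needs Send Secure or a documented opt-out;
    # otherwise move it into the survey behind the Survey Login feature.
    body_hits = find_phi_terms(msg.body)
    if body_hits and not (send_secure or msg.participant_opted_out):
        reasons.append("body contains PHI (%s) with neither Send Secure nor a documented opt-out" % ", ".join(body_hits))

    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample messages modelled on the IRB's two examples above.
SAMPLES = {
    "bad_subject": Message("Depression study", "Here's the link to your weekly questionnaire: <survey link>"),
    "bad_body": Message("Weekly survey", "Thank you for participating in the depression study. <survey link>"),
    "send_secure": Message("Send Secure: Weekly survey", "Thank you for participating in the depression study. <survey link>"),
    "opt_out": Message("Weekly survey", "Thank you for participating in the depression study. <survey link>", participant_opted_out=True),
    "opt_out_ssn": Message("Weekly survey", "Please confirm your SSN 123-45-6789 before the visit.", participant_opted_out=True),
    "clean": Message("Weekly survey", "Here is your weekly survey link: <survey link>"),
}


def check_all(samples=SAMPLES) -> dict:
    """Run the check over every sample and return name -> Verdict."""
    return {name: check_message(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        status = "OK    " if verdict.allowed else "BLOCK "
        print(status, name, "; ".join(verdict.reasons))
```

Running it blocks "bad_subject", "bad_body" and "opt_out_ssn" and passes the other three; the "opt_out_ssn" case is the one worth noting, since a participant's documented opt-out is ignored as soon as an SSN appears in the body, exactly as the quoted policy exception requires. A term list like this only catches known words, so it complements rather than replaces the IRB review of outreach text.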