While the REDCap environment controls implemented by ITCS keep your research and data safe, we ask that all users take an active role to ensure we continue to maintain our high level of security.
The HIPAA Security Rule defines standards that require covered entities to implement basic safeguards to protect electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Privacy depends upon security measures: no security, no privacy.
HIPAA also mandates that covered entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect patients' electronic protected health information. This information may be in any electronic format that is stored on or transmitted from devices such as desktop or laptop computers, networked systems, disks, CD-ROMs, hand-held devices (PDAs), and other clinical-related devices.
Always think about the security of your data: only export when necessary. Take precautions when exporting data, and only export data if you need to run reports or analysis outside REDCap. Limit user privileges so that export rights are granted only to those who really need them.
Note: REDCap is a web-based system. Once data is downloaded from REDCap to a device (ex: computer, laptop, mobile device), the user is responsible for that data. If the data being downloaded is protected health information (PHI), the user must be trained and knowledgeable as to which devices are secure and in compliance with ECU's standards (ex: HIPAA) for securing PHI.
Use the REDCap Send-It feature to send data. Send-It is a secure data transfer application that allows you to upload a file (up to 32MB in size) and then allow multiple recipients to download the file in a secure manner. Each recipient will receive an email containing a unique download URL, along with a second follow-up email with the password (for greater security) for downloading the file. The file will be stored securely and then later removed from the server after the specified expiration date. Send-It is the perfect solution for anyone wanting to send files that are too large for email attachments or that contain sensitive data.
At ECU, we are committed to protecting our patients' privacy and maintaining our organization's security of information. We continue to comply with the HIPAA rule and maintain the confidentiality, security, and integrity of our patients' health information. Note: If you have a question about HIPAA or wish to report a privacy concern, please call: 744-5200 or email:
Source: U.S. Department of Health and Human Services National Institutes of Health (2017).
Retrieved from https://privacyruleandresearch.nih.gov/pr_08.asp
When you are creating project fields in your data collection instrument, remember the 18 HIPAA Identifiers. If your field label uses identifying information, make sure you choose YES next to Identifier. This will be important when you are ready to export your data. All fields tagged as identifiers will be marked in red.
Please Note: REDCap is a web-based system. Once data is downloaded from REDCap to a device (computer, laptop, mobile device), the user is responsible for that data. If the downloaded data is protected health information (PHI), the user must be trained and knowledgeable as to which devices are secure and in compliance with ECU's standards (like HIPAA) for securing PHI.
The User Access Dashboard is a reporting tool designed to assist in the management of users granted access to one or more REDCap projects. If you can view this dashboard, you have User Access Dashboard rights to at least one project.
It is recommended you access the User Access Dashboard monthly to review users who have access to any projects. This list can be filtered by project status or project purpose.
If a user no longer requires access to a project, you should
Click the button at the bottom of the page to implement changes, which take effect immediately.
Access updates may still be done within individual projects, but the User Access Dashboard tool streamlines the process.
Also see role descriptions and user rights information
Once a project is completed: