Guides & How-to's | Clinical Research Center

Want to learn how to build your own REDCap projects, instruments, and surveys?

Ready to take your projects to the next level with branching logic, alerts & notifications, and survey scheduling?

Looking to enhance your surveys and forms using REDCap’s advanced internal features?

REDCap offers a streamlined, self-service process for rapidly creating and designing projects, with tools that can be tailored to virtually any data collection strategy. No programming or database experience is required.

Because UCH REDCap is a self-service application, users are responsible for their own training. We strongly encourage you to take advantage of the free training materials and resources provided below to get the most out of the platform.

Note: New versions of REDCap are released frequently. Some training resources may show earlier versions of the software, so screens and options may look slightly different from your system. For the most current guidance, refer to REDCap’s built-in prompts and instructional text.

Getting Started with REDCap

REDCap employs a streamlined process that allows you to rapidly design, test, and launch your project:

Learn –
- Find out more about REDCap to determine if REDCap is the right tool for your study.
- All project team members who will access and work in the UConn Health REDCap system must complete the following video training modules before requesting an account:
Request an Account –
- Review Project & Usage Eligibility and submit your REDCap Account Request.
Create –
- Build your project in the REDCap Development system.
  - New to REDCap? Use our Practice Project guide for a step-by-step walkthrough.
  - Ready to start your own? Use the guides below for detailed instructions and best practice.
Test –
- Thoroughly test your development project to ensure all functionality, branching logic, calculations, and permissions work as intended before going live.
Deploy –
- IRB approval is required before deployment to production.
- Submit a request to move your project from development to production so you can begin collecting real data.

Best Practices

Before you get started, please review some general guidelines and best practices:

REDCap General Guidelines
REDCap Best Practices

User Guide & Training Resources

Check out these resources to help you get started and gain a better understanding of the REDCap application and its functionality.

Project Development

Your IRB-approved protocol and data plan determine:

What data can be collected.
How that data can be collected and stored.

The use of REDCap for data collection and storage must be included in your approved plan. This information is documented in your protocol, consent forms, IRB application, HIPAA authorization/waiver, data security assessment, and other study materials.

Key Requirements

All project fields, forms, and instruments in REDCap must match the documents reviewed and approved by the IRB.
If your IRB-approved plan specifies that identifiers will be kept separate from study data, they must not be stored in the same REDCap project as the study data.
- Example: Consent documents (with identifiers) should be stored in a separate, dedicated REDCap project—not within the main study project.
The PI and study team are responsible for ensuring all data collection and storage, including signed consent documents, follows the confidentiality provisions described in the IRB-approved materials.
Any changes to the type of data collected or how it is stored must be reviewed and approved by the IRB before implementation.

Getting Started

Project Creation Guide
Project Setup Page
How to Find Your Project PID
User Rights Management
Project Statuses and Project Life Cycle

Learn how to build and modify data collection instruments:

Introduction to Instrument Development
Instrument Development
How to Use Data Dictionary
Instrument Design / Online Designer / Data Dictionary FAQs
Adding Images to Fields and Multiple-Choice Options
Using Matrix Fields
Repeating Instruments and Events
How to use Piping
Field Embedding
Smart Variables
Development Project Testing: How-to Guide

When active data collection has end

How to Delete Your Project – REDCap is a data collection tool and is not intended for long-term storage of study data. This guide describes how to delete a project from REDCap

Longitudinal

The longitudinal project mode allows you to use the same forms and surveys at multiple time points during data collection—eliminating the need to recreate instruments for each visit or follow-up.

Key points

This setting must be enabled before moving your project into production and cannot be changed afterward.
The Longitudinal module allows any instrument(s) to be completed multiple times for each record.
Data collection time points are organized in an event grid, which provides a clear, structured timeline for your project.

Resources for Longitudinal Projects

Longitudinal Project Development Guide
Data Entry for Longitudinal Projects
What are ARMs? Understanding how to separate groups or study tracks.
Repeatable Instruments & Events For complex longitudinal setups.
Video Tutorials: Multiple Arms
- Overview and Setup
- Designating Instruments
- Scheduling Module
- Screening ARMS.

Data Export Considerations

When exporting data from a longitudinal project, be aware that:

Each event generates its own row for each record.
If your project has multiple events, the exported dataset will contain multiple rows per participant, one for each defined time point.

Identifiers

Are you using identifiers (names, emails, etc.) in your project? Make sure you read this

Are you collecting identifiers (e.g., names, email addresses, phone numbers, etc) in your project? If so, you must read the Using Identifiers Guide before building or modifying your project.

Follow Your IRB-Approved Plan

Your approved study materials dictate:

What data can be collected.
How data can be stored and managed in REDCap.

This information is found in your:

Protocol
Consent forms
IRB application
HIPAA authorization/waiver
Data Security Assessment
Other IRB-approved documents

All data fields and instruments in your project must match the IRB-approved documentation.

When to Keep Identifiers Separate

If your IRB-approved data plan specifies that identifiers must be stored separately from study data, you must not store them in the same REDCap project.

Example: If consent documents contain identifiers, store them in a separate consent project, not in the main study project.

If Storing Identifiers Is Necessary

Confirm that identifier collection is explicitly included in your IRB-approved plan.
Ensure collection and storage are consistent with the confidentiality provisions described in your IRB-approved protocol, consent documents, and data plan.
- This includes signed consent documents and any other materials containing identifiers.

IRB Approval for Changes

Any changes to the type of data collected or how it is stored must be reviewed and approved by the IRB before implementation.
If your study is Exempt, consult the IRB before making changes to ensure you do not invalidate the exemption.

Randomization

The Randomization Module allows you to assign study participants to different groups (e.g., treatment vs. control) in a way that is unbiased and reproducible. It uses a pre-defined allocation table created outside REDCap (typically in Excel or a statistical package) and uploaded to the project.

Key points:

Setup: Must be enabled and configured before any randomization occurs.
Stratification: You can stratify assignments based on selected variables (e.g., site, gender) to ensure balanced group distribution.
Blinding: Access to the randomization setup and results can be restricted to protect allocation concealment.
Once Assigned, Always Assigned: Randomization assignments cannot be undone or changed, preserving study integrity.
Audit Trail: All randomization events are logged for compliance and tracking.

This module is typically used in clinical trials and other research studies where allocation bias must be minimized and group balance is critical.

Randomization Module
Randomization Module Setup Guide
Randomization FAQ – search Randomization

Internal Modules & Customization

REDCap offers a variety of optional modules and customizations that allow you to extend functionality beyond the core features. From streamlining data entry to adding specialized tools for complex studies, these modules can be enabled as needed to match your project’s workflow, compliance requirements, and research goals.

Our Optional Modules and Customizations User Guide provides an overview of the most commonly used modules—what they do, when to use them, and key considerations—so you can choose the right tools to enhance your REDCap project efficiently and effectively.

Surveys, ASIs, and Alerts & Notifications

Surveys are one of REDCap’s core features, allowing you to easily collect a variety of data from participants. Surveys can be sent at specific times and/or to specific participant groups, making them highly flexible for study needs.

Getting Started
For step-by-step guidance, we recommend the Survey Wizard – an interactive tool that covers:

When to enable survey functionality.
Considerations for choosing a survey model.
Available survey setting options.

Additional training resources:

Creating & Distributing Surveys
Survey Settings
Video : Survey Basics
Survey Wizard: Automated Survey Invitations (ASIs)
FAQs: Automated Survey Invitations and
Survey Guide and ASI’s
Survey Queues

This flowchart explains how to send multiple surveys at a single time point or longitudinally:

Public Survey URL – Anonymous responses.
Participant List – Non-anonymous responses.

Repeating Surveys
For repeated data collection, use:

Repeating Instrument – Same survey repeated multiple times.
Repeating Event – (Longitudinal projects only) survey used in multiple repeating events.

More info: Data Collection Strategies for Repeating Surveys.

Survey Security and Integrity
Maintaining data credibility is essential. Review these resources to prevent fraudulent responses:

REDCap Email Delivery
When sending emails, ASIs, and alerts & notification, please see: Email Display Name and Address.

Notifications and Alerts
If you wish to be notified via email every time a participant completes a survey, you can set up Survey Notifications. To set up Alerts & Notifications with greater complexity and more capabilities, check out: Alerts and Notifications

Using Logic & Calculations

Logic in REDCap allows you to control when and how data is displayed, calculated, or acted upon within your project. Whether you’re showing or hiding fields, triggering automated survey invitations, creating real-time calculations, or filtering reports, logic ensures your project behaves dynamically and efficiently. The way you write logic will depend on where it’s being used, your project type (classic, longitudinal, or repeating), and the types of fields involved. This section provides an overview of where logic can be applied, how calculated fields work, and links to tools and guides to help you get started.

Where you can use logic

Branching Logic, Calculated Fields, ASIs (Automated Survey Invitations), Alerts & Notifications
Data Quality Rules, Survey Queue, Advanced Report Filters, Project Dashboards

Logic varies by context

Classic vs. longitudinal (event-aware) vs. repeating instruments/events
Field types (use coded choice values like ‘1’, ‘2’)
Each area may use branching-style logic or report-filter syntax

Common operators
=, <>, >, <, >=, <=, and, or — fields like [age], choices like [consent]=’1′

Quick Links

Using Logic Guide
Branching Logic How-To Guide
Branching Logic FAQ
Calculated Fields
Survey Guide: Simple and Complex Calculations in REDCap
Build My Calculation Tool*

**Original BuildMyCalc Tool created by Samantha Walkow at BC Children’s Hospital.*

Action Tags & Smart Variables

Action Tags are an excellent way to customize the data entry experience for surveys and forms. They are special terms that begin with the ‘@’ sign that can be placed inside a field’s Field Annotation when adding or editing a field. Each action tag has a corresponding action that is performed for the field when displayed on data entry forms and survey pages. Check out our guide for a comprehensive list of currently available action tags, along with some dos and don’ts: Using Action Tags.

Smart Variables are a powerful way to make your REDCap projects more dynamic and efficient. They can automatically adapt to the current user, record, event, or context—saving you time and reducing errors. Our new guide walks you through what Smart Variables are, how they differ from regular field variables, and where you can use them for calculations, logic, and piping. In every REDCap project, you can find a link to more information about smart variables by clicking on the green “Smart Variables” button in the “Design your data collection instruments” box on the Project Setup page. You can also check out our REDCap Smart Variables Guide.

eConsent & eHIPAA

When obtaining participant consent electronically, the e-Consent Framework should be enabled. This framework is designed for the secure digital capture and storage of participant consent, whether participants are consented in clinic or remotely.

The e-Consent Framework provides standardized tools to:

Present study-specific consent materials in a clear, accessible format.
Capture participant signatures and relevant consent details electronically.
Automatically generate and store a certified PDF “hard copy” of the signed form.

Key Features & Options

Certification Screen: Confirms the participant’s understanding and intent prior to finalizing consent.
Customizable Display: Present consent content as either an inline PDF or rich text directly on the survey page.
Context-Specific Forms: When using Multi-Language Management (MLM) and/or Data Access Groups (DAGs), the framework can display the correct consent version for each participant’s assigned language and/or group.
Survey Flexibility: Can be enabled for any survey within your project, allowing you to integrate e-Consent into your existing study workflow.

By using REDCap’s e-Consent Framework, research teams can streamline the consent process, enhance accessibility for participants, and ensure that signed documents are securely stored in compliance with institutional and regulatory requirements.

Quick Links

Multi-Language Management

Do you have survey participants—or even project team members—who prefer to read and respond in languages other than English? The Multi-Language Management (MLM) feature makes it easy to provide your REDCap surveys, forms, and project interface in multiple languages, allowing users to seamlessly switch between them at any time.

With MLM, you can:

Offer translated versions of survey questions, field labels, instructions, and other project text.
Provide language-specific consent forms, instructions, and automated messages.
Enhance participant accessibility and engagement across diverse populations.

Whether your participants are completing surveys in clinic or remotely, MLM ensures they can interact with your project in the language they understand best—improving clarity, accuracy, and user experience.

Quick Links

Double Data Entry

Double Data Entry (DDE) is a specialized module that allows the same data to be entered twice for each subject—by two independent data entry users—so the entries can later be compared for discrepancies. This process helps ensure high-quality, accurate data collection by identifying and resolving inconsistencies before analysis.

Key Points

Advanced Feature: Must be enabled by a REDCap Administrator before use.
Two Independent Entries: Each record is entered separately by two different users.
Comparison & Reconciliation: A built-in comparison tool highlights mismatches for review and correction.
Use Cases: Ideal for studies where data accuracy is critical, such as clinical trials and regulatory submissions.
By requiring independent, duplicate entries, DDE provides an additional layer of quality control—helping safeguard your project’s data integrity.

To learn more, please review the Data Double Entry Guide.

Project Users

The User Rights Defined guide provides a detailed overview of the permissions available in REDCap and how they can be applied. Permissions can be assigned to individual users directly or managed more efficiently by creating and assigning Recommended User Roles—streamlining setup and ensuring consistency across your project team.

For step-by-step instructions on adding users to a project and managing their permissions, refer to the User Rights Management documentation.

Best Practices

Limit project access to approved study team members only.
Assign the minimum level of privileges necessary for each user’s role.

Ongoing User Oversight
It is the responsibility of the Designated Project Manager and/or Principal Investigator (PI) to:

Review access regularly – Confirm that only active, authorized team members have access.
Adjust permissions as responsibilities change.
Remove access promptly for users no longer involved in the project.

Following these practices helps maintain project security, data integrity, and compliance with institutional and regulatory requirements.

For more information, please visit the: Project User Management guide.

Data Access Groups

Data Access Groups (DAGs) are used to restrict data access in multi-site or multi-team projects. When a user is assigned to a DAG, they can view and edit only the records created within their group—ensuring each site or team remains blinded to all other groups’ data.

Key Points

Group-Based Access: Users in a DAG can only see their group’s records.
Blinding Between Groups: Records from other groups are hidden.
Unassigned Users: Users not assigned to any DAG can access all records across the project.
Ideal for Multi-Site Projects: Maintains confidentiality between sites while allowing centralized oversight by designated users.

Example Use Case
In a multi-site study, each site’s staff is assigned to its own DAG. This prevents them from viewing other sites’ participant data while still allowing the PI and central project team (unassigned users) to see the full dataset.

By implementing DAGs, you can protect participant privacy, maintain compliance with data-sharing agreements, and ensure each site only has access to its own records.

Quick Links

Data Access Groups Guide
Data Access Group Training Video

Move to Production

Step 1 – Plan Ahead
Allow ample time for project development, testing, and deployment before your intended launch date.

The REDCap Administrator supports 800+ UCH REDCap users, so immediate or last-minute support cannot always be guaranteed.
If your project has a fixed launch deadline, submit your move-to-production request at least two weeks in advance. This ensures:
- Adequate time for review and approvals.
- Opportunity to resolve any last-minute issues without delaying your launch.

Step 2 – Confirm Readiness
Before requesting to move your REDCap project to Production, ensure that you have:

Built and reviewed all project instruments and settings.
Tested thoroughly all features, workflows, and logic.
Obtained IRB approval.

If you can answer “yes” to all the above, you’re ready to proceed. For full details, see: Moving Project to Production.

Step 3 – Submit Your Request

Log in to your REDCap project.
Go to the Project Setup page.
Scroll down to the Move Project to Production section.
Click Move to Production and complete the on-screen confirmation form providing details about your project and IRB approval.
Submit your request for REDCap Administrator review.
Watch for an email confirmation once your project has been moved to Production

Production Changes

Once your project is in Production, the Principal Investigator (PI) and/or their designated project team are responsible for managing all changes. It is your responsibility to:

Ensure changes remain within the scope of the approved protocol’s data collection plan.
Consult with the IRB if there is any uncertainty about whether additional approval is required before implementing changes.

Types of Production Changes that Impact Data Collection
Production changes may include:

Modifying existing instruments – Updating or altering data collection forms or surveys.
Adding new instruments – Creating additional data collection forms or surveys.
Changing project setup – Adjusting how the project collects data, sends surveys, or stores responses.

How to Proceed
To determine the safest and most efficient way to make your changes, review the following resources:

Important Permissions Reminder
When a new instrument/form is added to a project in Production:

By default, all users will have No Access rights to the new instrument.
Users with “User Rights” privileges must update permissions for all applicable users or user roles.
Users with No Access to an instrument:
- Cannot view that instrument for any record.
- Cannot view fields from that instrument in reports.

Tip: Always review and update user permissions immediately after adding new instruments to ensure the correct team members can access and work with the new data.

Managing Your Data

Data Exports and Reports
Do you need to generate a report? Need to do routine backups of your project? Has data collection ended and are you ready to export your data? Use these helpful resources to determine how to manage your data.

We strongly recommend that you routinely export all project data in CSV/Microsoft Excel format (raw data). If your analysis requires another format (e.g., SPSS, SAS, R), be sure to export those versions as well.

Reminder: REDCap cannot be used for long-term project or data storage once active data collection has ended. When your project concludes, all data and project files must be exported and securely stored according to your IRB-approved data plan and institutional data retention policies.

Please download the following files for your records:

CSV/Microsoft Excel exports (raw data)
Any additional formats required for analysis (SPSS, SAS, R, etc.)
Data Dictionary
Codebook
Project XML files – both “Metadata Only” and “Metadata & Data”
PDFs of all data collection instruments with and without saved data (all records)
Full Logging Activity

These files are essential for recordkeeping, analysis, and for recreating your project if needed in the future.

Finally, please verify that all data and files have been successfully exported and that nothing is missing or incomplete. Be sure to save all exported files securely and in accordance with your institution’s data security policies and your IRB-approved data collection and storage plan.

If you need to request a secure data storage solution or require assistance with properly securing your data, please reach out to your local IT support team.

After exporting and saving your data (CSV, XML, Data Dictionary, Codebook, etc.), go to the ‘Other Functionality’ tab in your project and select ‘Request Project Delete’ to formally remove it from the system. Once deleted, all project data will be permanently erased and cannot be recovered.

For more information: Project Statuses and Project Life Cycle.

Data Imports

Need to import existing data into REDCap:

External Modules

External Modules extend REDCap’s functionality by adding custom features or enhancements. They can:

Modify REDCap’s existing behavior or appearance.
Create entirely new functions, layouts, or workflows.

Unlike official REDCap features, external modules are not developed or maintained by the REDCap Consortium’s core software team. Instead, they are created by developers at other REDCap partner sites, often to meet specific project needs. Some of these tools are shared so others can benefit from them.

Key Considerations

Not Official Features: External Modules are add-on packages that operate within REDCap but are not part of its core codebase.
Compatibility Not Guaranteed: Because they were developed for other systems, modules may not work on every REDCap version or in every project design.
Limited Documentation: They often have less built-in guidance than official REDCap features, requiring trial-and-error for configuration.
Use at Your Own Discretion: Modules are provided as-is by their original authors, with no guarantee they will function as intended in your specific project.

Before You Enable an External Module
External modules can be powerful tools to enhance your project, but they require careful testing before use—especially in production environments—to ensure compatibility, functionality, and data integrity.

Check Compatibility
Confirm the module is supported in your institution’s current REDCap version.
Review any known compatibility issues listed by the module’s developer.
Review Documentation
Look for installation notes, configuration instructions, and usage examples.
- If documentation is limited, plan to allow extra time for testing.
Test in a Non-Production Project
Enable and configure the module in a development or test project first.
Verify that it performs as expected without disrupting other functionality.
Assess Data Impact
Determine if the module changes how data is collected, stored, or displayed.
- If yes, confirm that use of the module aligns with your IRB-approved protocol (if applicable).
Plan for Ongoing Monitoring
Check module behavior after REDCap upgrades or changes in project setup.
Be ready to disable or adjust the module if issues occur.

Mobile Applications

The REDCap Mobile App and MyCap are two mobile applications that extend REDCap’s capabilities for data collection—especially in the field or when participant input is needed outside a traditional research setting.

REDCap Mobile App
Designed for offline data collection, the REDCap Mobile App allows data collectors to:

Capture data on an iPhone, iPad, or Android device without an internet connection.
Sync collected data back to the REDCap server once online.

Resources:

MyCap
MyCap is ideal for participant-reported outcomes and longitudinal data capture directly from participants’ mobile devices. It:

Allows participants to enter data at their convenience using their own smartphones or tablets.
Supports scheduled activities, surveys, and reminders.

Resources:

MyCap Guide
Project MyCap

Choosing the Right Platform
Not sure which option is best for your project? Use our REDCap Platform-Decision-Tree to determine whether the REDCap Mobile App, MyCap, or another REDCap feature is the right fit for your study needs.

Reminder: Your study materials dictate how data can be collected; the use of Mobile Applications must be part of your approved plan – this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, etc.

Mosio

UCH REDCap supports integration with Mosio, a third-party messaging platform for researchers. You can use Mosio’s REDCap Direct with a UCH REDCap project to send research participants survey questions, alerts, and notifications via SMS text. The use of Mosio must be part of your IRB-approved protocol and data security assessment/plan.

To use this feature, you must have a funded Mosio REDCap Direct account through Mosio. (You cannot use a free trial account.) For pricing information, see Order Mosio’s REDCap Direct. These fees are paid to Mosio directly and are above and beyond the UCH REDCap usage fees. For more information: Mosio Use in REDCap.

To request that Mosio be enabled for your UCH REDCap project, contact us at redcap@uchc.edu.

**The UCH REDCap team is NOT responsible for managing Mosio accounts or the costs associated with them, nor does the UCH REDCap provide support for this feature.

API

The REDCap API allows approved external applications to connect to REDCap remotely to retrieve or modify data or settings within a project. It is often used for:

Automated data imports/exports from a specified REDCap project.
Integrating REDCap with other systems or applications.
Performing scheduled or programmatic data operations without manual interaction.

How It Works

The API uses tokens to authenticate and validate all requests.
API access requires programming knowledge in one or more common languages such as PHP, Perl, Python, Ruby, Java, R, or cURL.
The REDCap Administrative Team does not write or debug API code for users—if you are not a programmer, you will need assistance from a qualified team member in your department.

Requirements & Compliance

API usage must be included in your IRB-approved protocol and data plan.
You must have API rights enabled via User Rights before you can request an API token.
- If you do not see the API Token option in your project:
  - Update your User Rights as outlined in Steps 1 & 2 of the API Best Practices Guide

Getting Started
Review:

API Best Practices Guide
Managing Data in REDCap-Reports, Exports, Imports, & API
API Page in REDCap (UCH REDCap account required).
Optional: Take the open-access training Using the REDCap API (no UCH account required).
Confirm your IRB protocol includes API usage before requesting a token.

Tip: Always test your API calls in a development project before running them in production to avoid unintentional data changes or loss.

Data Monitoring / Auditing

The Data Resolution Workflow allows users to open a workflow for documenting the process of resolving issues with data in the project (i.e. opening, responding to, and closing data queries). This functionality is helpful for projects that are working with monitors.

For more information: Data Resolution Workflow

NIH Data Sharing

Does the project you are working on have a data sharing and archiving requirement with the NIH Data Archive (NDA)? If so, make sure you check this out and learn the best practices for handling your human subject’s data in a REDCap project for the purpose of reporting research data to the NDA.

Using REDCap for NIH Data Archive

Guidance for Preparing REDCap Data for NIH Data Archive Submission

Check out these Webinars and Tutorials. Or go their main page for everything you may need to know NIMH Data Archive – NDA Home Page (nih.gov)

UCH Academic IT Services (AITS) is offering a virtual training session on the DMPTool, a free, open-source, online application that provides a click-through wizard for creating a DMSP that complies with funder requirements. The class will also introduce research associates to the AITS DMS Website and provide guidance for navigating the plethora of on-line resources associated with data management. Classes will be held monthly: Register for a future session. For more information, contact: Academic IT Services at aits@uchc.edu.

Citing REDCap

REDCap users are asked to cite the publication below in study manuscripts. We recommend the following boilerplate language:

Study data were collected and managed using REDCap electronic data capture tools hosted at the University of Connecticut Health Center^1,2. REDCap (Research Electronic Data Capture) is a secure, web-based application designed to support data capture for research studies, providing: 1) an intuitive interface for validated data entry; 2) audit trails for tracking data manipulation and export procedures; 3) automated export procedures for seamless data downloads to common statistical packages; and 4) procedures for importing data from external sources.

¹ PA Harris, R Taylor, R Thielke, J Payne, N Gonzalez, JG. Conde, Research electronic data capture (REDCap) – A metadata-driven methodology and workflow process for providing translational research informatics support, J Biomed Inform. 2009 Apr;42(2):377-81. Link to article.

² PA Harris, R Taylor, BL Minor, V Elliott, M Fernandez, L O’Neal, L McLeod, G Delacqua, F Delacqua, J Kirby, SN Duda, REDCap Consortium, The REDCap consortium: Building an international community of software partners, J Biomed Inform. 2019 May 9 [doi: 10.1016/j.jbi.2019.103208] Link to article.

Compliance: HIPAA, IRB, Security & Data Management

Platform Management & Security
UCH REDCap is hosted on-premises at UConn Health and jointly managed by Academic IT Services and the Clinical Research Center. All data is stored on secure UConn Health servers and protected according to HIPAA technical controls, including:

Firewall Protection – Hosted within the IT Data Center with controlled physical access.
Routine Maintenance – Regular operating system and application patching/upgrades.
Role-Based Access – Project access is restricted by user roles.
Encryption – Data is encrypted in transit; data is not encrypted at rest.
Backups & Audits – Daily and monthly backups (retained for 1 year) and routine log audits.
Secure Remote Access – Off-campus access is provided over an encrypted web connection.

Note: UCH REDCap is not 21 CFR Part 11–compliant. It must not be used for FDA-regulated studies (e.g., IND, IDE, abbreviated IDE). Principal Investigators (PIs) are responsible for determining whether a 21 CFR Part 11–compliant system is required.

HIPAA Compliance
UCH REDCap is a HIPAA-capable platform, but compliance also depends on user practices. All users must:

Complete institutional and federal regulatory training per IRB of record (e.g., CITI Courses, HIPAA training) — whether through UConn, UCH, or an approved external equivalent.
Follow Protecting High Risk Data guidelines, regardless of project data classification.
Limit access to high-risk data and restrict exports to authorized users.
Ensure all data collection/storage complies with IRB-approved protocols and institutional/federal policies.
UConn Health investigators must follow HSPP Policies and Procedures and Institutional Human Subjects Protections. UConn-Storrs investigators must follow Responsibilities of Research Investigators and HRPP SOPs.

IRB Responsibilities
Your IRB-approved study materials (protocol, consent forms, HIPAA authorizations/waivers, etc.) dictate:

What data can be collected.
How and where that data may be stored.

PI and Study Team Responsibilities:

Ensure identifiers are stored in compliance with IRB confidentiality provisions.
Keep identifiers separate from study data when required by protocol.
Obtain IRB approval for any changes to data collection or storage.
Consult the IRB before making changes to an Exempt study to avoid invalidating the exemption.

Data Collection & Management in REDCap
REDCap offers real-time validation, audit trails, reporting tools, and export to statistical software (SPSS, SAS, Stata, R). Project administrators can restrict access to PII/PHI fields using granular user rights. All user activities are logged.

Best Practices for PII/PHI in REDCap:

Collect PII/PHI only when necessary.
Use/disclose the minimum necessary PHI for study purposes.
Limit access to authorized personnel only.
Obtain all necessary authorizations, data-sharing agreements, and Business Associate Agreements.
Comply with HIPAA, IRB, and institutional safeguards at all times.

Prohibited Data in UCH REDCap:

Do not store:

Account numbers, Social Security numbers, Medical Record numbers.
Mother’s maiden names, health plan numbers, certificate/license numbers.
IP addresses, financial/PCI data, vehicle identifiers, biometric IDs.
Full-face photos, audio/video files containing identifiers.
HIPAA data not approved by the IRB.
Data controlled under ITAR (International Traffic in Arms Regulations).
Any other data restricted by federal, state, regional, or university policy.