Guides & How-to’s

Want to learn how to build your own REDCap projects, data collection instruments, and surveys? Want to take your projects to the next level with branching logic, alerts and notifications, and survey scheduling? Want to make your REDCap projects more powerful and enhance the design of your surveys and instruments by using REDCap’s external modules?

REDCap’s streamlined process for rapidly creating and designing projects offers a vast array of tools that can be tailored to virtually any data collection strategy. It is designed as a self-service application, requiring no previous programming or database experience. Users are responsible for their own training – therefore we strongly encourage users to take full advantage of the free training materials and resources provided below. 

Please note: Your study materials dictate what and how data can be collected – this includes the usage of REDCap. Please refer to your approved study plan to determine if and how your project can utilize REDCap – this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, data security assessment, etc. All projects must maintain valid IRB approval throughout their duration.

REDCap is specifically for Research Electronic Data Capture, thus should only be used for active data collection.  Once active data collection has ended, the project and its data need to be removed from the system. Therefore, you must have an external storage plan in place, which should be part of your IRB-approved plan. For more information: Managing Your Data.

New versions of REDCap are released frequently, so the videos and other training resources below may reflect earlier software versions and thus may look slightly different than your system. Refer to your REDCap software’s built-in prompts and instructional text for the most current information.

 

Getting Started | Best Practices | User Guide & Training Resources | Project DevelopmentLongitudinalIdentifiers | Modules & Customization | Surveys and ASI’sUsing Logic & Calculations | Action Tags | eConsent | Multi-Language Management | Double Data EntryProject Users | Data Access GroupMove to Production | Production Changes | Managing Your Data | External ModulesAPI |Mobile Applications | Mosio |Audit |NIH Data Sharing | Citing REDCap | Compliance

 


Getting Started

REDCap employs a streamlined process enabling you to rapidly develop a project:

  1. Learn more about REDCap and see if it will be an effective tool for your study. All project team members who will access and work in the UConn Health REDCap system must complete the Introductory Overviews, Basic Features & Functionality, and Project Types REDCap video training modules BEFORE requesting an account and using REDCap. All users are encouraged to view the additional REDCap training videos and guides and how-to’s below.
  2. Request a REDCap account. For more information: Project & Usage Eligibility and REDCap Account Request.
  3. CREATE your project in the REDCap Development system. If you need help creating a practice project, please see our step-by-step Practice Project guideIf you are ready to create your own, make sure you check out the guides below which offer more depth and specific how-to’s. 
  4. TEST your development project thoroughly.
  5. DEPLOY your project from development to the production environment and start collecting real data. IRB-approval required.

Best Practices
Before you get started, please review some general guidelines and best practices:


User Guide & Training Resources

Check out these resources to help you get started and gain a better understanding of the REDCap application and its functionality.


Project Development

Your IRB-approved protocol and data plan determines what data can be collected and how that data can be collected. The use of REDCap for the collection and storage of your data must also be part of that approved plan; this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, data security assessment, etc. ALL project fields and forms/instruments should match the approved documents that have been reviewed and approved by the IRB. If your IRB-approved data collection and storage plan indicates that identifiers will be kept separate from the data collected (i.e. will not be stored with study data), then identifiers should not be collected/stored in the same project along with the data – and the consent project should not be stored in with the study project. It is the responsibility of the PI (as well as the study team) to ensure the collection and storage of identifiers, this includes signed consent documents, is consistent with the confidentiality plans described to the IRB in the application, protocol, consent, etc. Changes to the data collected and how it is stored are to be approved by the IRB prior to implementation.

Getting Started

Learn how to build and modify data collection instruments:

    When active data collection has end

    • How to Delete Your ProjectREDCap is a data collection tool and is not intended for long-term storage of study data. This guide describes how to delete a project from REDCap

     

    Allow plenty of time for project development, testing, and deployment. The REDCap Administrator has many responsibilities supporting the 600+ UCH REDCap users so there may be limits to the immediacy and type of support that can be provided.  If your project has a deadline by when it needs to be launched (moved to production), be sure to give at least two weeks in advance. This will allow plenty of time should any problems arise.


    Longitudinal

    The longitudinal project mode is a project setting that allows for forms and surveys to be used at multiple time points in the data collection process, removing the need to recreate the same instrument for each time point. This setting must be enabled prior to moving the project into production and cannot be changed afterward. The Longitudinal module allows any data collection instrument(s) to be completed multiple times for each record. The module uses an event grid to define clear time points used for data collection. 

    Be aware that for longitudinal projects, your data will look different when exported. If you have multiple events in your project, REDCap will export multiple rows for each record depending on how many events you have defined.


    Identifiers

    Are you using identifiers (names, emails, etc.) in your project? Make sure you read this Using Identifiers Guide.

    Please note: Your study materials dictate what data can be collected and how that data will be stored – this includes the usage of REDCap. Please refer to your approved study plan to determine if and how your project can utilize REDCap and what data can be collected and stored – this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, etc. If your IRB-approved data collection and storage plan indicates that identifiers will be kept separate from the data collected (i.e. will not be stored with study data), then identifiers should not be collected/stored in the same project along with the study data. If the collection and storage of identifiers are necessary for your project, then make sure that it is part of your IRB-approved plan. It is the responsibility of the PI (as well as the study team) to ensure the collection and storage of identifiers, this includes signed consent documents, and is consistent with the confidentiality plans described to the IRB in the application, protocol, consent, etc. Changes to the data collected and how it is stored are to be approved by the IRB before implementation. If the IRB determined the research was Exempt, the PI should consult the IRB before making changes to ensure those changes do not invalidate the exemption.


    Modules & Customization


    Surveys, ASIs, and Alerts & Notifications

    Surveys are one of the main functions of REDCap and allow users to easily collect a variety of data from study participants. REDCap’s survey functionality also lets users send out surveys at particular times and/or to particular groups. Find out how to set these up and distribute today: Creating & Distributing Surveys and Survey Settings.

    For step-by-step guidance about setting up surveys, we highly recommend you use the Survey Wizard. This is an interactive online tool that addresses when to enable survey functionality, what to consider when choosing a survey model, and reviews survey setting options. Or watch this video on how to create and manage surveys. The Survey Wizard: Automated Survey Invitations (ASIs) addresses general ASI components and examples of different setups.

    For additional guidance, please check out: FAQs: Automated Survey Invitations and Survey Guide and ASI’s and Survey Queues.

    This flowchart describes the ways you can send out multiple surveys to participants at one time point or longitudinally, either using the Public Survey URL (anonymous) or using the Participant List (not anonymous).

    Collecting survey data in a repeating fashion can be done efficiently and with minimal setup by using a repeating survey, which is a survey that is enabled as a repeating instrument or (if a longitudinal project) a survey instrument utilized on a repeating event. For more information: Data Collection Strategies for Repeating Surveys.

     

    Survey Security and Integrity 

    Preventing fraudulent survey responses is critical to maintaining the credibility of your data. For tips, tricks, and recommendations, please see: Detecting and Preventing BOT and Fraudulent Survey Responses and Safeguarding REDCap Public Surveys: Tips to Prevent Fraud

    Adding CAPTCHA to your public surveys provides additional protection to prevent bots and safeguard your data. For more information: CAPTCHA.

     

    Notifications and Alerts

    If you wish to be notified via email every time a participant completes a survey, you can set up Survey Notifications. To set up Alerts & Notifications with greater complexity and more capabilities, check out: Alerts and Notifications

     

    REDCap Email Delivery

    When sending emails, ASIs, and alerts & notification, please see: Email Display Name and Address.


    Using Logic & Calculations

    Where in REDCap would you use logic? Logic can be used in branching, calculated fields, conditional logic for automated survey invitations, alerts, data quality rules, the survey queue, advanced filters for reports, and project dashboards. The format for the logic will depend on where you are using it in the project, the type of field, and how the project is set up (classic, longitudinal, repeating instruments). To learn more, check out:

    REDCap calculated fields allow for real-time calculations on data entry forms and surveys. REDCap supports the following mathematical operations within a calculated field: Addition Subtraction Multiplication Division. The DATEDIFF formula, which you may recognize from Excel, calculates the difference between two dates or date-times. For more information, check out this helpful guide: Calculated Fields.

    The Survey Guide for Simple and Complex Calculations in REDCap will walk you through various methods of using calculated fields in REDCap, ranging from very basic to extremely complex! The survey also does its best to provide the coded solutions to each example, if you’d like to recreate them in your own projects.

    The Build My Calculation Tool provides detailed explanations for common quantitative functions that can be created within REDCap and facilitates a custom-built calculation for your specific project. As you specify the different elements, you can see them being added to the calculation in real-time at the bottom of the survey page. Each element within the tool also contains information regarding what the function means, how it can be used, and step-by-step instructions for how to implement it in REDCap.

    *Original BuildMyCalc Tool created by Samantha Walkow at BC Children’s Hospital


    Action Tags

    Action Tags are an excellent way to customize the data entry experience for surveys and forms. They are special terms that begin with the ‘@’ sign that can be placed inside a field’s Field Annotation when adding or editing a field. Each action tag has a corresponding action that is performed for the field when displayed on data entry forms and survey pages.

    Check out our guide for a comprehensive list of currently available action tags, along with some dos and don’ts: Using Action Tags.


    eConsent & eHIPAA

    When utilizing REDCap for e-Consenting, the e-Consent Framework should be enabled. The e-Consent Framework allows for the digital capture and storage of participant consent, whether participants are consented in clinic or remotely. It provides standardized tools to obtain consent and store consent documentation with a certification screen and a storage function which automatically generates a “hard-copy” PDF of the signed form. The e-Consent Framework offers many options to allow customization to your specific needs and can be enabled for any survey in a project. You may optionally provide consent forms as either an inline PDF or rich text that will be displayed on the consent survey itself. The consent forms can be context-specific if you are using MLM languages and/or Data Access Groups so that it displays the correct consent form for a participant with a specific language set and/or assigned to a specific DAG.

     

    Please note: Your study materials dictate what data can be collected and how that data will be stored; this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, etc. Your REDCap eConsent should be a mirror copy of your IRB-approved consent. If your IRB-approved data collection and storage plan indicates that identifiers will be kept separate from the data collected (i.e. will not be stored with study data) to ensure that data cannot be linked, then identifiers should not be collected/stored in the same project along with the data. It is the responsibility of the PI (as well as the study team) to ensure the collection and storage of identifiers, this includes signed consent documents, is consistent with the confidentiality plans described to the IRB in the application, protocol, consent, etc. Changes to the data collected and how it is stored are to be approved by the IRB prior to implementation. If the IRB determined the research was Exempt, the PI should consult the IRB before making changes to ensure those changes do not invalidate the exemption.


    Multi-Language Management

    Do you have survey participants or even project staff who speak and read in languages other than English? Want to make it easy to switch back and forth between languages in your REDCap surveys and forms? If so, then the new Multi-Language Management (MLM) feature might work for you project. Check out our MLM Quick Guide. For a more detailed overview, please see the Multi-Language Management Guide.

    For additional information, view these Multi-Language Management Training Videos:


    Double Data Entry

    Double Data Entry (DDE) is a module for entering data twice for each subject as a means of ensuring quality data collection by later comparing the records. This is an advanced feature and requires the REDCap Admin to enable it.

    To learn more, please review this thorough Data Double Entry Guide.


    Project Users

    User Rights Defined provides an in-depth explanation of the various user rights or permissions that REDCap offers. These rights can be set for an individual user, or by creating or editing a user role. For more information, including how to add users to your project, please see User Rights Management. Project users should be limited to approved study team members only and users should be given the minimum privilege rights necessary.  Please see our Recommended User Roles.


    Data Access Groups

    Data Access Groups (DAGs) can be used for multi-site projects. The Data Access Groups feature assigns users to groups. Any user in a Data Access Group may only access their group’s records. Each group is blinded to all other data/records. Users not in a group can access all data across all groups. This feature is especially useful for multi-site projects because each data collection site must usually be restricted from viewing other sites’ records.

    Data Access Groups Guide

    Data Access Group Training Video


    Move to Production

    Have you finished developing your project in development? Have you tested it thoroughly? Do you have IRB approval? Are you ready for your project to be moved to production? If so, follow the steps outlined in our guide: Moving Project to Production

    Allow plenty of time for project development, testing, and deployment. The REDCap Administrator has many responsibilities supporting the 600+ UCH REDCap users so there may be limits to the immediacy and type of support that can be provided.  If your project has a deadline by when it needs to be launched (moved to production), be sure to give at least two weeks in advance. This will allow plenty of time should any problems arise.


    Production Changes

    The PI and/or their designated project team are responsible for managing production changes. You need to ensure that project changes are within the scope of the data collection plan described in the approved protocol, and/or consult with the IRB to determine if additional approval is needed before you implement any changes.

    There are three mechanisms for making production changes that impact data collection:

    1. Modifying existing data collection forms or surveys.
    2. Adding new data collection forms or surveys.
    3. Modifying how the project is set up for collecting data and/or sending out surveys and collecting responses.

    To understand how best to move forward with making your changes, please review our guides thoroughly:

    *IMPORTANT: When a new instrument/form is added to a project that is already in production, all users will automatically have ‘No Access’ rights to the new instrument(s) by default. Users with high-level access of ‘User Rights’ will need to update the access for all project users or user roles who should have view/and or export access to the instrument once the project changes have been committed. Users with ‘No Access’ Data Viewing Rights for a given instrument will not be able to view that instrument for any record, nor will they be able to view fields from that instrument on a report. 


    Managing Your Data

    Data Exports and Reports
    Do you need to generate a report? Need to do routine backups of your project? Has data collection ended and are you ready to export your data? Use these helpful resources to determine how to manage your data.

    It is recommended that you routinely export ALL project data – in CSV/Microsoft Excel (raw data) format. If you also need it in another format (SPSS, SAS, R, etc.) make sure you export that as well. Additionally, you should download the data dictionary, codebook, ALL logging activities, project XML file (containing metadata & data); and download a PDF of data collection instruments containing saved data (all records). It is important to verify that everything exported successfully and that you are not missing any data/files.

    Please make sure you save all of your files. Also, make sure you adhere to your institution’s data security policies and your IRB-approved data collection and storage plan. If you need to request a secure data storage solution or need assistance in securing your data properly, please contact your local IT support.

    As a reminder, REDCap CANNOT be used for project or data storage beyond the active life of the project. Once active data collection has ended, your project files/data need to be exported then the project needs to be removed from the system. Once the data and project files (as noted above) have been exported/downloaded, go to the ‘Other Functionality’ tab and select ‘Request Project Delete’. For more information: Project Statuses and Project Life Cycle. Once the project is deleted from REDCap, its data is permanently removed from the system.

     

    Data Imports
    Need to import existing data into REDCap:


    External Modules

    External modules extend REDCap’s current functionality. They are customizations or enhancements that change REDCap’s existing behavior and appearance OR which create entirely new behavior or appearance.

    External modules are not official parts of the REDCap software. They are individual ‘packages’ of software that work within REDCap but are not truly part of the official REDCap code. They are not something that the REDCap consortium’s software development team has created or controls. Modules are add-on packages that, in most cases, have been created by software developers at other REDCap consortium partner sites. They were developed to do something specific for someone else’s project. These add-ons may do things that could be useful to other people, and that is why they have been made available to you as external modules. 

    No guarantee is available that a given module will actually work for your particular project. Modules are built on other REDCap systems and versions. Because they are not part of the official REDCap code, they are NOT necessarily designed to always work on every version of REDCap or in every possible project design. They also usually lack as much detailed instructional text and built-in prompts as official REDCap features. So expect a lot of trial-and-error to learn how they work and to configure them. Modules are provided as-is by their respective authors, for you to use at your own discretion.


    Mobile Applications

    The REDCap Mobile App and MyCap are two mobile applications that help extend REDCap’s functionality.

    The REDCap Mobile App is a tool for data collectors needing to capture data offline. Data can be collected on the REDCap Mobile App on an iPhone, iPad, or Android phone or tablet. Please review the REDCap Mobile App Guide. More details and documents about the mobile app can be found here.

    MyCap makes it easy for researchers to capture participant-reported outcomes using mobile devices. For more information, please review the MyCap Guide or visit: https://projectmycap.org/

    Not sure which platform to use? Let our REDCap Platform-Decision-Tree help to you decide.

    Mobile App Training Videos

    Please note: Your study materials dictate how data can be collected; the use of Mobile Applications must be part of your approved plan – this information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, etc.


    Mosio

    UCH REDCap supports integration with Mosio, a third-party messaging platform for researchers. You can use Mosio’s REDCap Direct with a UCH REDCap project to send research participants survey questions, alerts, and notifications via SMS text. The use of Mosio must be part of your IRB-approved protocol and data security assessment/plan.

    To use this feature, you must have a funded Mosio REDCap Direct account through Mosio. (You cannot use a free trial account.) For pricing information, see Order Mosio’s REDCap Direct. These fees are paid to Mosio directly and are above and beyond the UCH REDCap usage fees. For more information: Mosio Use in REDCap.

    To request that Mosio be enabled for your UCH REDCap project, contact us at redcap@uchc.edu.

    **The UCH REDCap team is NOT responsible for managing Mosio accounts or the costs associated with them, nor does the UCH REDCap provide support for this feature.


    API

    The REDCap Application Programming Interface (API) allows external applications to connect to REDCap remotely and is used for programmatically retrieving or modifying data or settings within REDCap, such as performing automated data imports/exports from a specified REDCap project. The REDCap API implements the use of tokens as a means of authenticating and validating all API requests that are received. Typically, the user on a REDCap project who works with API is someone who can write computer programming language (PHP, Perl, Python, Ruby, Java, R, and cURL are the most commonly used). If you do not know those languages, you will need to find someone in your department to help you. The REDCap administrative team does not write API code for its users. 

    To get started, please review: API Best Practices and Managing Data in REDCap-Reports, Exports, Imports, & API

    For more information on APIs, please see the API Page in REDCap (UCH REDCap account required to access).

    For additional online training: Using the REDCap API (open-access, do not need UCH REDCap account to access).

    The use of API must be part of your IRB-approved protocol and data plan. To request an API token, you must first make sure you have enabled API rights via User Rights. If you do not see the API token option in your REDCap project, then you must first update your User Rights – see Step 1 & 2 in API Best Practices (page 2-3). The REDCap Admin is not authorized to update individual User Rights.


    Data Monitoring / Auditing
    The Data Resolution Workflow allows users to open a workflow for documenting the process of resolving issues with data in the project (i.e. opening, responding to, and closing data queries). This functionality is helpful for projects that are working with monitors.

    For more information: Data Resolution Workflow


    NIH Data Sharing

    Does the project you are working on have a data sharing and archiving requirement with the NIH Data Archive (NDA)? If so, make sure you check this out and learn the best practices for handling your human subject’s data in a REDCap project for the purpose of reporting research data to the NDA.

    Using REDCap for NIH Data Archive

    Guidance for Preparing REDCap Data for NIH Data Archive Submission

    Check out these Webinars and Tutorials. Or go their main page for everything you may need to know NIMH Data Archive – NDA Home Page (nih.gov)

    UCH Academic IT Services (AITS) is offering a virtual training session on the DMPTool, a free, open-source, online application that provides a click-through wizard for creating a DMSP that complies with funder requirements. The class will also introduce research associates to the AITS DMS Website and provide guidance for navigating the plethora of on-line resources associated with data management. Classes will be held monthly: Register for a future session. For more information, contact: Academic IT Services at aits@uchc.edu.


    Citing REDCap

    REDCap users are asked to cite the publication below in study manuscripts. We recommend the following boilerplate language:

    Study data were collected and managed using REDCap electronic data capture tools hosted at the University of Connecticut Health Center1,2. REDCap (Research Electronic Data Capture) is a secure, web-based application designed to support data capture for research studies, providing: 1) an intuitive interface for validated data entry; 2) audit trails for tracking data manipulation and export procedures; 3) automated export procedures for seamless data downloads to common statistical packages; and 4) procedures for importing data from external sources.

    1 PA Harris, R Taylor, R Thielke, J Payne, N Gonzalez, JG. Conde, Research electronic data capture (REDCap) – A metadata-driven methodology and workflow process for providing translational research informatics support, J Biomed Inform. 2009 Apr;42(2):377-81. Link to article.

    2 PA Harris, R Taylor, BL Minor, V Elliott, M Fernandez, L O’Neal, L McLeod, G Delacqua, F Delacqua, J Kirby, SN Duda, REDCap Consortium, The REDCap consortium: Building an international community of software partners, J Biomed Inform. 2019 May 9 [doi: 10.1016/j.jbi.2019.103208] Link to article.


    Compliance: HIPAA, IRB, Security & Data

    UCH REDCap is NOT a 21 CFR Part 11-compliant system and should NOT be used for studies reporting to the FDA (i.e., IND, IDE, abbreviated IDE, etc).

    HIPAA

    Complying with HIPAA’s requirements is a shared responsibility. As such, UCH REDCap is a HIPAA-capable web platform, wherein its compliance depends on users adhering to best practices, such as limiting access to high-risk data and restricting data export. It is ultimately the PI’s responsibility to ensure all data collection and storage is conducted in accordance with their IRB-approved protocol and adhere to all institutional and regulatory policies and requirements.

    All users must complete the necessary institutional and federal regulatory training requirements according to their IRB of record (e.g., CITI Courses, HIPAA training), whether they are affiliated with UConn, UCH, or an external equivalent. Users must also follow guidelines for protecting high-risk data, regardless of their project’s data classification.

    UConn Health investigators are responsible for complying with all HSPP Policies and Procedures and Institutional Policies Related to Human Subjects Protections.

    UConn Investigators are responsible for complying with the Responsibilities of Research Investigators and UConn-Storrs’ HRPP SOPs.


    IRB

    Your study materials dictate what data can be collected and how that data will be stored – including its usage of REDCap. This information can be found in the protocol, consent forms, IRB application, HIPAA authorization/waiver, etc.  If your IRB-approved data collection and storage plan indicates that identifiers will be kept separate from the data collected (i.e. will not be stored with study data) to ensure that data cannot be linked, then identifiers should not be collected/stored in the same project along with the data. It is the responsibility of the PI (as well as the study team) to ensure the collection and storage of identifiers, this includes signed consent documents, is consistent with the confidentiality plans described to the IRB in the application, protocol, consent, etc. Changes to the data collected and how it is stored are to be approved by the IRB prior to implementation. If the IRB determined the research was Exempt, the PI should consult the IRB before making changes to ensure those changes do not invalidate the exemption.


    Platform Management and Security

    The REDCap platform is hosted on-premises at UConn Health and managed by Academic IT Services and the Clinical Research Center. All REDCap data is stored on UConn Health servers and secured according to HIPAA-mandated technical controls, including:

    • Firewall Protection: Data is protected within the IT data center with controlled physical access.
    • Routine Maintenance: Servers are regularly updated with the latest operating system and application patches.
    • Role-Based Access: Access to projects is restricted based on user roles.
    • Encryption: Data is encrypted during transmission. Data is NOT encrypted at rest.
    • Data Backups and Audits: Daily and monthly backups are conducted, and system events and logs are regularly audited. Data backups are stored on UCH servers and monthly backups are retained for 1 year.
    • Secure Remote Access: Access from outside the UConn Health network is provided securely via encrypted web connections.

    UCH REDCap is NOT a 21 CFR Part 11-compliant system and should NOT be used for studies reporting to the FDA (i.e., IND, IDE, abbreviated IDE, etc).

    UCH REDCap is a HIPAA-capable web platform, with compliance relying on users following best practices, policies, and established requirements.


    Data Collection and Management Features

    REDCap provides an intuitive interface for data entry with real-time validation rules, including automated data type and range checks. The platform supports data manipulation with comprehensive audit trails and reporting, and it includes an automated export mechanism to common statistical packages such as SPSS, SAS, Stata, and R/S-Plus. The application also allows users to identify and protect fields containing Personally Identifiable Information (PII) and/or Protected Health Information (PHI) through fine-grained user rights set by the study administrator. These rights control who can view, modify, or add data and forms. For more information, refer REDCap User Rights and Privileges. All user activities are system-logged and are available via a full audit trail.


    Data Collection and Best Practices for Collecting PII/PHI

    Your study materials—including the protocol, consent forms, IRB application, and HIPAA authorization/waiver—outline what data can be collected. Please review your approved study plan to ensure your project’s use of REDCap aligns with these guidelines.

    If your IRB-approved data collection and storage plan requires identifiers to be kept separate from the study data, they should not be stored within the same REDCap project. If storing identifiers is necessary, this must be clearly stated in your IRB-approved plan.

    The Principal Investigator (PI) and the study team are responsible for ensuring that the collection and storage of identifiers, including signed consent forms, comply with the confidentiality provisions described in the IRB application, protocol, and consent documents. Any changes to data collection or storage plans must be approved by the IRB before implementation. If your research has been determined exempt by the IRB, the PI should consult the IRB before making changes to ensure the exemption remains valid.

    REDCap projects should only collect PII/PHI when absolutely necessary, and data collection should be limited to what is required for the study.

    Users collecting PHI/PII in REDCap are responsible for ensuring compliance with HIPAA safeguards, including:

    • Using and disclosing only the minimum necessary PHI for the intended purpose
    • Ensuring that PHI/PII is seen only by those who are authorized to see it
    • Obtaining all necessary authorizations, data-sharing agreements, and Business Associate Agreements for using and disclosing PHI
    • Following any additional steps required by your unit to comply with HIPAA, IRB, and Institutional Policies and Procedures

    Users must agree NOT to use or store any of the following sensitive data in the UCH REDCap system:

    • Account numbers
    • Social Security number
    • Medical Record number
    • Mother’s Maiden names
    • Health Plan number
    • Certificate/license numbers
    • IP address
    • Financial/PCI data
    • Vehicle identifiers
    • Biometric ID
    • Full face/identifying photo
    • Audio & Video Files
    • HIPAA data not approved by the IRB protocol.
    • Data related to International Traffic in Arms Regulations (ITAR). ITAR control the export and import of defense-related articles and services on the United States Munitions List (USML).
    • Any other sensitive data sanctioned by federal, state, regional, and university regulations

    General Security Overview