Security & Compliance
REDCap@Yale is approved for collecting high risk data as set forth by the Yale Information Security Office.
REDCap Tools & Best Practices
In addition to system-level security, REDCap makes it easy for you to be proactive in taking measures that will help protect participant data.
This includes:
- User Rights - REDCap provides comprehensive settings that allow you to control who has access to your data.
- Data Access Groups (DAGs) - REDCap allows you to restrict viewing of data within a database.
- Date Shifting - REDCap allows you to systematically adjust dates (via algorithm) to mask actual dates.
- Anonymous Surveys - REDCap has features to support anonymous data collection through public surveys.
- Tagged Identifiers - REDCap allows you to tag data fields that contain identifiers and remove them during data export.
- Audit Trails - REDCap has audit trails for tracking all data changes, form design changes, exports and other activities.
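To make the date-shifting and tagged-identifier mechanisms concrete, here is an added example (written for this page, not REDCap's own export code) of a de-identified export over a constructed set of records. Every date in a record is shifted by the same number of days, so intervals between events within a record are preserved while the real calendar dates are masked; fields tagged as identifiers are dropped entirely. The field names, the sample records, and the HMAC-based derivation of each record's offset are assumptions made for this example; REDCap's actual offset selection is not reproduced here.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample export (not real participant data).
SAMPLE_RECORDS = [
    {"record_id": "1", "first_name": "Ada", "last_name": "Lovelace", "mrn": "000123",
     "enroll_date": "2023-01-10", "visit_date": "2023-02-14", "age": "37"},
    {"record_id": "2", "first_name": "Alan", "last_name": "Turing", "mrn": "000456",
     "enroll_date": "2023-03-05", "visit_date": "", "age": "41"},
]

# Fields a study team would tag as identifiers (assumed names for this example).
IDENTIFIER_FIELDS = frozenset({"first_name", "last_name", "mrn"})
# Date fields to shift; values are ISO "YYYY-MM-DD" strings or empty.
DATE_FIELDS = frozenset({"enroll_date", "visit_date"})
# Shift backwards by 0..MAX_SHIFT_DAYS days (range chosen for this example).
MAX_SHIFT_DAYS = 364


def shift_offset_days(record_id, key, max_days=MAX_SHIFT_DAYS):
    """Per-record shift in days, derived from an HMAC over the record id.

    Using a keyed hash (an assumption of this example) gives a consistent
    offset for the same record across exports without storing a lookup table,
    and without the offset being guessable by anyone who lacks the key.
    """
    digest = hmac.new(key, record_id.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % (max_days + 1)


def shift_date(value, offset_days):
    """Shift one ISO date string into the past; empty values pass through.

    A malformed date raises ValueError rather than leaking the raw value.
    """
    if not value:
        return value
    return (date.fromisoformat(value) - timedelta(days=offset_days)).isoformat()


def deidentify_records(records, key, identifier_fields=IDENTIFIER_FIELDS,
                       date_fields=DATE_FIELDS):
    """Return a copy of the export with identifiers removed and dates shifted."""
    cleaned = []
    for rec in records:
        offset = shift_offset_days(rec["record_id"], key)
        out = {}
        for field, value in rec.items():
            if field in identifier_fields:
                continue  # tagged identifier: never leaves the system
            if field in date_fields:
                value = shift_date(value, offset)
            out[field] = value
        cleaned.append(out)
    return cleaned


def interval_days(rec, first_field, second_field):
    """Days between two date fields of one record (used to show intervals survive)."""
    return (date.fromisoformat(rec[second_field])
            - date.fromisoformat(rec[first_field])).days


if __name__ == "__main__":
    # The key would live in server-side configuration; this one is a placeholder.
    export = deidentify_records(SAMPLE_RECORDS, b"example-export-key")
    for row in export:
        print(row)
```

Run as a script it prints the de-identified rows; the identifier columns are gone, both dates in record 1 have moved by the same amount, and the empty visit date in record 2 stays empty.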
Boilerplate Language
The following language can be incorporated into your data storage and protection plan.
Note: This describes the data security for projects hosted on REDCap@Yale: REDCap I and II. This language may not accurately describe the technical specifications for projects hosted on the YNHH server. To identify the REDCap system you are using, see Contact Us: How do I tell where my project is?
Short Description: REDCap Security
Data for this study will be collected, recorded and stored using REDCap (Research Electronic Data Capture). REDCap is a secure web application designed to support data capture for research studies. It includes features for HIPAA compliance including real-time data entry validation (e.g. for data types and range checks), a full audit trail, user-based privileges, a de-identified data export mechanism to statistical packages (SPSS, SAS, Stata and R), and integration with the institutional Active Directory. Access to study data in REDCap will be restricted to the members of the study team, with authentication through University NetID credentials.
The REDCap@Yale database and web server are housed on secure platforms that are backed up daily. REDCap@Yale meets the security standards for use with high risk data as set forth by the Yale Information Security Office.
Long Description: REDCap Security
REDCap (Research Electronic Data Capture) is a secure, HIPAA-compliant system originally developed at Vanderbilt (www.project-redcap.org) with collaboration from a consortium of worldwide institutional partners including Yale University.
REDCap@Yale has the following data security and protection features:
- Authentication uses the Yale Active Directory encrypted with Kerberos via SLDAP, such that user passwords are never stored locally, and password strength and expiry meet Yale University IT security policies.
- Multi-factor Authentication (MFA) protection through the DUO access security platform.
- Role-based security with individualized access and permissions.
- Enforced audit trail with verbose logging of all user activity.
- Built-in data validation and data cleaning.
- All web-based communications are protected by the Yale enterprise firewall and encrypted with TLS.
- Both host-based firewalls and institutional network isolation policies safeguard the application server, the database server, and the file system used to store data. Network proxy filtering and other institutional safeguards allow only limited direct access to servers.
- Daily back-ups and incremental snapshots ensure against the possibility of data loss or corruption.
- Red Hat Enterprise Linux (RHEL), with a managed server configuration that conforms to best practice and compliance standards.
21 CFR Part 11 Compliance
GDPR Compliance
HIPAA Compliance