Security & Compliance

REDCap@Yale is approved for collecting high risk data as set forth by the Yale Information Security Office.     

REDCap Tools & Best Practices

In addition to system-level security, REDCap makes it easy for you to be proactive in taking measures that will help protect participant data.

This includes:

  • User Rights - REDCap provides comprehensive settings that allow you to control who has access to your data.
  • Data Access Groups (DAGs) - REDCap allows you to restrict viewing of data within a database.
  • Date Shifting - REDCap allows you to systematically adjust dates (via algorithm) to mask actual dates.
  • Anonymous Surveys - REDCap has features to support anonymous data collection through public surveys.
  • Tagged Identifiers - REDCap allows you to tag data fields that contain identifiers and remove them during data export.
  • Audit Trails - REDCap has audit trails for tracking all data changes, form design changes, exports and other activities.

Boilerplate Language

The following language can be incorporated into your data storage and protection plan.

Note: This describes the data security for projects hosted on REDCap@Yale: REDCap I and II. This language may not accurately describe the technical specifications for projects hosted on the YNHH server. To identify the REDCap system you are using, see Contact Us: How do I tell where my project is?


Short Description: REDCap Security

Data for this study will be collected, recorded and stored using REDCap (Research Electronic Data Capture). REDCap is a secure, web application designed to support data capture for research studies. It includes features for HIPAA compliance including real-time data entry validation (e.g. for data types and range checks), a full audit trail, user-based privileges, de-identified data export mechanism to statistical packages (SPSS, SAS, Stata and R), and integration with the institutional Active Directory. Access to study data in REDCap will be restricted to the members of the study team with authentication through University NetID credentials.

The REDCap@Yale database and web server are housed on secure platforms that are backed up daily. REDCap@Yale meets the security standards for use with high risk data as set forth by the Yale Information Security Office.


Long Description: REDCap Security

REDCap (Research Electronic Data Capture) is a secure, HIPAA-compliant system originally developed at Vanderbilt ( with collaboration from a consortium of worldwide institutional partners including Yale University.

REDCap@Yale has the following data security and protection features:

  • Authentication uses the Yale Active Directory encrypted with Kerberos via SLDAP, such that user passwords are never stored locally, and password strength and expiry meet Yale University IT security policies.

  • Multi-factor Authentication (MFA) protection through DUO access security platform.

  • Role-based security with individualized access and permissions.

  • Enforced audit trail with verbose logging on all user activity.

  • Built-in data validation and data cleaning.

  • All web-based communications are protected by the Yale enterprise firewall and encrypted with TLS.

  • Both host-based firewalls and institutional network isolation policies safeguard the application server, the database server, and file system used to store data. Network proxy filtering and other institutional safeguards allow for only limited access directly to servers.

  • Daily back-ups and incremental snapshots ensure against the possibility of data loss or corruption.

  • Secure configuration, Ubuntu CIS (Center for Internet Security), that conforms to best practice and compliance standards

21 CFR Part 11 Compliance

REDCap is 21 CFR Part 11 ready. This means that REDCap meets the technical software specifications that are described in the regulations. However, in order to be fully compliant, the entire environment, i.e. the people, procedures, and documentation, must also follow the requirements found under Part 11 regulations. This includes validation procedures, documented standard operation procedures and processes from the REDCap team AND the study team.
REDCap@Yale does NOT enforce the additional measures that are necessary to oversee a system that is fully compliant with 21 Part 11.

However, the Yale Center for Clinical Investigation (YCCI) DOES provide researchers access to a 21 Part 11 REDCap service hosted at Yale New Haven Hospital.  To request an account, contact YCCI


GDPR Compliance

The General Data Protection Regulation (GDPR) is a European law that established protections for privacy and security of personal data .  REDCap@Yale, can be used to store and process data that is subject to GDPR.
Note: In order to be fully compliant, you (the Principal Investigator) and your institution (Yale University) must implement safeguards that comply with GDPR.  The University Privacy Office is available for assistance.

HIPAA Compliance

REDCap@Yale meets the requirements for storage of ePHI.  Contact the HIPAA Privacy Office for more information about the requirements for HIPAA compliance.  The HIPAA Security Rule establishes the standards to protect electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.