Security & Compliance

Security-centric features

In addition to system-level security, REDCap makes it easy for you to be proactive and take measures to protect your data.

This includes:

  • User Rights - comprehensive, per-user settings that control who can view, enter, export and delete data in a project
  • Data Access Groups (DAGs) - restrict users to the records belonging to their own group within a project (for example, one site in a multi-site study cannot see another site's records)
  • Date Shifting - shifts all dates in an exported record back by the same random number of days (0 to 364), so intervals between dates are preserved while the actual calendar dates are masked
  • Anonymous Surveys - supports anonymous data collection through public survey links
  • Tagged Identifiers - lets you tag the fields that contain identifiers so they can be removed from data exports
  • Audit Trails - tracks all data changes, exports and other user activity
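To make the two export-time protections above concrete, here is an added example (written for this page, not REDCap's own implementation) of a de-identified export: tagged identifier fields are dropped, and every date in a record is shifted back by one per-record offset in the 0 to 364 day range so that intervals between a record's dates survive while the calendar dates do not. The field names, the sample records and the project secret are constructed for the example; the offset is derived with a keyed hash of the record ID rather than drawn at random, which is an assumption made here so the result is reproducible.

```python
"""Added example, not REDCap code: drop tagged identifiers and date-shift an export."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample project metadata: which fields are tagged as identifiers,
# and which fields hold dates (ISO format, YYYY-MM-DD).
IDENTIFIER_FIELDS = {"first_name", "last_name", "mrn", "dob"}
DATE_FIELDS = {"dob", "enroll_date", "visit_1", "visit_2"}

# Constructed sample records; no real people.
RECORDS = [
    {"record_id": "1", "first_name": "Ann", "last_name": "Lee", "mrn": "00012345",
     "dob": "1970-03-02", "enroll_date": "2023-01-10", "visit_1": "2023-02-14",
     "visit_2": "2023-05-01", "age": "53"},
    {"record_id": "2", "first_name": "Bo", "last_name": "Kim", "mrn": "00067890",
     "dob": "1985-11-30", "enroll_date": "2023-03-05", "visit_1": "2023-03-19",
     "visit_2": "", "age": "37"},
]


def shift_days(record_id: str, secret: bytes) -> int:
    """Per-record shift in [0, 364].

    Assumption: a keyed hash (HMAC-SHA256) of the record ID stands in for the
    random draw, so the same record always gets the same shift. The secret
    stays with the study team and is never written to the export.
    """
    digest = hmac.new(secret, record_id.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 365


def shift_date(value: str, days: int) -> str:
    """Shift one ISO date back by `days`; blank values stay blank."""
    if not value:
        return value
    return (date.fromisoformat(value) - timedelta(days=days)).isoformat()


def days_between(later: str, earlier: str) -> int:
    """Number of days from `earlier` to `later` (both ISO dates)."""
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def deidentify(record: dict, secret: bytes) -> dict:
    """Return a copy of `record` with identifiers removed and dates shifted."""
    days = shift_days(record["record_id"], secret)
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue  # tagged identifiers never reach the export
        if field in DATE_FIELDS:
            value = shift_date(value, days)
        out[field] = value
    return out


def export(records: list, secret: bytes) -> list:
    """De-identify every record in the export set."""
    return [deidentify(r, secret) for r in records]


if __name__ == "__main__":
    for row in export(RECORDS, b"constructed-project-secret"):
        print(row)
```

Note that `dob` is both a date field and a tagged identifier; the identifier check runs first, so it is removed outright rather than shifted. The `record_id` is kept here so rows can be linked back by the study team, which is a choice the study's de-identification plan should make explicitly.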

Boilerplate Language

The following Security Description can be incorporated into your data storage and protection plan.

Data for this study will be collected, recorded and stored using REDCap (Research Electronic Data Capture). REDCap is a secure web application designed to support data capture for research studies. It includes features that support HIPAA compliance, including real-time data entry validation (e.g. for data types and range checks), a full audit trail, user-based privileges, a de-identified data export mechanism to statistical packages (SPSS, SAS, Stata and R), and encryption. Access to study data in REDCap will be restricted to the members of the study team with password-protected authentication.

The REDCap database and web server are housed on secure platforms behind the institutional firewall. REDCap meets the security standards for use with high risk data as set forth by the Yale Information Security Office.

REDCap (Research Electronic Data Capture) is a secure, HIPAA-compliant system originally developed at Vanderbilt (www.project-redcap.org) with collaboration from a consortium of worldwide institutional partners including Yale University and Yale New Haven Health (YNHH).

It has the following data security and protection features:

  • Role-based security with individualized access and permissions.
  • Enforced audit trail with verbose logging on all user activity.
  • Built-in data validation and data cleaning. 
  • Host-based firewalls, network proxy filtering, encryption, and institutional network isolation practices safeguard the application server, the database server, file systems, and web-based communications. 
  • Servers run Red Hat Enterprise Linux (RHEL) and are managed in line with IT security and compliance standards.
  • Databases are hosted on MySQL Enterprise Edition, configured with high-availability replication to ensure data redundancy and automatic failover.
  • Robust backup schedule protects against the possibility of data loss or corruption.
    • Yale servers: Full backups occur hourly, around the clock.
    • YNHH servers: Full database backups occur once daily, and incremental backups occur three times daily.
  • Authentication and Authorization safeguards
    • Yale servers: Authentication uses encryption and integration with the Yale Active Directory, such that user passwords are never stored locally, and password strength and expiry meet University IT security policies. Multi-factor authentication (MFA) is enforced through the Duo access security platform.
    • YNHH servers: Authentication is table-based, with monthly audit verification that each account holds an active, valid Yale NetID. Password strength meets YNHH security standards: a minimum length of 9 characters, with uppercase and lowercase letters, numbers, and a special character required. Passwords must be reset every 90 days.

Regulatory Compliance

All Yale/YNHH servers meet the requirements for storage of ePHI.

The HIPAA Security Rule establishes the standards to protect electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. Contact the HIPAA Privacy Office for more information about the requirements for HIPAA compliance.

The 21 CFR Part 11 Validated REDCap server at Yale New Haven Health can be used to store and process data that is subject to FDA regulations.  

To obtain access, submit a request through Data System Triage.  

REDCap is 21 CFR Part 11 ready. This means that REDCap meets the technical software specifications described in the regulations. However, in order to be fully compliant, the entire environment, i.e. the people, procedures, and documentation, must also follow the requirements found under Part 11. This includes validation procedures and documented standard operating procedures and processes from both the REDCap support team and the study team.

The University Servers (REDCap I and REDCap II) can be used to store and process data that is subject to GDPR.  To obtain access, submit a request through Data System Triage.  

The General Data Protection Regulation (GDPR) is a European law that establishes protections for the privacy and security of personal data.

Note: In order to be fully compliant, you (the Principal Investigator) and your institution (Yale University) must implement safeguards that comply with GDPR.  The University Privacy Office is available for assistance.

Secured for High Risk Data

REDCap systems are managed to meet the security requirements for collecting high risk data as set forth by the Yale Information Security Office.     
