Kornhauser Health Sciences Library

REDCap: FAQ

FAQs

Is REDCap free to use?

Yes. UofL has a license agreement with REDCap and is able to give accounts to UofL researchers.

Is REDCap HIPAA-compliant?

REDCap is definitely capable of compliance with just about any standard – for example, HIPAA, Part-11, and FISMA standards (low, moderate, or high). Each of those standards has been used across various consortium sites, as well as other standards (including similar international regulations, like GDPR).

REDCap is server software. Be mindful that no software alone is truly compliant with any standard. It is the environment into which software is installed that can be called compliant.

Can anyone at UofL get a REDCap account?

No. REDCap accounts can be issued to faculty and long-term staff. Residents, fellows, graduate students, and other "non-permanent" positions are not eligible for their own accounts. However, they are able to get an account through sponsorship by a faculty member or long-term staffer.

How do I get started?

If you want to learn more about getting a REDCap account or see a demonstration, please contact the Kornhauser Library REDCap Support Team (redcap@cardmail.louisville.edu).

 

21 CFR Part 11 Compliance

Is REDCap 21 CFR Part 11 Compliant?

REDCap is 21 CFR Part 11 ready, but must be implemented in conjunction with appropriate procedures, documentation, and qualifications. Compliance depends on the setting, which includes the technical aspects of installation and maintenance, the quality requirements [Implementation Quality (IQ) – Operational Quality (OQ) – Production Quality (PQ)], and the essential processes put in place by users.

[Image: REDCap CFR 21 Part 11 Compliance]

To be clear, 21 CFR Part 11 compliance requires compliance on two fronts: (i) the UofL side, which includes REDCap as managed by the Kornhauser Health Sciences Library (KHSL) in cooperation with UofL ITS, and (ii) the user side, which includes all REDCap users.

Operationally, UofL has provided a secure environment for the operation of REDCap instances by installing REDCap on UofL ITS certified equipment and by providing the following services to maintain REDCap:

  1. All REDCap instances are backed up daily by standard ITS processes.
  2. All REDCap instances are secured by Secure Sockets Layer (SSL) certificates managed by UofL ITS.
  3. UofL ITS performs scheduled weekly server operating system (OS) updates with vendor security patches and upgrades.
  4. The KHSL REDCap Administration team performs scheduled REDCap software upgrades via the UofL IT Change Management process.
  5. All new (and returning) REDCap users are required to complete an offline asynchronous onboarding process where they learn about REDCap and sign a computer usage agreement before gaining access to REDCap.
  6. All REDCap users must have an active (i.e., active employee or enrolled student) UofL computer account, or have a sponsored computer account that was requested by a UofL department.
  7. All REDCap users are authenticated via UofL's Central Authentication System (CAS); REDCap does not store passwords.
  8. All REDCap user accounts are automatically disabled if the user has not logged in to the system for 180 days or more, and those users must request to have their accounts reactivated via the KHSL REDCap website.
  9. The REDCap system meticulously logs all changes, modifications, deletions, and additions to projects (and their corresponding instruments). Such logging details can be found in the REDCap Technical Overview document below.

Details about the general REDCap security features that may support 21 CFR Part 11 compliance can be found in the “REDCap Security Overview” document (listed below) as released by Vanderbilt University. 

On the user side, the individual user or study team is also responsible for ensuring compliance and for establishing and documenting appropriate standard operating procedures for both technical and procedural compliance. Many of the activities encouraged by 21 CFR Part 11 are good practice in general, including explicit definition of study team roles and responsibilities, database change control and documentation, and record retention. Personnel training commensurate with responsibilities is also required.

FDA guidance on 21 CFR Part 11 compliance in the context of clinical studies is available on the FDA website here. Guidance documents are searchable, and the following are suggested:

(1) Part 11, Electronic Records; Electronic Signatures – Scope and Application, published 8/2003

(2) Computerized Systems Used in Clinical Trials, published 5/2007

Vanderbilt University, the authors of the REDCap software, had a committee evaluate the Part 11 compliance status of REDCap. A PDF (created 19-Sept-2013) of their findings published on the Vanderbilt wiki page is available below.