Initial Considerations

The concept of data security and compliance is a combination of hardware and software, as well as user processes and procedures. The FDA has issued guidelines to provide recommendations to clinical investigators and others involved in the capture, review, and retention of electronic source data in FDA-regulated clinical investigations. The guidelines are intended to assist in ensuring the reliability, quality, integrity, and traceability of data from electronic source to electronic regulatory submission. This article is meant to help University of Utah researchers understand how REDCap is configured to support their studies in a protected and environment.

CTSI REDCap is operated in a HIPAA compliant environment.

The University of Utah REDCap instance is supported and maintained by the Center for Clinical and Translational Science Institute (CTSI) in the Center for High Performance Computing Protected Environment. The system is HIPAA compliant and deployed in the University of Utah Downtown Data Center where physical and network access is tightly controlled 24/7/365. Data is backed up nightly. Additionally, user and role-based permissions provide granular management of access to data records and functions. Reporting and audit controls follow HIPAA standard best practices.

CCTS REDCap is operated in a HIPAA compliant environment; however, the controls have NOT been certified by a third party as 21 CFR Part 11 compliant.

...


Background information regarding 21 CFR Part 11 controls

...

According to FDA's 2007 Guidance for Industry Computerized Systems Used in Clinical Investigations:
If you are conducting a clinical trial and using computerized systems that contain any data that are relied on by an applicant in support of a marketing application, including computerized laboratory information management systems that capture analytical results of tests conducted during a clinical trial.

  • Applies to computerized systems that create source documents (electronic records) that satisfy the requirements in 21 CFR 312.62(b) and 812.140(b), such as case histories.

  • Applies to recorded source data transmitted from automated instruments directly to a computerized system (e.g., data from a chemistry autoanalyzer or a Holter monitor to a laboratory information system).

  • Applies to when source documentation is created in hardcopy and later entered into a computerized system, recorded by direct entry into a computerized system, or automatically recorded by a computerized system (e.g., an ECG reading).
    - Does not apply to paper records submitted electronically (scanned, faxed copies).

What data is submitted to the FDA?

...

FDA-regulated research. Use of electronic systems, archiving, and retention of consent materials must meet the FDA “Part 11” requirements. The Part 11 regulations are separate from the FDA’s human subject regulations and have nothing to do with IRB review and approval. Part 11 compliance is the responsibility of the researcher.

When will REDCap be 21 CFR Part 11 compliant?

...