REDCap Security and Compliance
Initial Considerations
The concept of data security and compliance is a combination of hardware and software, as well as user processes and procedures. This article is meant to help University of Utah researchers understand how REDCap is configured to support their studies in a protected environment.
CTSI REDCap is operated in a HIPAA compliant environment.
The University of Utah REDCap instance is supported and maintained by the Clinical and Translational Science Institute (CTSI) in the Center for High Performance Computing Protected Environment. The system is HIPAA compliant and deployed in the University of Utah Downtown Data Center where physical and network access is tightly controlled 24/7/365. Data is backed up nightly. Additionally, user and role-based permissions provide granular management of access to data records and functions. Reporting and audit controls follow HIPAA standard best practices.
Background information regarding 21 CFR Part 11 controls
What is 21 CFR Part 11?
Title 21 of the Code of Federal Regulations governs Food and Drugs. Part 11 contains the Food and Drug Administration (FDA) guidelines that set forth the criteria under which the Agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. This regulation, which applies to all FDA program areas, was intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public's health.
Code of Federal Regulations Title 21
Guidance > Part 11, Electronic Records; Electronic Signatures — Scope and Application
Guidance > General Principles of Software Validation
Guidance > 2007 Guidance for Industry Computerized Systems Used in Clinical Investigations
Guidance > 2013 Guidance for Industry: Electronic Source Data in Clinical Investigations
Electronic Submissions Guidance > Sortable listing of Electronic Submissions Guidances
What does compliance validation mean?
Performing a software validation entails documenting that a system operates in an expected and predictable manner. This is done to document that the system meets compliance requirements. As PHI is collected and stored by systems like REDCap, it is important to document and test the system to demonstrate control over the data. Testing must include software, hardware, and user/study procedures.
Is the REDCap platform 21 CFR Part 11 capable?
REDCap has the features necessary to serve as the database component of a 21 CFR Part 11 compliant study. However, the software must be placed in an environment with servers, security, personnel, policies, procedures, training, validation and documentation meeting the requirements of Part 11 and the predicate rules for the underlying legislation. An FDA auditor will review all of this documentation to determine AT THE PROJECT LEVEL if a study is compliant.
When do I need to be 21 CFR Part 11 compliant?
According to FDA's 2007 Guidance for Industry Computerized Systems Used in Clinical Investigations:
If you are conducting a clinical trial and using computerized systems that contain any data that are relied on by an applicant in support of a marketing application, including computerized laboratory information management systems that capture analytical results of tests conducted during a clinical trial.
Applies to computerized systems that create source documents (electronic records) that satisfy the requirements in 21 CFR 312.62(b) and 812.140(b), such as case histories.
Applies to recorded source data transmitted from automated instruments directly to a computerized system (e.g., data from a chemistry autoanalyzer or a Holter monitor to a laboratory information system).
Applies to when source documentation is created in hardcopy and later entered into a computerized system, recorded by direct entry into a computerized system, or automatically recorded by a computerized system (e.g., an ECG reading).
Does not apply to paper records submitted electronically (scanned, faxed copies).
What data is submitted to the FDA?
Applicants typically submit study reports, which describe the study protocol, the data collected, the analyses performed, the results of those analyses, and the conclusions of the study. Also accompanying the study reports are the case report forms (CRFs), and the study data as case report tabulations (CRTs) and analysis datasets.
CRFs are the forms used by the clinical investigator to document the collected data. The CRTs are aggregate (i.e., data from multiple subjects grouped together) listings of all the data collected on the case report forms.
CRFs and CRTs allow the Agency to perform an independent analysis of the study data. FDA may perform its own independent analyses of study data to assess the effectiveness and safety of investigational products. Analysis datasets are a subset of all data collected in the study and are the critical dataset to support the primary study analyses contained in the study report.
FDA-regulated research. Use of electronic systems, archiving, and retention of consent materials must meet the FDA “Part 11” requirements. The Part 11 regulations are separate from the FDA’s human subject regulations and have nothing to do with IRB review and approval. Part 11 compliance is the responsibility of the researcher.
The Part 11 requirements are outlined in the FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and Application (September 2003).
When will REDCap be 21 CFR Part 11 compliant?
The FDA does not provide an overarching determination of compliance. Even after a successful audit of a study using REDCap, the result applies only to that specific study; it shows that a REDCap project could be used in compliance.
Sources:
REDCap Consortium Regulatory and Software Validation Committee (REDRSVC)
Food and Drug Administration (FDA)
Duke Translational Medicine Institute (DTMI) REDCap Validation Documentation
Cincinnati Children's Hospital Medical Center (CCHMC)