Is REDCap HIPAA-compliant?
Yes, http://redcap.med.usc.edu/ is HIPAA compliant. However, whether compliance is maintained depends entirely on how you manage your study. For DHS data transfers, the Principal Investigator should assume responsibility and NOT use Keck REDCap to register/transfer such DHS data.
How is REDCap HIPAA Compliant?
REDCap is server software. Be mindful that no software alone is truly compliant with any standard. It is the environment into which software is installed that can be called compliant. REDCap (http://redcap.med.usc.edu/) is physically housed and maintained within the Keck technical environment.
The ‘environment’ also includes the policies and procedures of the individual study team(s) and folks maintaining the physical hardware on which data is stored. So ‘compliance’ involves how the software is installed, maintained, and supported – such things as what server settings are used by Keck, how servers are tested and maintained, how often data is backed up, how passwords are controlled, etc.
For more information on the Keck servers and databases used to support REDCap, please refer to these two documents, or reach out to Keck IS directly regarding their technical landscape.
REDCap is accessible only by USC Net ID. USC Net ID accounts are only provided to USC or CHLA staff, faculty, and students. Research affiliates can obtain an IVIP for REDCap use if sponsored by one of the approved by the study P.I.
REDCap uses Shibboleth for Net ID authentication into the application. For more questions about Shibboleth, please contact Keck IT.
Maintaining Security Compliance
It is the responsibility of the study PI and study staff to ensure that all aspects of REDCap use (guest users, user rights, data access, and data management) comply with the study's approved IRB protocol.
Please refer to REDCap user rights, user roles, data access groups and how to mark a field as identifying information to understand how to control the data flow for your individual project.
Additionally, all REDCap projects are subject to the applicable USC Information Security Policies and Standards found here: https://infosec.usc.edu/information-security-policies/.
Please always refer directly to USC Information Security for the most current documentation.