Requirements for PHI

Securing Protected Health Information (PHI) and Sensitive Data Collection


CB2 provides a secure installation of REDCap and has all the necessary physical and operational security controls in place to meet or exceed Federal and State security and privacy regulations for data transmission and storage. However, REDCap is a web-based application, and each project is managed by YOU, the project user. This means your project data can be accessed by the users to whom YOU grant access, and only restricted from those whose access YOU restrict. Your project is accessed via the internet, which means it can be reached from anywhere, including outside the UA network.

These steps will allow YOU to collect PHI and sensitive data securely:

1. NEVER share your REDCap Username and password.

REDCap users MUST NOT share or reveal their authentication methods to others. Sharing usernames and passwords means the authorized user assumes responsibility for actions that another party takes within REDCap. Providing IDs or passwords to unauthorized individuals is a BREACH OF CONFIDENTIALITY and is grounds for disciplinary action.

2. Access REDCap ONLY:

  • on a secure network (e.g. UA intranet, password-protected Wi-Fi)
  • from a UA workstation or an encrypted, UA-approved mobile device (laptop, iPad)

3. Grant access ONLY to staff, researchers, and external collaborators:

4. Flag PHI and Sensitive Data fields as "Identifiers = Yes"

Flag identifiers

Run the "Check for Identifiers" module to review all your project variables

Check for identifiers

5. Group all contact information required to engage the participant on a separate Data Collection Instrument

Restrict access to this instrument in the User Rights > Data Entry Rights

User rights menu

Grant "NONE" access to ALL users except those users who need this information to follow-up with the participant

Data entry rights

6. Grant "NONE" or "De-Identified" Export Access to project users.

De-identified export

Ensure that PHI and sensitive data DO NOT leave the secured REDCap database and are not "accidentally" downloaded to a non-secured device.
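The identifier flags from step 4 and the de-identified export from step 6 can also be audited outside the REDCap user interface against the project's exported data dictionary. The Python below is an added example, not REDCap's or CB2's code: the metadata rows and records are constructed, and the PHI_HINTS list and the de-identification rule (drop flagged fields only) are assumptions that approximate, rather than reproduce, the "Check for Identifiers" module and REDCap's de-identified export.

```python
"""Audit a REDCap data dictionary for identifier flags and strip flagged fields before export."""

# Field-name fragments that typically hold PHI (constructed heuristic, not REDCap's own list).
PHI_HINTS = ("name", "dob", "birth", "ssn", "mrn", "phone", "email", "address", "zip")

# Constructed sample of a REDCap metadata (data dictionary) export. Real exports carry
# many more columns; "field_name" and "identifier" are the only ones used here.
METADATA = [
    {"field_name": "record_id",   "field_type": "text", "identifier": ""},
    {"field_name": "first_name",  "field_type": "text", "identifier": "y"},
    {"field_name": "phone_home",  "field_type": "text", "identifier": ""},   # PHI left unflagged
    {"field_name": "dob",         "field_type": "text", "identifier": "y"},
    {"field_name": "systolic_bp", "field_type": "text", "identifier": ""},
]

# Constructed sample record as a REDCap records export would return it.
RECORDS = [
    {"record_id": "1", "first_name": "Ada", "phone_home": "555-0100",
     "dob": "1970-01-01", "systolic_bp": "120"},
]


def flagged_identifiers(metadata):
    """Fields the project marked 'Identifier = Yes' (exported as identifier == 'y')."""
    return {m["field_name"] for m in metadata if m.get("identifier", "").lower() == "y"}


def unflagged_candidates(metadata):
    """Fields whose names suggest PHI but carry no identifier flag: review these
    before granting anyone export rights (the same gap 'Check for Identifiers' surfaces)."""
    flagged = flagged_identifiers(metadata)
    return sorted(
        m["field_name"] for m in metadata
        if m["field_name"] not in flagged
        and any(hint in m["field_name"].lower() for hint in PHI_HINTS)
    )


def deidentify(records, metadata):
    """Drop every flagged identifier from each record (assumed approximation of the
    'De-Identified' export; an unflagged field such as phone_home still leaks)."""
    drop = flagged_identifiers(metadata)
    return [{k: v for k, v in rec.items() if k not in drop} for rec in records]


if __name__ == "__main__":
    print("flagged identifiers:", sorted(flagged_identifiers(METADATA)))
    print("unflagged PHI candidates:", unflagged_candidates(METADATA))
    print("de-identified records:", deidentify(RECORDS, METADATA))
```

The unflagged phone_home field survives the filter, which is exactly why step 4 must be completed before step 6's export rights are relied on.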