This page summarizes general guidance about applying regulatory requirements to using REDCap and using various features in REDCap. For regulatory guidance not covered on this page and/or specific to the requirements of your study, please contact your IRB analyst. If you would like to consult with an OCTRI regulatory specialist, please contact the OCTRI Navigator Team at octri@ohsu.edu.

All software and applications used at OHSU, including REDCap, are subject to compliance policies and procedures. REDCap use must conform to policies from a number of entities that govern the collection and hosting of data. These include:

• All federal policies, as OCTRI is funded by the NIH and those funds support the administration and hosting of REDC
• OHSU Information Privacy and Security Policies
• Policies and guidelines from OHSU groups that govern research, including Research Development and Administration (RDA) and the OHSU IRB
• OCTRI's contract with Vanderbilt University, where REDCap was founded and is maintained

Please contact OCTRI Navigator (octri@ohsu.edu or 503-418-9790) if you have questions as to what may be allowable. 

Topics Covered

Boilerplate Language for Including REDCap in Your Protocol

The protocol should describe how the study team will using the REDCap software.  Some examples of the ways you might use REDCap include: data storage, data entry by study staff, survey distribution via email or text messaging, direct collection from participants and/or eConsent.

The protocol should explicitly state that OHSU’s instance of REDCap will be used (rather than a REDCap version at another institution).  If the study is multi-site the data should be stored at the Central  or Data Coordinating Center.

Example Boilerplate & Technical Information

Below is some example boilerplate and technical information that may be useful in the data security portion of a protocol. Note this language is not required.

Data for this project will be stored in OCTRI's installation of REDCap, a highly secure and robust web-based research data collection and management system.

Features of REDCap that protect participants' privacy and data security include:

• Physical Security: OCTRI's REDCap software is housed on servers located in ITG's Advanced Computing Center providing locked physical security
• Electronic Security: The REDCap servers are housed behind both the OHSU firewall and a second ACC firewall.  All transmissions of data from the application are encrypted over HTTPS with the industry standard TLS 1.2/1.3 protocol (AES 256-bit encryption).
• Controlled User Access: REDCap employs a robust multi-level security system that enables researchers to easily implement "minimum necessary" data access for their research staff, including specification of data fields that are identifiers. This feature includes “single click” ability to provide completely deidentified (removing all identified data fields and shifting dates) for analysis or other purposes.  User activities are logged to enable auditing of all data access.   Access is integrated with OHSU's network such that users who are also OHSU employees are authenticated against their OHSU network credentials. 
• Data Integrity: REDCap is jointly managed in accordance with OHSU Information Security Directives by ACC staff and members of OCTRI's Biomedical Informatics Program, ensuring fidelity of database configuration and back-ups.  User activities are logged to enable auditing of all data changes.

International Data Collection

There are many international regulations, such as GDPR which applies to collaborations with sites in the European Union (EU), the European Economic Area (EEA), and the United Kingdom (UK), governing the protection of data originating within other countries. Depending on the data that's being collected and the country of origin, additional regulatory and/or legal approval will be required to use REDCap, or the use REDCap will be precluded because the software cannot be set up to meet all of the requirements set out in the regulations. If your project involves collecting data from international partners or participants outside the US, contact the REDCap Team.

E-Consent using REDCap

If the project is using REDCap for e-consent:

• The protocol should describe using REDCap for e-consent.
• Refer the wiki page: 1 - Regulatory Considerations for E-Consent.
• E-consent guidance also applies to setting up an Information Sheet in REDCap. 

Essentially, setting up e-consent involves transforming the study physical or paper document that has been submitted to IRB for approval to an electronic form.

Other Agreements Requiring Participant's Signature

Other than consent, REDCap is not approved for digitizing forms that require legal oversight from the institution, such as the OHSU's agreement to release personal health information. 

Repositories with More than One IRB

Repositories in REDCap that are associated with multiple IRB's will need to contact octri@ohsu.edu for a consultation. By default, REDCap is designed for capturing data for a single protocol. The purpose of the consultation is to discuss the projects needs and which features may be utilized to accommodate data associated with more than one protocol, as well as identify any challenges.

Transferring a REDCap Project between Protocols

Review the following information to re-purpose a project for a different protocol than the one it was requested and approved for.

REDCap Project in Production

To re-purpose a project that is in production (and collecting real data) for a different protocol than the one it was approved for:

• Make a copy of the project (without data).
• Complete OCTRI's Resource Request form to submit the additional documentation about the project request.
• To transfer data from the original project to the new project:
  • Export data from the original project.
  • Ensure the data you have exported and want to transfer to the new project are a part of your IRB approved protocol.
  • Once the new project is moved to production, import the data.

REDCap Project in Development

To re-purpose a project in development for a different protocol than the one it was requested for, please contact redcap@ohsu.edu. We will need to make a determination about which of the following options apply to moving forward:

• REDCap Project Only Needed for New Protocol and Not Needed for Original Protocol it was Requested for:
  • Make a copy of the project.
  • Complete OCTRI's Resource Request form to submit the additional documentation about the project request.
  • Mark the original project as complete.
  • The REDCap Team will withdraw REDCap services for the original project.

OR

• REDCap Project Needed for both the Protocol it was Requested for and a New Protocol
  • Make a copy of the project.
  • Complete OCTRI's Resource Request form to submit the additional documentation about the project request.

Completed Project

To re-purpose a project that has been marked as completed and taken offline for a new protocol, contact redcap@ohsu.edu. If there are plans for including this data in a repository or new REDCap project, or using this project as a template for a repository or other type of REDCap project, please let us know as soon as possible so we can coordinate with you on the next steps. 

Using Surveys in REDCap

Email Invitations

The protocol should describe using email to send survey invitations and reminders, including the following details:

• Specify the number of reminders that will be sent for each invitation
• Include the content of survey email invitation(s):
  • Subject line
  • Message
    • Describe plans to personalize the message by embedding any identifiable information.

Messaging to Participants

All participant facing messaging related to sending out surveys to participants and collecting their response should be submitted to IRB for approval. This includes:

• Survey title(s)
• Survey instructions
• Survey completion message(s)

Piping Identifiable Information into the Survey

Modifying a survey to pipe in participant identifiable information should be described in your protocol.

Save & Return on Surveys Collecting Identifiable Information

The protocol should describe the mechanism that's been enabled for Save & Return, and if Login has been enabled, how login has been configured, i.e. what information the participant would be required to enter to log in.

Using Twilio REDCap Integration to Text Survey Invitations

Participant Consent Language from IRB 

After you join the study, you can choose to receive all future survey links and reminders by text message. If you choose this option, you are giving us permission to share your phone number with our vendor Twilio Inc. to send you these text messages.

We will limit the content of the text messages to general information such as survey links and reminders to complete your survey. Even so, these messages may contain information that you wish to keep confidential. Text messaging is not encrypted, messages can be intercepted by others, viewed by people who see your phone or sent to the wrong person, and may not be confidential.

If, at any point, you no longer wish to receive text messages from the study team, tell us by sending an email to [studyemail@ohsu.edu] or calling this number [xxx-xxx-xxxx], and we will stop sending you text messages.

Opt-in Language for Texting

Must be delivered to the participant and received by the study team in writing such as in a REDCap survey, e-mail to study team, letter, etc.

For REDCap survey use a radio button with the following label and two options.

I wish to receive text messages related to this study and am aware that OHSU cannot guarantee they will be confidential

• Yes, I agree
• No, I decline