REDCap and Vanderbilts Human Research Protection Program VHRPP

REDCap and Vanderbilt’s Human Research Protection Program (VHRPP)

Overview of VHRPP uses for REDCap ■ What is important to the IRB in terms of data storage and security? ■ Committees’ Charge with regard to protection of data and how REDCap impacts that role. ■ Confidentiality issues surrounding data collection and the protection of that data. ■ Routine collaboration between VHRPP and Office of Research Informatics involving other projects such as Dynamic Data Pull (DDP), E-Consent, Research Derivative (RD).

Why does VHRPP care about data storage and security? ■ VHRPP supports the work of the IRB and provides HRPP Oversight. ■ VHRPP serves as the privacy board for research which means – All research data should be used, stored, and/or disclosed according to HIPAA regulations. – Adequate privacy measures to maintain confidentiality of research participants and their data.

How REDCap impacts the Committees’ reviews Vanderbilt IRB Considerations REDCap • Web application specifically designed to support data capture of research studies • Allows users to build and manage online surveys/databases securely • Compliance with HIPAA standards and 21 CFR Part 11 • Password protected • Secure Data storage

Unencrypted Laptops/Mobile Devices and potential consequences ■ Concentra Health Services – Theft of an unencrypted laptop from their facility – Encryption was in process but not complete. – Concentra agreed to pay HHS Office of Civil Rights (OCR) $1, 725, 000 to settle potential violations and a corrective action plan. ■ QCA Health Plan, Inc. – Theft of unencrypted laptop containing e. PHI of 148 individuals stolen from staff member’s car. – Lack of compliance with HIPAA privacy rule – QCA agreed to pay $250, 000 with ongoing compliance reporting and education for staff.

What could really happen to my research data? VHRPP has received reports over the years of lost/stolen mobile devices. • Flash drive dropped down an elevator shaft. • Flash drive lost on a beach while researcher was on vacation. • Stolen laptop that contained unencrypted data.

Ongoing collaboration for a number of other projects. • Committee Education when requested • E-consent model developed with RSS and managed through REDCap. • Dynamic Data Pull • Research Derivative • IRB Wizard Application

Sources ■ (News: Stolen laptops lead to important HIPAA settlements, 2016) ■ HRPP Policy X. A. and X. A. 1.

QUESTIONS? For more information, contact our office at 615 -322 -2918 or visit our website at https: //www 4. vanderbilt. edu/irb/