REDCap Policies

Owned by Christopher Sorensen
Last updated: Apr 08, 2024
10 min read

All information pertains to REDCap Version 14 (REDCap v14).  REDCap Version 7 was decommissioned on 12/31/2023. If you need information about REDCap Version 7, please Submit a Ticket to REDCap Support.

1 WUSTL REDCap Instance and Servers | 2 User Account Requirements | 3 User Account Access | 4 REDCap Password Reset | 5 REDCap Projects | 6 Project Status | 7 IRB Approval | 8 User Rights | 9 Research Data

If this page does not load correctly, Clear you web browser’s cache. For example, you should see a list of hyperlinks different sections above this text. If they do not appear, or appear as full web URLs, please try to clear your browser's cache.

If you have questions about the information on this page or any other REDCap questions, please Submit a Ticket to REDCap Support.

WUSTL REDCap Instance and Servers

Each REDCap consortium member institution hosts its own separate and independent REDCap server instance.  The Institute for Informatics, Data Science, and Biostatistics (I2DB) hosts the WUSTL REDCap instance and maintains servers where REDCap data and metadata are stored.  Data stored in the WUSTL REDCap instance in Production Status are protected by multiple layers of security, running on Linux platforms configured for strict user permission policies. Our REDCap database is hosted on scalable cloud based services hosted in the WUSM secure network. User access is provided via an external secure web server.  All web communication between the user web browser and the web server is SSL encrypted. Further protections are provided via strict Linux permission configurations on the servers themselves. All database transactions for projects in Productions Status are continually backed to facilitate PITR (point in time recovery) methods and are stored for approximately 30 days. Uploaded files are stored on secure cloud services and are only accessible via the WUSM secure network.  Please note, while data are backed up on the production server, if you or anyone added to your project purposely deletes data, for example by deleting records, fields, or instruments, or changing variable names or multiple choice codes, there will be a fee associated with recovering data.

Access to the data and various systems are protected by WUSTL Key and password authentication in accordance with our University’s HIPAA policy.  Information regarding account, project, and data policies are below.

User Account Requirements

All REDCap users must have and use their own log in credentials.  Log in credentials for the WUSTL REDCap instance are an active WUSTL Key and password.  Accounts are not to be shared.  That means that you should NOT allow anyone else to work in REDCap while you are logged in to your account.  That person should log into their account with their WUSTL key on a different device in order to work in REDCap.  This includes external collaborators as well, e.g. you cannot create a single "External University REDCap Account" when collaborating with a study team at a single university.  Users having their own accounts helps improve the security and quality of research participant data stored in the WUSTL instance of REDCap.  This is because REDCap stores user activity in the Logging tool in order to 1) resolve data entry and collection issues and 2) assist with study audits.  Individual accounts are also a regulatory requirement by the university and you will not be considered in compliance if the requirement is not followed.  Also, if multiple users log in from a single REDCap account, the person who's information is attached to that account assumes all risk for any action taken by any user logged in with the credentials for that account.  For example, if someone logs into an account, makes a change to the project that causes data loss (e.g. deletes a field containing data), the person who's name and contact information associated with the account is responsible as that is the information tracked in the REDCap log.  

User Account Access

Anyone with a WUSTL Key and password can log in to https://redcap.wustl.edu/.  Users from external sites must receive a Guest WUSTL Key and Password.  In order for an external collaborator to receive a guest WUSTL Key, a Wash U "Sponsor" will need to complete the WUSTL Key Guest Account Request Form.  This form needs to be completed for EVERY external collaborator, not one form per site.  The "Sponsor" can be the project Principal Investigator (PI) or Project Administrator (PA).  A PA is generally a Research Coordinator, Program Specialist, Nurse Coordinator or other study team member that has the highest level User Rights on a project such as Project Setup, User Rights, and Data Access Groups (DAGs).  PI and PA are sometimes listed together in REDCap as PI/PA. 

Accounts will remain active as long as the user is associated with the university or the guest WUSTL Key is active.  Accounts of users departing the university will be suspended when the WUSTSL Key and password becomes inactive.  Users who change departments within Washington University do not have their accounts suspended so do not need to create a new account when they begin in the new department.  Please note, a guest WUSTL Key is not tied to an external collaborators institutional account meaning if they leave their current position, the guest WUSTL Key may remain active unless the "Sponsor" of the guest WUSTL Key alerts Wash U IT to deactivate the account.  It is important that you monitor external accounts and remove the user from projects if they are no longer working on the project.

Recommended Practice: PI/PAs should review the list of users on all REDCap projects at routine intervals.  We recommend doing this at least annually in the spring.  Students and other trainees are often added to projects temporarily so the conclusion of the spring academic semester is an excellent time to review the user lists of REDCap Projects.

REDCap Password Reset

If you are having issues logging into REDCap, please visit the WUSTL Connect page to manage your WUSTL Key and Password or submit a ticket to WashU IT at the WUIT-ServiceNow portal or by contact the WU IT Help Desk:  ithelp@wustl.edu or 314-933-3333.

REDCap Projects

The WUSTL Instance of REDCap is considered self-service.  If you choose to use REDCap to collect and store research data, the Principal Investigator of the research study assumes responsibility for the proper building and maintenance of the project in order to keep data in compliance with all university, funder, and other governing body requirements. REDCap is a software platform built and maintained by Vanderbilt University.  REDCap is designed so users (e.g. PIs, PAs, study team members) are able to build and maintain their own databases.  REDCap is a tool that does not require database administration, web development, or computer programming skills, however, projects can become large and complex quickly.  I2DB and Becker Medical Library provide basic support and training to assist you with your project (WUSTL REDCap Resources) as well as some services for a fee (Intake Form).  Given the nature of REDCap as a self-service system, we cannot guarantee we will be able to resolve all issues or find solutions for all desired needs that arise throughout the duration of your project.  It is important that you or someone on your study team have commensurate REDCap training and/or experience to match the complexity level of the project being planned and are comfortable maintaining the database under these conditions.  Please reach out to the REDCap Helpdesk or schedule a REDCap consultation if you have questions about whether REDCap is right for your project and study team before beginning a project.   

If the PI leaves the university, research data in a REDCap Project can be transferred only with prior approval from a Dean, Department Chair, or Director (as specified in the PI Departure Process).  If any other study team member leaves the university (another faculty member, student or trainee, etc.) they must be treated as an external collaborator.  First, the any individual leaving the university must still be on the research team in the approved IRB protocol to be given access to the Project in REDCap after leaving the university.  Then, they must receive a guest WUSTL Key and be added to the project with the guest WUSTL Key by a PA.

Project metadata (instruments, events, etc.) that does not contain PHI or other research data can be shared amongst collaborators as desired similar to sharing code, protocols, or other non-sensitive study materials.  

Project Status

Once a user with a WUSTL Key and password logs in to REDCap, they can begin creating REDCap Projects on the WUSTL REDCap Instance.  Projects are in Development Status by default when a project is created.  Development Status allows for easy building, testing, and modifying in order to tailor the project for the specific needs of your study.  Data collected and stored in a project that is in Development Status is not considered HIPAA compliant.  Therefore, collection and/or storage of PHI or other sensitive data ("real data") are not permitted while the project is in Development Status. In addition, data are not backed-up when the project is in Development Status so you are at risk of permanent data loss.  Projects must be moved to Production Status before collecting after the project has been thoroughly tested AND the IRB has approved the protocol for the study(ies) which data will stored in REDCap.  An IRB Approval Letter will be requested and required in order for the project to be moved to the production server.  Multiple REDCap Projects can be created for a single study as long as each is moved to Production Status and the IRB Approval Letter is uploaded for each individual REDCap Project.

Development Status

Development status is the default status when a project is created.  It allows for easy building, testing, and modification of REDCap projects.  Data in projects with development status are not HIPAA compliant.  Projects in development status allow 1) any project modifications in real time, 2) adding and deleting test records, 3) enabling any features that users are allowed to enable.  These features allow for comprehensive testing of a project prior to moving to production status.  Once a project has been tested and you are prepared to begin collecting data from real study participants, you must request that your project be moved to production status.  To do this, go to project setup, scroll to the bottom of the page, and click Move to Production Status.  You will be required to submit your IRB approval letter before the project is moved to production.  If your project is for operational support, you will need to provide IRB waiver and justification for use.

Production Status

Production status is intended for IRB-approved projects or projects with IRB waivers.  Project in Production Status are considered HIPAA compliant and can contain PHI and other study data ("real data").   Once project are in Production Status, data are continually backed to facilitate PITR (point in time recovery) methods and are stored for approximately 30 days. Please note, while data are backed up on the production server, if you or anyone added to your project purposely deletes data, for example by deleting records, fields, or instruments, or changing variable names or multiple choice codes, there will be a fee associated with recovering data.

It is important to note that you can still make modifications to your project in production status.  Some modifications may require administrator review in order to prevent data loss or project corruption.

IRB Approval

I2DB is not responsible for granting, approving, or waiving IRB project approvals.  We also are not responsible for determining whether a project is in compliance with an IRB protocol.  Please contact the HRPO and or the IRB with questions regarding IRB compliance.  WashU HRPO and IRB offer HRPO Help Services to provide guidance on:

  1. SWAT On-Call Service: 314-747-6800

  2. Virtual Office Hours

  3. IRB Consultation Request Form

All research projects on the Production server must obtain an IRB approval or waiver before the project will be granted access.  The Project PIs are responsible for ensuring that their project protocols allow for data capture, storage and retrieval on our REDCap instance.  HRPO’s recommendation is for Quality Improvement project researchers to contact the Expedited Review Manager and request a determination on what approval is needed for their data collection. Determinations are made on a case by case basis.  

User Rights

Access to the secure REDCap servers is provided in compliance with WUSM’s HIPAA guideline.  Each user is responsible for the security of their WUSTL Key and password.  All user access and user rights to individual REDCap Projects are controlled by the study team themselves.  From a technical perspective, when a REDCap project is created, the person who creates project is responsible for adding other study team members.  Study team members can be added with the ability to control other people's User Rights.  Anyone given the ability to control user rights is able to add or remove people from the project as well as control what specific tasks they can complete in REDCap.  The person who creates the project plus anyone added with the ability to control User Rights are responsible for the people who are added to that individual project.  From a compliance perspective, the Principal Investigators (PI) of the study is responsible for ensuring only appropriate individuals have access to the project.  For a research study, the PI is the person defined in the approved IRB protocol as the PI or Co-PI and appropriate study team members are those listed on the Research Team in the approved IRB protocol with proper regulatory training (e.g. CITI).  The PI also is responsible for ensuring all study team members who are using REDCap are properly trained for the tasks they will complete.  It is the responsibility of the PI and PA to restrict all user privileges to a level that they do not gain access to sensitive data to which they do not have proper approvals or to data which they are supposed to be blinded to.  It is the responsibility of the PI and PA to remove any users that leave the university or no longer work on the project.  

Research Data

Research data stored in REDCap is subject to the Washington University Research Data and Materials Policy.  If the PI leaves the university, research data in REDCap can be transferred only with prior approval from a Dean, Department Chair, or Director (as specified in the PI Departure Process).  If any other study team member leaves the university (another faculty member, student or trainee, etc.) they must be treated as an external collaborator.  First, the any individual leaving the university must still be on the research team in the approved IRB protocol.  Then, they must receive a guest WUSTL Key and be added to the project with the guest WUSTL Key by a PA.