REDCap Policies

All information pertains to REDCap Version 14 (REDCap v14).  REDCap Version 7 was decommissioned on 12/31/2023. If you need information about REDCap Version 7, please submit a ticket.

If this page does not load correctly, Clear you web browser’s cache. For example, you should see a list of hyperlinks different sections above this text. If they do not appear, or appear as full web URLs, please try to clear your browser's cache.

If you have questions about the information on this page or any other REDCap questions, please submit a ticket.

WUSTL REDCap Instance and Servers

Each REDCap consortium member institution hosts its own separate and independent REDCap server instance.  The Institute for Informatics, Data Science, and Biostatistics (I2DB) hosts the WUSTL REDCap instance and maintains servers where REDCap data and metadata are stored.  Data stored in the WUSTL REDCap instance in Production Status are protected by multiple layers of security, running on Linux platforms configured for strict user permission policies. Our REDCap database is hosted on scalable cloud based services hosted in the WUSM secure network. User access is provided via an external secure web server.  All web communication between the user web browser and the web server is SSL encrypted. Further protections are provided via strict Linux permission configurations on the servers themselves. Uploaded files are stored on secure cloud services and are only accessible via the WUSM secure network. 

Access to REDCap, projects, data, metadata, etc., are protected by WUSTL Key and password authentication in accordance with Washington University policy.  Information regarding account, project, and data policies are below.

REDCap Back-ups and Copies

A REDCap project must be in production mode for any of the subsequent information about back-ups and copies to be relevant. There are no back-ups or copies of projects in development status. Maintaining projects and collecting real patient data in development status is not recommended. If you choose to do this, you are risking data loss and may be non-compliant with the Washington University Research Data and Materials Policy.

Continuous Back-ups: WashU REDCap back-ups are maintained to restore the entire REDCap database (all projects' data and metadata) following a major data loss event. Back-ups are not used to recover individual projects or data from an individual project. REDCap database transactions for projects in Productions Status (for example, data entry, project modifications, survey invitation logs, etc.) are continually backed-up to facilitate point in time recovery (PITR). The continuous back-ups are stored on a rolling 30-day basis. This means that 30 days of back-ups exist from a specific point in time at all times.

Nightly Copies: WashU REDCap projects in production mode are copied nightly with copies stored on a 30-day rolling basis. This means that 30 days of copies exist from a specific day at all times. These copies allow for recovery of data deleted in error, data that had the meaning changed due to project modifications, and other issues that may arise based on user activity. While we can recover data for these reasons, recovery could take several days and will require a $150 per hour fee for the time spent to recover. Depending on the amount data or other information you need to recover, you may choose to try to recover this information from the 1) Logging or 2) Project Revision History features in order to save time and money.

 

image-20240916-212910.png

 

 

User Account Requirements

All REDCap users must have and use their own log in credentials.  Log in credentials for the WUSTL REDCap instance are an active WUSTL Key and password.  All user authentications occur in a centralized identification and authorization managed environment.  Centralized accounts have aged complex passwords and multi-factor authentication enabled.  Accounts are not to be shared in accordance with Washington University policy.  That means that you should NOT allow anyone else to work in REDCap while logged in to your account.  That person should log into their own account with their WUSTL key on a separate device in order to work in REDCap.* This includes external collaborators as well, e.g. you cannot create a single "External University REDCap Account" when collaborating with a study team at a single university.  Users having their own accounts helps improve the security and quality of research participant data stored in the WUSTL instance of REDCap.  This is because REDCap stores user activity in the Logging tool in order to 1) resolve data entry and collection issues and 2) assist with study audits.  Individual accounts are also a regulatory requirement by the university and you will not be considered in compliance if the requirement is not followed.  Also, if multiple users log in from a single REDCap account, the person who's information is attached to that account assumes all risk for any action taken by any user logged in with the credentials for that account.  For example, if someone logs into an account, makes a change to the project that causes data loss (e.g. deletes a field containing data), the person who's name and contact information associated with the account is responsible as that is the information tracked in the REDCap log.

*Please note, multiple users can work on the same project at the same time if they are logged in with their own WUSTL key and password on separate devices.  

User Account Access

Anyone with a WUSTL Key and password can log in to https://redcap.wustl.edu/.  When logging in for the first time, you will be prompted to enter a primary email. For Washington University faculty and staff, please enter your @wustl.edu email. For users with a guest WUSTL key, please enter your email from you other institution or organization. Ideally, this is a .edu or .org email. A confirmation email will be sent to the primary email you entered. Once you have confirmed your email address, you can create projects and be added to projects.

Guest WashU REDCap Accounts

Users from external sites must receive a Guest WUSTL Key and Password.  In order for an external collaborator to receive a guest WUSTL Key, a WashU sponsor will need to complete the WUSTL Key Guest Account Request Form.  This form needs to be completed for EVERY external collaborator, not one form per site.  The sponsor must be the project Principal Investigator (PI).  Once the user has obtained their guest WUSTL Key, they can log in as described in the “User Account Access” section above. See the links below full description of obtaining a Guest WUSTL Key:

Manage and Renew Guest WUSTL Keys

Guest WUSTL Keys are temporary with duration of 1-12 months. To manage or renew, the WashU sponsor of the guest key(s) will need to navigate to the WUSTL Connect page and select Manage Guests. You will be required to log in with your WUSTL Key and Password.

Account De-activation

Accounts will remain active as long as the user is associated with the university or the guest WUSTL Key is active.  Accounts of users departing the university will be suspended when the WUSTL Key and password becomes inactive.  Users who change departments within Washington University do not have their accounts suspended so do not need to create a new account when they begin in the new department.  Please note, a guest WUSTL Key is not tied to an external collaborators institutional account meaning if they leave their current position, the guest WUSTL Key may remain active unless the "Sponsor" of the guest WUSTL Key alerts Wash U IT to deactivate the account.  It is important that you monitor external accounts and remove the user from projects if they are no longer working on the project.

Recommended Practice: PIs and/or other project administrators should review the list of users on all REDCap projects at routine intervals.  We recommend doing this at least annually in the spring.  Students and other trainees are often added to projects temporarily, so the conclusion of the spring academic semester is an excellent time to review the user lists of REDCap Projects.

WUSTL Key - REDCap Password Reset

If you are having issues logging into REDCap, please visit the WUSTL Connect page to manage your WUSTL Key and Password or submit a General Access and Security Ticket to WashU IT at the WUIT-ServiceNow portal or by contact the WU IT Help Desk:  ithelp@wustl.edu or 314-933-3333. Log in credentials for the WUSTL REDCap instance are an active WUSTL Key and password.  All user authentications occur in a centralized identification and authorization managed environment.  Centralized accounts have aged complex passwords and multi-factor authentication enabled.  Accounts are not to be shared in accordance with Washington University policy.

REDCap Projects

The WUSTL Instance of REDCap is considered self-service.  Once a user with a WUSTL Key and password logs in to REDCap, they can begin creating REDCap Projects on the WUSTL REDCap Instance.  If you choose to use REDCap to collect and store research data, the Principal Investigator of the research study assumes responsibility for the proper building and maintenance of the project in order to keep data in compliance with all university, funder, and other governing body requirements. REDCap is a software platform built and maintained by Vanderbilt University.  REDCap is designed so users are able to build and maintain their own databases.  REDCap is a tool that does not require database administration, web development, or computer programming skills, however, projects can become large and complex quickly.  I2DB provide basic support and training to assist you with your project (WashU REDCap Support) as well as some services for a fee (Intake Form).  Given the nature of REDCap as a self-service system, we cannot guarantee we will be able to resolve all issues or find solutions for all desired needs that arise throughout the duration of your project.  It is important that you or someone on your study team have commensurate REDCap training and/or experience to match the complexity level of the project being planned and are comfortable maintaining the database under these conditions.  Please submit a ticket if you have questions about whether REDCap is right for your project and study team before beginning a project.   

If the PI leaves the university, research data in a REDCap Project can be transferred only with prior approval from a Dean, Department Chair, or Director (as specified in the PI Departure Process).  If any other study team member leaves the university (another faculty member, student or trainee, etc.) they must be treated as an external collaborator.  First, the any individual leaving the university must still be on the research team in the approved IRB protocol to be given access to the Project in REDCap after leaving the university.  Then, they must receive a guest WUSTL Key and be added to the project with the guest WUSTL Key by a PA.

Project metadata (instruments, events, etc.) that does not contain PHI or other research data can be shared amongst collaborators as desired similar to sharing code, protocols, or other non-sensitive study materials.  

Project Status

Projects are in Development Status by default when a project is created.  Development Status allows for easy building, testing, and modifying in order to tailor the project for the specific needs of your study.  Data collected and stored in a project that is in Development Status is not considered HIPAA compliant.  Therefore, collection and/or storage of PHI or other sensitive data ("real data") are not permitted while the project is in Development Status. In addition, data are not backed-up when the project is in Development Status so you are at risk of permanent data loss.  Projects must be moved to Production Status before collecting after the project has been thoroughly tested AND the IRB has approved the protocol for the study(ies) which data will stored in REDCap.  An IRB number and PI need to be entered for a project to be moved to the production server.  Multiple REDCap Projects can be created for a single study as long as each is moved to Production Status and the IRB number must be entered for each individual REDCap Project.

Development Status

Development status is the default status when a project is created.  It allows for easy building, testing, and modification of REDCap projects.  Data in projects with development status are not HIPAA compliant.  Projects in development status allow 1) any project modifications in real time, 2) adding and deleting test records, 3) enabling any features that users are allowed to enable.  These features allow for comprehensive testing of a project prior to moving to production status.  Once a project has been tested and you are prepared to begin collecting data from real study participants, you must request that your project be moved to production status.  To do this, go to project setup, scroll to the bottom of the page, and click Move to Production Status.  You will be required to submit your IRB approval letter before the project is moved to production.  If your project is for operational support, you will need to provide IRB waiver and justification for use.

Production Status

Production status is intended for IRB-approved projects or projects with IRB waivers.  Project in Production Status are considered HIPAA compliant and can contain PHI and other study data ("real data").   Once project are in Production Status, data are continually backed to facilitate PITR (point in time recovery) methods and are stored for approximately 30 days. Please note, while data are backed up on the production server, if you or anyone added to your project purposely deletes data, for example by deleting records, fields, or instruments, or changing variable names or multiple choice codes, there will be a fee associated with recovering data.

It is important to note that you can still make modifications to your project in production status.  Some modifications may require administrator review in order to prevent data loss or project corruption.

IRB Approval

I2DB is not responsible for granting, approving, or waiving IRB project approvals.  We also are not responsible for determining whether a project is in compliance with an IRB protocol.  Please contact the HRPO and or the IRB with questions regarding IRB compliance.  WashU HRPO and IRB offer HRPO Help Services to provide guidance on:

  1. SWAT On-Call Service: 314-747-6800

  2. Virtual Office Hours

  3. IRB Consultation Request Form

All research projects on the Production server must obtain an IRB approval or waiver before the project will be granted access.  The Project PIs are responsible for ensuring that their project protocols allow for data capture, storage and retrieval on our REDCap instance.  HRPO’s recommendation is for Quality Improvement project researchers to contact the Expedited Review Manager and request a determination on what approval is needed for their data collection. Determinations are made on a case by case basis.  

User Rights

Access to the secure REDCap servers is provided in compliance with WUSM’s HIPAA guideline.  Each user is responsible for the security of their WUSTL Key and password.  All user access and user rights to individual REDCap Projects are controlled by the study team themselves.  From a technical perspective, when a REDCap project is created, the person who creates project is responsible for adding other study team members.  Study team members can be added with the ability to control other people's User Rights.  Anyone given the ability to control user rights is able to add or remove people from the project as well as control what specific tasks they can complete in REDCap.  The person who creates the project plus anyone added with the ability to control User Rights are responsible for the people who are added to that individual project.  From a compliance perspective, the Principal Investigators (PI) of the study is responsible for ensuring only appropriate individuals have access to the project.  For a research study, the PI is the person defined in the approved IRB protocol as the PI or Co-PI and appropriate study team members are those listed on the Research Team in the approved IRB protocol with proper regulatory training (e.g. CITI).  The PI also is responsible for ensuring all study team members who are using REDCap are properly trained for the tasks they will complete.  It is the responsibility of the PI and PA to restrict all user privileges to a level that they do not gain access to sensitive data to which they do not have proper approvals or to data which they are supposed to be blinded to.  It is the responsibility of the PI and PA to remove any users that leave the university or no longer work on the project.  

Research Data Stored in WashU REDCap

Research data stored in REDCap is subject to the Washington University Research Data and Materials Policy.  Any project that is part of a research project that has IRB approval should have this included within the REDCap project.

REDCap Project PI Departing University

If the PI of a REDCap project leaves the university, please follow the PI Departure Process. Research data in REDCap can be transferred only with prior approval from a Dean, Department Chair, or Director as specified in the PI Departure Process

Transferring REDCap Data to another Institution

If a PI would like to transfer data from a REDCap project to another institution, please follow the PI Departure Process. If any other study team member leaves the university (for example, a student or trainee is graduating and moving to another university and would like to take the data with them), they will need to complete a Data Transfer Agreement (DUA) and, if needed, a Materials Transfer Agreement.

Transferring a REDCap Project to another WashU PI

If the PI is departing the university, follow the PI Departure Process. If a project with research data needs transferred for any other reason, i.e., the current PI is going to clinic full time and will no longer conduct research, you must make a modification in the IRB and Submit a REDCap Ticket with the approval letter that contains the name of the new PI and IRB number.