ePHI Best Practices

REDCap projects are managed by YOU, the project user. Therefore, access to project data is controlled by YOU and how you grant and restrict access.

It’s recommended that REDCap projects not collect unnecessary identifiable information. When identifiable information needs to be in a project, please follow these ePHI best practices.

    • Never share your REDCap username and password.
    • Grant project access only to staff, researchers, and external collaborators who are trained in protecting PHI.
    • Group all subject-identifying information into one data collection instrument and restrict access to this instrument. Within User Rights, grant “No Access” to all users except those who absolutely need this information.
    • Within User Rights, grant “No Access” or “De-Identified” data download access to project users.
    • When creating fields, mark PHI as “Identifier? = Yes”.
    • Within Project Setup, run “Check For Identifiers” to help ensure all identifier fields have been tagged.
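
The grouping and tagging practices above can also be checked offline against a data dictionary export. The script below is an added example, not part of REDCap or of the original page; the column headers, the "y" identifier value, and the PHI heuristics are assumptions to adjust for your project.

```python
import csv
import io
import re

# Column headers as assumed from a REDCap data dictionary CSV export.
COL_FIELD = "Variable / Field Name"
COL_FORM = "Form Name"
COL_LABEL = "Field Label"
COL_VALID = "Text Validation Type OR Show Slider Number"
COL_IDENT = "Identifier?"

# Heuristics (assumptions, tune per project) for fields that probably hold PHI.
PHI_VALIDATION = {"email", "phone", "ssn", "zipcode"}
PHI_WORDS = re.compile(r"\b(name|address|birth|dob|mrn|phone|email|ssn)\b", re.I)

# Constructed sample with only the columns the audit reads; not a real project.
SAMPLE = """\
"Variable / Field Name","Form Name","Field Label","Text Validation Type OR Show Slider Number","Identifier?"
record_id,contact_info,Record ID,,
first_name,contact_info,First name,,y
email,contact_info,E-mail address,email,y
dob,demographics,Date of birth,date_ymd,
visit_phone,visit,Call-back phone,phone,y
weight,visit,Weight (kg),,
"""

def is_tagged(row):
    # Assumed convention: "y" in the identifier column means Identifier? = Yes.
    return (row.get(COL_IDENT) or "").strip().lower() == "y"

def looks_like_phi(row):
    validation = (row.get(COL_VALID) or "").strip().lower()
    return validation in PHI_VALIDATION or bool(PHI_WORDS.search(row.get(COL_LABEL) or ""))

def audit(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Fields that look like PHI but were never marked "Identifier? = Yes".
    untagged = [r[COL_FIELD] for r in rows if looks_like_phi(r) and not is_tagged(r)]
    # Instruments that contain at least one tagged identifier field.
    forms = sorted({r[COL_FORM] for r in rows if is_tagged(r)})
    return {"untagged_suspects": untagged, "identifier_forms": forms,
            "grouped_in_one_instrument": len(forms) <= 1}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, the date-of-birth field is reported as untagged and identifiers are found in two instruments, so access cannot be restricted by locking down a single instrument.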