Lara Lechtenberg

REDCap: PHI and Permissions

PHI

It’s important to mark any field that holds PHI in REDCap as an identifier so that you can easily limit access to PHI when exporting your data. REDCap makes it easy to mark any identifier as such when editing any field:

REDCap identifier

But how do you make sure you’ve covered all of them?

• There is a link available from every REDCap project to a CHOP page that reminds you of the 18 HIPAA Identifiers:

REDCap identifier

• There is a specific “Check for Identifiers” feature in REDCap under Project Setup that is unfortunately quite easy to miss:

REDCap identifier

REDCap identifier
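The same review can also be scripted against the data dictionary CSV downloaded from the project, as a cross-check alongside the built-in feature. This is an added example, not REDCap's or CHOP's code: the keyword and validation-type heuristics are assumptions, and the sample dictionary is constructed and carries only a subset of the real columns.

```python
import csv
import io
import re

NAME, FORM, LABEL = "Variable / Field Name", "Form Name", "Field Label"
VALIDATION, FLAG = "Text Validation Type OR Show Slider Number", "Identifier?"

# Assumed heuristics (not REDCap's own logic): validation types and name/label
# words that usually indicate one of the 18 HIPAA identifiers.
PHI_VALIDATION = {"email", "phone", "zipcode", "ssn"}
PHI_WORDS = {"name", "address", "street", "city", "zip", "phone", "fax",
             "email", "ssn", "mrn", "dob", "birth"}

# Constructed sample; a real data dictionary has more columns than these.
SAMPLE_DICTIONARY = '''"Variable / Field Name","Form Name","Field Label","Text Validation Type OR Show Slider Number","Identifier?"
record_id,demographics,"Record ID",,
first_name,demographics,"First name",,y
dob,demographics,"Date of birth",date_ymd,
contact_email,demographics,"Best contact",email,
home_address,demographics,"Street address",,
sbp,vitals,"Systolic blood pressure (mmHg)",integer,
visit_date,vitals,"Visit date",date_ymd,y
'''


def unflagged_identifier_candidates(dictionary_csv):
    """Return (field, form, reason) for PHI-looking fields not marked 'y'."""
    findings = []
    for row in csv.DictReader(io.StringIO(dictionary_csv)):
        if (row.get(FLAG) or "").strip().lower() == "y":
            continue  # already marked as an identifier
        vtype = (row.get(VALIDATION) or "").strip().lower()
        text = f"{row[NAME]} {row.get(LABEL) or ''}".lower()
        words = sorted(set(re.findall(r"[a-z]+", text)) & PHI_WORDS)
        if vtype in PHI_VALIDATION or vtype.startswith(("date", "mrn")):
            findings.append((row[NAME], row[FORM], f"validation type {vtype}"))
        elif words:
            findings.append((row[NAME], row[FORM], "keyword " + ", ".join(words)))
    return findings


if __name__ == "__main__":
    for field, form, reason in unflagged_identifier_candidates(SAMPLE_DICTIONARY):
        print(f"{form}.{field}: not marked as identifier ({reason})")
```

Treat each finding as a prompt to review the field against the 18 HIPAA identifiers, not as a verdict.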

Using multiple REDCap projects for one study in order to separate PHI from the rest of the research data is not necessary and is not advised. This might seem like a good safety mechanism for compliance, but REDCap is a HIPAA-compliant solution! To save yourself the extra work, go ahead and keep your identifiers safely within your REDCap project (safely means marking them as identifiers!) with the rest of your data.

User Roles and Rights

User permissions in REDCap are managed through the User Rights and DAGs section of each individual REDCap project, below “Applications” on the left-hand side of your screen.

REDCap User Rights

User Rights are managed on two levels. There’s an overall project level (the Basic Rights section, shown below):

REDCap User Rights

There’s also a form-by-form level within the project (the Data Entry Rights section):

REDCap User Rights

For research projects, it’s often helpful to look at your research protocol to help determine the User Rights assignments for your project. Your protocol may have a data management plan, or a delegation log, that outlines who can view, edit, and export which data.

Often, the lead coordinator on a project will manage these User Rights, but should do so with oversight from the project PI. Err on the side of being overly restrictive while giving study team members the access they need to do their jobs. You can always add study permissions later, but a permission granted accidentally could mean a protocol deviation.

Guidelines for project permissions

While we can provide general guidelines for granting User Rights, it’s important to keep in mind the specifics in your protocol when granting permissions. These lists provide an idea of what would likely be necessary in a typical research project:

PI/Lead Coordinator

Full project access, including:

  • Project Setup and Design
  • User Rights
  • Data Access Groups
  • Export full data sets
  • Add/edit reports
  • Manage survey participants
  • Logging
  • Create/Rename/Delete records
  • Mobile app/API privileges as needed
  • View/edit all forms

Other Coordinators/Research Assistants

  • Export full data sets
  • Add/edit reports
  • Manage survey participants
  • Logging
  • Create records
  • Mobile app/API privileges as needed
  • View/edit forms as needed

Data Entry/Recruitment personnel

  • Create records
  • View/edit forms for which they are entering data
  • Mobile app privileges as needed

Randomization privileges also depend on your protocol. To keep study staff blinded, you’ll generally need someone to conduct the randomization setup who is outside the protocol – someone who is not a member of the study staff. Often, this can be a member of the REDCap admin team – just contact the team ahead of time to let us know you’ll need help with setup.

Your protocol should tell you who on your study team will be randomizing patients. Those individuals should have the “Randomize” permission checked off, while everyone else should be restricted.
