Security policy
- Do not share individual account access with other users
- Do not log on to REDCap to provide access for another user
- Users will be held fully accountable and responsible for actions initiated under their username or electronic signatures
Data sharing policy
- Review and confirm that all PHI fields in your REDCap project have been marked as identifiers prior to requesting that the project be moved to production status (this step is necessary in order to be able to export de-identified data from REDCap)
- Always download de-identified data from REDCap using the de-identification options unless identified data is necessary
- It is the Investigator’s responsibility to ensure their REDCap project users have been added to their IRB’s study team member list
- It is the Investigator’s responsibility to ensure data sharing with outside collaborators is approved by the IRB prior to sharing
- It is the Investigator’s responsibility to confirm there is a HIPAA Associate Agreement or Business Associate Agreement with an external collaborator before sharing any identified data
- UCLA Health Box is the approved channel to share identified or de-identified data
- Using email to send identified or de-identified data is discouraged. If data must be sent by email, the subject line must start with “#secure” so that the message is encrypted, and the recipient email must not be a personal email address (e.g. gmail.com, yahoo.com)
- If identified data must be downloaded and stored outside of departmental file servers, a computer with an encrypted hard drive or an encrypted USB drive that is compliant with UC Security Standard must be used