HIPAA-Compliant REDCap Account

A HIPAA-Compliant REDCap account is best for:

  • Research conducted within a HIPAA-covered clinical setting
  • Studies involving PHI (e.g., patient names, medical records, diagnoses)
  • Clinical quality improvement surveys that collect PHI
  • Patient intake and medical data collection

Restrictions:

  • Must adhere to HIPAA security guidelines and university compliance requirements
  • Only authorized personnel can access PHI data
  • Data must not be exported or shared without approval from compliance officers

Requesting an SCCE HIPAA-Compliant REDCap Account

  1. Read the HIPAA REDCap Instance Process Sheet (Process Sheet).
  2. Download and complete the form (Request form).
  3. Send the form: send the request form to sccecompliance@usu.edu.

Users must delete their data from REDCap after their data collection is over. REDCap is not a data storage tool.

Note: This account is for collecting data that includes HIPAA Identifiers and Protected Health Information from a Sorenson Center HIPAA clinic. View the SCCE website for a list of the clinics.

HIPAA Identifiers
  1. Name
  2. Address (all geographic subdivisions smaller than a state, including street address, city, county, and zip code)
  3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email address
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URL
  15. Internet Protocol (IP) Address
  16. Finger or voice print
  17. Photographic image - Photographic images include more than just images of the face.
  18. Any other characteristic that could uniquely identify the individual

If a communication contains any of these identifiers or parts of the identifier, such as initials, the data must be regarded as “identified.” To be considered “de-identified,” ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.

Be aware that the HIPAA Privacy Rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will involve any identifiers linked to living persons or access death records maintained by the State Registrar, local registrars, or county recorders, the project must receive prior approval.