IU REDCap user agreement

• Document scope
• 1 Service level expectations
  • 1.1 Description of the service
  • 1.2 Service hours and availability
  • 1.3 Incidents and service requests
  • 1.4 Service upgrades and maintenance window
  • 1.5 Service governance and security
• 2 User requirements
  • 2.1 User responsibilities and data governance
  • 2.2 Cost of service

---

Document scope

Following are appropriate use policies for Indiana University's implementation of the IU Research Electronic Data Capture service (REDCap).

The Research Technologies division of IU (Indiana University) University Information Technology Services (UITS-RT) and the Indiana Clinical and Translational Sciences Institute (Indiana CTSI) work as partners to offer the IU Research Electronic Data Capture service (IU REDCap) service to the community of IU and Indiana CTSI affiliated researchers. This document describes the service level expectations and user requirements for IU REDCap. By using IU REDCap, a user agrees to the terms of this document.

1 Service level expectations

1.1 Description of the service

The URL for the service is https://redcap.uits.iu.edu/. An up-to-date description of the capabilities of the service is located at this URL. In supporting IU REDCap, UITS-RT and the Indiana CTSI:

• Host the REDCap service in IU-approved infrastructure.
• Maintain regular backups of the database underlying REDCap to minimize the risk of data loss.
• Provide account management of users:
  • Creation and deactivation of system-level accounts
  • Automatic suspension of user accounts after six months of inactivity
  • Users manage user rights in their projects
• Provide user support for questions about REDCap features.
• Provide access to the REDCap API to allow software clients to interact directly with REDCap.
• Provide paid consulting services for in-depth user support and project builds (contact redcap@iu.edu).

1.2 Service hours and availability

The intent is for the IU REDCap service to be continuously available, except for scheduled maintenance periods. However, the current funding and operating model requires "best effort" support. By "best effort", we mean:

• Service issues or questions about the use of IU REDCap are resolved during normal business hours, Monday-Friday 8am-5pm, or outside of business hours if a staff member is available to investigate a problem.
• IU REDCap has no guaranteed percentage uptime, although empirically it has been operating well above 99% since 2015.
• IU REDCap has no guaranteed response time for support tickets, although in practice UITS-RT tries to make an initial response to inquiries within 24 to 48 hours.

1.3 Incidents and service requests

Major issues with IU REDCap will be reported at Status.IU. Users may report problems or questions concerning IU REDCap to redcap@iu.edu.

1.4 Service upgrades and maintenance window

The maintenance window is every Sunday 12am-5pm. During maintenance, the service is typically only unavailable for about an hour, but we reserve the right to use the entire maintenance window for major upgrades.

1.5 Service governance and security

A consensus of representatives from various groups, including UITS-RT, the Indiana CTSI, the IU HIPAA officers, the IU Data Stewards, IU General Counsel, and the IU OVPIT HIPAA Liaison, are consulted to make policy decisions for IU REDCap.

UITS-RT installs the Long-Term Support (LTS) version of REDCap, which has a major update twice a year, and minor updates more frequently for bug-fixes and security patches.

The timeframe for implementing non-essential changes to the IU REDCap service depends on available staff resources.

Indiana University ensures that IU REDCap has the requisite HIPAA Security Rule safeguards in place for its infrastructure components, allowing data with electronic protected health information (ePHI) onto the system. However, the infrastructure safeguards alone do not fulfill a user's legal responsibilities for protecting the privacy and security of data containing ePHI. A user must implement additional safeguards to satisfy HIPAA requirements. For more details, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

2 User requirements

2.1 User responsibilities and data governance

IU REDCap is for use only in support of academic research and for projects that do not involve sensitive institutional data except ePHI. However, IU REDCap may not be used to directly support patient care in a clinical environment; case-by-case exceptions to this restriction may be made when the overarching purpose of REDCap's use in a project is research, and where REDCap is used in such a way that other systems (digital or paper-based) may be used to replace IU REDCap if it is not available. Regarding the IU classifications of data that may be stored in IU REDCap, see About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information.

When using IU REDCap with ePHI, the user, and, if applicable, the Principal Investigator (PI), are responsible for the privacy and security of these data, and for compliance with any applicable federal and state laws and regulations, and institutional policies. To the extent applicable, this may include having the appropriate Institutional Review Board (IRB) approvals, patient authorization, and/or a Data Management Plan. In particular, the user, the PI, and the department are responsible for implementing administrative, physical, and technical safeguards that complement IU's REDCap infrastructure safeguards. See Shared responsibility model for securing PHI on UITS systems for what is expected.

UITS-RT maintains appropriate database backups to minimize the risk of data loss in the event of a system failure. Although UITS-RT cannot make any guarantee to the user about being able to recover a user's data in the event of data loss due to an error on the part of the user (for example, a user accidentally deletes data in a project), UITS-RT can, for a consulting fee, try to recover the lost data via the REDCap audit log, and if the data is recovered, the project owner would be responsible for re-loading the data into REDCap; this is not a routine process, and should be considered a method of last resort.

Due to the way IU REDCap audits user activity on the system, UITS-RT has no convenient way of purging a project's data from the REDCap logs, even after a project has been deleted. If this presents an issue for your data management plan, you should not use IU REDCap.

2.2 Cost of service

IU REDCap services are available without charge to IU and Indiana CTSI affiliated users. Most data collection in REDCap is low-throughput and involves relatively small amounts of structured data collected through forms and surveys. Therefore, currently there are no quotas that limit the amount of data collected in REDCap by a given user. However, UITS-RT reserves the right to change this at any time for new projects. In addition, a user who wishes to use REDCap in a way that uses a large amount of storage or compute resources (for example, collecting large digital media files, or high-throughput usage of the API) should contact redcap@iu.edu to discuss their usage and whether infrastructure cost-sharing would be appropriate; UITS-RT reserves the right to stop any current non-standard projects, since that could affect other users of the service.