Special Links

HSC Net-ID Application Process
for Affiliate Users


REDCap Account Request Form

REDCap Training Handouts &
External Training Videos
Click here for the REDCap Login page



On this page below...

What is REDCap?

REDCap is a mature, secure web application for building and managing online surveys and databases. While REDCap can be used to collect virtually any type of data, it is specifically geared to support data capture for research studies.

It is not a TRUE relational database application, such as Microsoft Access or MS SQL Server, which allow users to create tables with complex relationships between them. Nevertheless, using newer REDCap features like "Repeating Instruments and Events" can add some "one to many" functionality to a project.

REDCap's survey functionality has become increasingly sophisticated over the years. Although it is easy to create a basic public survey, there are many add-on options that make surveys in REDCap a flexible and powerful tool. Possibilities include using multiple surveys in any project, survey automation, notifications, and many others.

REDCap is engineered by an active team of programmers at Vanderbilt University. Updates and bug fixes are released regularly. It is currently in production use or development build-status at nearly three thousand institutions worldwide. For more information about the institutions using REDCap, visit the REDCap Consortium website.

Back to Contents List (top of the page)

REDCap Security

The paramount security concern for anyone using REDCap is the safeguarding of Protected Health Information (PHI). REDCap has been engineered to be HIPAA-compliant. That said, it must be understood that the protection of data is as much about the procedures and policies of those using REDCap as the security written into the application itself. REDCap provides the means to control who has access to PHI in your project, but you must manage projects in such a way that limits the viewing of PHI only to those individuals with a need to know; presumably these individuals are so-named in your IRB protocol.

Overall, REDCap employs three basic levels of security: system, application and user.

At the system level: REDCap is behind the HSC firewall; only computers behind the firewall on campus will be able to reach the login page with a valid HSC Net-ID and password. Those individuals will also be able to access the login page from outside the firewall (i.e. their home) by using the Cisco Anyconnect VPN. All data traveling between client computers and the REDCap application is encrypted via SSL. The data servers are physically located in the UNM HSC Server Room; data is backed up nightly. The drive on which the data is stored and backed up nightly is encrypted in stasis. Backups are maintained for 3 weeks.

At the application level: REDCap provides an array of features for controlling who has access to what, in addition to checking data, securing the integrity of the data and providing oversight of the data. These control features can help a project administrator in monitoring and protecting sensitive data. Some of REDCap's control features include the following:

  • Record Locking
  • e-signature
  • De-identification of Exported Data
  • User Rights Control
Back to Contents List (top of the page)

User-Level Security

Knowing how to add users and managing their access to your sensitive data is one of the most important parts of cultivating security in your REDCap projects. If your project will contain PHI (Protected Health Information), you must limit the ability to access and download data only to those with a need to know. These individuals may be explicitly defined by your IRB protocol.

What all project managers need to know first and foremost is that ANY user who has "user rights" permissions in REDCap, has the rights to add other users as well as the rights to manage any user's permissions --INCLUDING THEIR OWN. Anyone with user rights permissions may upgrade their own permissions at any time. That's why it is best practice to have only one individual on your team with user rights permissions at the time your project is moved into production. (A REDCap administrator will always be able to access your User Rights table if your designated coordinator cannot be reached.) It may be more convenient to have everyone on your team possessing the rights to change user permissions, but it can also be unsafe and is not recommended.

To add a user to a REDCap project: The new user must already possess a basic REDCap account. Do not try to add a user to your project if they don't already have a general REDCap account. If they don't have one, they can apply for one here. Once they have their REDCap account, you can navigate to the User Rights module from the left navigational menu on the "Project Setup" page. There are other links to User Rights from other buttons in the system as well. The User Rights page consists of a table describing all users currently added to the project and an overview of their permissions. To find a REDCap user to add to your project, begin by typing their proper name, or their REDCap User Name, in the "Add new user" text box. Names will begin to autofill according to the letters you are typing. When the user you're looking for comes up, click the button to "Add with custom rights". The "permissions" page will come up where you can check or uncheck the permissions for that new user. You must click "Add User" at the bottom of the page to complete the procedure (or "Cancel"); otherwise the user may not be saved to your project. If they have been saved successfully, they will show up in your list of users on the original User Rights page. Successful additions will appear in your list of users with the proper name in parenthesis next to the Redcap user name, like this: jdoe (Jane Doe).

You will also notice a text box and button to "Create new roles." This is useful for larger projects with potentially many users who will be grouped into similar roles. At a basic level, you could define groups called "Manager" and "Data Entry" and assign the appropriate permissions for those groups. As new users are added to your project you can simply enter their user name into the "Assign new user" text box and then click the "Assign to role" button. Your two pre-defined options will come up and you can select the appropriate one to immediately set their permissions.

Back to Contents List (top of the page)

How to get Access to REDCap

To apply for a REDCap account, you must first possess a valid HSC Net-ID and password. This should not be a problem for current faculty, staff and most students at the HSC. A UNM main-campus Net-ID will not work. Go to the REDCap Account Request form to request a new REDCap Account. Regular faculty, staff and students will select the first option. Fill out the form, indicating your acceptance of the User Agreement Terms, and submit it. You should get a response from the REDCap application within one full business day unless there is a problem with your request, in which case you will get a response from the REDCap administrator.

REDCap accounts are generally provided for one-year periods. REDCap will attempt to notify a user 14 days prior to their account expiration, provided their correct email address is on file. Upon receipt of an expiration notification, the user should proceed to the REDCap Account Request form and select the option for renewing an account. Once the User Agreement is signed and received by the REDCAp Support Team, the account will be renewed for an additional one year period. The renewal process can take a full business day to process.

If an individual from the main campus or an affiliate from another institution will be working with you on your project, you can apply for an HSC Net-ID on their behalf by completing the HSC Net-ID application process.

Once your affiliate has their Net-ID and password, they can then go to the REDCap Account Request form, selecting the second option for "affiliate", fill out the form, accept the terms of the User Agreement and submit their request. They will get a response from either the REDCap application or the REDCap Administrator within one business day.

Back to Contents List (top of the page)

Accessing REDCap from Off Campus

REDCap is behind the HSC firewall. The login page is not accessible from outside the firewall without the use of the Cisco AnyConnect or Pulse VPN. The VPN authenticates the user's HSC Net-ID and creates a secure connection with REDCap across the firewall. The VPN must be used from all computers outside the HSC firewall, including the UNM main campus.

Any off-site affiliate working on REDCap projects must acquire an HSC Net ID from HSLIC and must install and use the Cisco AnyConnect or Pulse VPN whenever they are accessing REDCap. The Primary Investigator on a REDCap project can apply for an HSC Net-ID for an affiliate on their team by completing the HSC Net-ID application process. In comments fields, please include a description of the REDCap project and an explanation why the affiliate needs off-site access.

Access through the VPN is controlled by HSLIC and is limited to users with an HSC Net ID who have signed the required user agreement through Learning Central and whose supervisor has submitted the appropriate request through the Help.HSC ticket system.

Instructions explaining the process for obtaining VPN access as well as acquring Net-ID credentials for affiliates can be found in the HSC Net-ID Application Process.

Back to Contents List (top of the page)

Renewing Your REDCap Account

Account expiration notifications are sent out by REDCap beginning 14 days prior to the expiration. These notifications are sent to the email address on file for you in REDCap. For most users, this is your salud account. If you never check your salud account, you could miss these and other important notifications from REDCap. You can provide the REDCap Administrator with a secondary email address, presumably one that you check everyday. REDCap notifications will be sent to both email addresses on file.

If you receive a REDCap notification regarding the impeding expiration of your REDCap account, you may renew it for another period by navigating to the REDCap Account Request Form, selecting the third option for "renewing" a REDcap account, and signing the User Agreement. Your request for a renewal will be received by the REDCap Administrator and processed usually with a business day.

Back to Contents List (top of the page)

Learning to Use REDCap

REDCap becomes more feature-rich with each new release. That means the better it gets, the steeper the learning curve gets. Nevertheless, it is generally intuitive and once you start working with it, you should be able to do most of what you need to do with little guidance. Some basic knowledge of the system will get you there. User documentation is mostly built-in to the system in the form of buttons and links on the pages near where specific technologies are set up. For example, when you click the "Add Field" button in the Online Designer, the window that pops up contains links to explain the concepts of "piping", "action tags" and "smart variables".

There are several resources to help you learn how to use the application. The best tool for beginners is the video tutorial series produced by Vanderbilt University. These materials are available from the "Training Resources" tab within REDCap; a more limited selection can be found in the "Video Resources" tab on the REDCap Consortium website. The consortium videos are available to stream without logging in to REDCap.

For some of the longer videos, break up your session into two or three shorter sessions. Open up an instance of REDCap while you are watching the video so that you can try to follow along. Since updates to REDCap generally outpace the revision of tutorials, there may be some minor differences in the way that your version of REDCap looks in comparison to the video.

For beginners, we recommend the "Just Getting Started?" series and the "Building a Project" series. You should also pick and choose from the "Basic Features & Modules" series and the "Types of REDCap Projects" series. Intermediate to advanced users should definitely get to the "Special Features within REDCap Projects" series.

The REDCap Basic Training Class is generally offered once a month and is posted on the REDCap Home/Login page as well as the CTSC Training Calendar. REDCap Basic Training is a 2-hour introduction to creating projects in REDCap. Students will build a simple REDCap instrument, step by step, and then turn that instrument into a survey. This is a hands-on demonstration. Taking this class while also viewing the REDCap training videos is a good way to proceed. View upcoming training on the Redcap Home page or the CTSC calendar.

REDCap Beyond the Basics introduces users to more advanced features in REDCap. Features covered may include: Longitudinal projects, Automated Survey Invitations, Data imports, Data Dictionary, Reports, or other topics.

The REDCap FAQs are an important resource that should not be ignored. They are well-written, although there are some omissions. When you have a question about using REDCap, you should always check the FAQ page before you contact REDCap Support. Many of the support questions we get are answered right there in the FAQs. Need to know how to create a calculated field? Look in the FAQs. Need a refresher on how to create a branching logic field? Look in the FAQs. If you don't find the answer you are looking for, then feel free to contact the REDCap Support Team to help.

Back to Contents List (top of the page)

REDCap and Your PHI

It is imperative that REDCap users who store Protected Health Information (PHI) do so in a responsible way. REDCap is HIPAA-compliant in that it provides the means to limit who has access to the PHI you enter into your project, but there are some things you have to do yourself.

Identify the variables that contain your PHI to REDCap.  When you add a new field in your project, make sure you select "Yes" in the "Identifier?" property. Do this for all your fields containing PHI. This way REDCap will know what data to limit to those who only have the clearance to see de-identified data.

Set up your User Rights to control who has access to your PHI. The User Rights module is where you define who has access to what. You can set a user's permissions to include either a full data set or a de-identified data set. Users can also be granted or denied access to specific instruments in your project.

Be cognizant of your downloaded record sets. In REDCap it is easy to download a full set of data, including PHI, if you have the permissions. Because of that convenience, it would be easy to download a set to your desktop, view the data, and then leave it, forgetting it's there, even beyond the date of its usefulness. (This is just one example meant to serve as a possible scenario.) These "forgotten" record sets could get into the wrong hands if left, unprotected or forgotten. They are especially vulnerable on laptops, tablets, mobile phones and USB drives that are even more susceptible to loss or theft. Your mobile devices must be encrypted if you are using them to store PHI. Better yet, don't store sensitive data on them at all.

Always be mindful of PHI, however you use it. Even if you never export identified data from REDCap, if you have it displayed on your computer monitor, or write it down on a piece of paper that ends up on your desk, you are potentially exposing that data to individuals without authorization to view it. Consider using a screening device on your computer monitor to shield your data from casual visitors and make sure you shred any pieces of paper you have used to quickly jot down a name and phone number, or any other PHI.

Back to Contents List (top of the page)

Important Special Procedures for ALL IRB Studies

Before a Research project will be moved to "Production" in REDCap, the following documents must be received by the REDCap Support Team:

  1. Project Protocol as submitted to the IRB
  2. Your IRB Approval Letter
  3. List of Team Members as submitted to the IRB, defining the level of access for each member as "identified" or "de-identified" (Additions or changes to this list should be filed as an modification to your HRPO office as well as provided to the REDCap Administrator).

Until futher notice, please email any documents to the REDCap Support Team (hsc-ctscredcap@salud.unm.edu). Include your IRB number and the name of your REDCap project.

Back to Contents List (top of the page)

Important Information about Multi-site Studies

If you intend to use REDCap for a multi-site study and plan to share data with other institutions, you will need to obtain a Data Use Agreement (DUA) and possibly a Business Associates Agreement (BAA). Furthermore, you may also need to obtain a security review of any data transfer processes if you are sharing data with your affiliate users by any other means than directly in and out of REDcap (for example, via secure email, a third-party application, or manual transport via USB drive or other device).

For information about acquiring a Data Use Agreement and BAA Agreement, please contact the Sponsored Projects Office.

The Security Review would be submitted through the Help.HSC system and would include a thorough explanation of the data being transferred and the process through which it leaves REDCap and is delivered to another site.

Please send a final copy of your agreements to the REDCap Support Team before your project moves into Production.

Back to Contents List (top of the page)

Moving Your Project into Production

REDCap employs the following stages of development:

Development: All projects when first created start in "Development". In Development, you can design, build, and test your REDCap projects. All design decisions can be made in real time and are implemented immediately to your project. All survey and data entry features/functions can and should be tested in the Development phase.

Production: After you have thorougly tested your project in the Development phase with test data and are ready to begin collecting genuine data, you will move your project from Development to Production by clicking the "Move to Production" button at the bottom of your Project Setup page. You will be given the option of retaining any data already entered or starting with a blank slate. The REDCap Support Team will review the request and either put the project into Production or respond to the request with questions or concerns. Most survey and data entry features and functions will perform the same as they do in Development. Some functionalities are disabled, such as the ability to "Erase all Data". An important distinction of the Production phase, however, is that changes to your instruments cannot be done in real time. All instrument design updates require making the changes in Draft Mode and then submitting them for approval. After you click the button to move into production, your request will be sent to the REDCap Support team at the CTSC who will examine the project set-up to insure that all required components have been addressed. See the special requirements for IRB projects.

Draft Mode: Changes cannot be made in real time to the forms/instruments of a project in Production Status. In order to make changes to a project already in Production, you have to put the project in Draft Mode from the Online Designer page. (Once in production, the "Online Designer" button moves to the bottom of your Project Setup page.) Draft Mode insures that data which has already been collected is not disturbed by any changes made to the project. This can occur in some cases. If you submit changes to your project in Draft Mode, the request will either be fully executed by the REDCap Support team or returned to the user with a response. If the user understands the impact upon the data and still wishes to complete the drafted changes, they will be completed as directed.

From Production, you can move a project to the following statuses from the Project Setup >> Other Functionality page:

Inactive: Move the project to inactive status if data collection is complete. This will disable most project functionality, but data will remain available for export. Once inactive, the project can be moved back to production status at any time.

Archive: Move the project to archive status if data collection is complete and/or you no longer wish to view on My Projects List. Similar to Inactive status, this will disable most project functionality. The project can only be accessed again by clicking the Show Archived Projects link at the bottom of the My Projects page. Once archived, the project can be moved back to production status at any time. Generally, your REDCap project should be removed after your project has been completed.

Back to Contents List (top of the page)

Citing REDCap in Your Research

Please cite the publication below in study manuscripts using REDCap for data collection and management. We recommend the boilerplate language as provided in the example below:

Study data were collected and managed using REDCap electronic data capture tools hosted at the University of New Mexico.1 REDCap (Research Electronic Data Capture) is a secure, web-based application designed to support data capture for research studies, providing 1) an intuitive interface for validated data entry; 2) audit trails for tracking data manipulation and export procedures; 3) automated export procedures for seamless data downloads to common statistical packages; and 4) procedures for importing data from external sources.

1Paul A. Harris, Robert Taylor, Robert Thielke, Jonathon Payne, Nathaniel Gonzalez, Jose G. Conde, Research electronic data capture (REDCap) - A metadata-driven methodology and workflow process for providing translational research informatics support, J Biomed Inform. 2009 Apr;42(2):377-81.


Link to the article referenced above: http://www.sciencedirect.com/science/article/pii/S1532046408001226

For additional information about citing the CTSC in your research, click here.

Back to Contents List (top of the page)

Consulting with a Biostatistics Specialist

If you will be consulting with a biostatistician, we strongly urge you to meet with him or her early, while you are setting up your project in REDCap. By reviewing such items as your research design, database design (e.g. longitudinal vs. non-longitudinal), and your REDCap data dictionary before your project goes into production status, you will be able to make modifications more easily and thereby avoid potentially time-consuming problems. Read about CTSC Biostatistics support here.

Back to Contents List (top of the page)

Final Disposition of your REDCap Data

The CTSC's implementation of REDCap is not intended to be a long-term repository or warehouse for protected health information. If the purpose of your project is research involving human subjects, you will be asked to provide your study's IRB expiration date. As the expiration date approaches, we will contact you regarding the proper disposition of your REDCap data. At that point there are a number of possibilities, including the following:

  • You submit an IRB continuation request and are granted an extension. If this happens, please give us your new expiration date.
  • Your IRB protocol allows you to keep all, or a portion of, your data beyond the expiration date. (For example, perhaps you can retain the de-identified database). If this is the case, we will export a copy of your data in the appropriate form, and transfer it to you by secure means. After that we will delete the data from REDCap.
  • Your study is complete and you give us permission to delete the data.
Back to Contents List (top of the page)