REDCap: Guidelines for Directed Surveys
The guidelines below are intended to safeguard the privacy rights of people being asked to complete a REDCap generated survey that may contain PHI or health information, sent to a specific email address provided
One of the powerful study tools that REDCap offers is survey functionality. Some surveys are completed anonymously using Public Survey Links and these do not pose a significant challenge to HIPAA regulations regarding privacy and PHI.
Other surveys, however, may be directed to specific individuals at an email address provided by that individual. Greater care is required in these cases to ensure that each person's privacy is protected. When thinking about these survey invitations, consider the general rule that once the email is sent, you have very little control what happens to it. There are a few things you can do to help safeguard study and health information when you are using the Participant List functionality within the Manage Survey Participants section of REDCap.
- Researchers should develop and implement a mechanism to ensure that the email address provided by the patient/subject is correct. One example of this are double entry of the email address. It is also strongly recommended that patients/subjects are asked not to use an email address that others can access, but instead to provide an individual email account.
- Avoid offering identifying information by ensuring that the email invitation NOT include the patient/subject name (e.g. Hi Mary). This point emphasizes the need to use an individual email address and not a shared account.
- Protect health information by making sure that the email invitation text does NOT Include the details of the intent of the survey (e.g. We ask that you complete this survey as a 3 month follow-up to your visit to the Alzheimer's Disease Clinic on March 20, 2013). This is particularly important when communicating to email addresses in the some of the free-email domains such as Gmail, Hotmail or Yahoo. These services explicitly state that they can not guarantee privacy and security.
Because of the security limitations inherent in email communications, it is important that the content of messages not reveal protected information. In addition, the often obscure email address means that you can't verify the accuracy with a glance. Take extra care that the address being used is correct.