Regulated Research & Compliance

REDCap is a configurable research platform widely used in clinical, translational, and academic research environments operating under regulatory, privacy, and compliance requirements.

REDCap is not a pre-certified regulatory system. Compliance is achieved through a combination of system capabilities, institutional governance, and study-specific implementation. This model enables REDCap to support a wide range of regulatory contexts while maintaining flexibility for diverse research needs.

Core Compliance Model

Effective use of REDCap in regulated environments depends on alignment across three domains:

System-Level Capabilities

REDCap provides technical capabilities that support compliant data collection and management, including:

  • Audit trails capturing data creation, modification, and deletion
  • User authentication and role-based access controls
  • Configurable data collection workflows and permissions
  • Logging and traceability of user activity
  • Support for electronic consent and signature workflows

These capabilities establish the technical foundation for compliant system use.

Institutional Governance

Institutions are responsible for defining and maintaining the environment in which REDCap operates. This typically includes:

  • Secure infrastructure and hosting environments
  • System validation activities (e.g., Installation Qualification, Operational Qualification)
  • Change control and release management processes
  • Standard operating procedures (SOPs) for system use and administration
  • Oversight of user access, monitoring, and compliance enforcement

Institutional governance determines how REDCap is deployed, controlled, and maintained within a regulated context.

Study-Level Implementation

Research teams are responsible for implementing REDCap in alignment with protocol-specific and regulatory requirements. This includes:

  • Study design and data collection workflows
  • User roles and permissions
  • Consent processes and documentation
  • Data handling, monitoring, and quality control procedures

Compliance at the study level depends on appropriate configuration and adherence to protocol requirements.

Alignment with Regulatory Frameworks

REDCap is commonly used in research environments subject to a range of regulatory and compliance frameworks, including but not limited to:

  • FDA regulations (e.g., 21 CFR Part 11; 21 CFR Part 312 / 812)
  • HIPAA (U.S. health information privacy and security)
  • GDPR (EU data protection and privacy)
  • ICH Good Clinical Practice (GCP)
  • Federal information security requirements (e.g., FISMA-aligned environments)
  • NIH and federal data security policies
  • U.S. state-level privacy regulations
  • Accessibility standards (e.g., WCAG, Section 508)

Some frameworks, such as FISMA, apply at the system and infrastructure level and are addressed through institutional hosting, security controls, and authorization processes rather than application-level functionality.

The applicability of these frameworks depends on the study, sponsor, jurisdiction, and institutional policies.

REDCap can be configured and governed to support alignment with these requirements; however, compliance is determined by how the system is implemented and managed within a given environment.

Validation and System Oversight

In regulated environments, REDCap is typically deployed within a structured validation and governance framework. This may include:

  • Documented system validation (e.g., IQ/OQ)
  • Risk-based assessment of system functionality
  • Defined system boundaries and intended use
  • Ongoing monitoring, maintenance, and change control
  • Audit readiness and documentation practices

Consortium-driven efforts, such as the REDCap Validation Project (RVP), provide shared resources and approaches to support validation activities across institutions.

Important Considerations

  • REDCap is a configurable platform and does not inherently confer regulatory compliance
  • Compliance requirements vary based on study design, regulatory scope, and jurisdiction
  • Institutional policies and infrastructure are central to achieving compliance
  • Study teams are responsible for protocol-specific implementation and oversight

Evolving Landscape

Regulatory expectations, interoperability standards, and data governance practices continue to evolve. REDCap and the REDCap Consortium actively develop tools, validation frameworks, and implementation guidance to support institutions operating in regulated environments.

This page will be updated as new capabilities, standards, and resources emerge.