Insert into your grant, where appropriate, the text below describing StudyTRAX functionality and security. Contact us if your needs are different, as we have a number of examples and considerable experience helping investigators with grant write-ups.
Descriptive Text on StudyTRAX
The purpose of the study database is to track subject enrollment, capture data elements in a series of short, well-designed forms all available on-line via a secure web portal, and facilitate the transfer of data into statistical packages for analysis. The database application, called StudyTRAX, uses MS SQL Server as the back-end relational database. The program can support one or more research studies, is presently being used at dozens of major academic research centers to support numerous NIH-funded projects, and is available commercially (http://www.sciencetrax.com/studytrax/). The HIPAA privacy rules and HIPAA security rules mandate that covered entities have in place appropriate policies and procedures to protect the confidentiality and security of protected health information. In compliance with these regulations, the database security features of StudyTRAX target multiple levels including the data element (e.g., restricted access to fields), user (e.g., password authentication access), application (e.g., role-based access to features, access audit trails), and hosting services (e.g., firewall, secure sockets layer). Taken together, these features ensure access control, audit control, data integrity, user authentication, and transmission security. The research project(s) will be set up in StudyTRAX to ensure exported datasets are de-identified as defined in the HIPAA privacy regulation [45 C.F.R. §164.514 (b)(2)]. A 21 CFR Part 11 compliance document is available upon request from the creators of the software, a company called ScienceTRAX, LLC.
If applicable, add the text from ONE (i.e., “A”, “B”, or “C”) of the following recruitment options:
(A) Anonymous data collection only:
Participants will enroll themselves via an email or website containing a “Participate” link/button. When clicked, forms without identifying fields will be presented for completion. To ensure information can NOT be linked or tracked to participants, a meaningless ID will be automatically generated and data transferred via an encrypted connection.
(B) Anonymous, option to convert to named account:
Participants will enroll themselves via an email or website containing a “Participate” link/button. When clicked, screening data collection forms without identifying fields will be presented for completion. A meaningless ID will be automatically generated and data transferred via an encrypted connection so as to ensure the information can NOT be tracked back to participants. Participants that meet screening criteria will be given a consent option. If consent is given, appropriate identifying information will be securely captured with an option to create an account.
(C) If only staff will create accounts:
Research staff will create and manage participant accounts. Participants will validate their accounts and have control over their account information (e.g., password).
Application Hosting (if ScienceTRAX hosting application)
ScienceTRAX hosted solutions are fully HIPAA compliant and ensure access control, audit control, data integrity, user authentication, and transmission security. ScienceTRAX uses the data center services of Rackspace, a premier hosting company. Rackspace offers top-of-the-line hosting facilities. As a summary of the Rackspace facilities: (1) Access to the data center is secured by biometric hand scanners and monitored 24×7 by closed-circuit cameras. (2) Public access to the data center is strictly forbidden. Only level three technicians are permitted in the data center. (3) HVAC [Heating Ventilation Air Conditioning] systems are used to completely circulate and filter all the air every 90 seconds. (4) Continuous UPS [Uninterruptible Power Supply] systems keep all servers up and running in the event of a total power outage. (5) Diesel engines are located on-site to provide power for extended power outages. (6) Enterprise-class routing equipment is used in conjunction with multiple fiber carriers to ensure zero downtime due to network access.
Data is protected from loss by the following: (1) a redundant array of independent disks [RAID] Level 5 is used to ensure that data will not be lost if a hard drive fails, (2) full database backups are done nightly, (3) database log file backups are done every 15 minutes, (4) database integrity checks and index maintenance are performed nightly, and (5) the database and log backup files are retained as part of Rackspace’s backup process and also transferred every hour to Microsoft’s Azure geographically redundant storage.
Data security is assured by the following: (1) all server requests are transmitted over SSL using 256-bit encryption, (2) a dedicated Cisco router firewall only allows requests to StudyTRAX, (3) the database is stored on a separate server in a private independent subnet with no public IP address, (4) database and log files are encrypted, and (5) database and log backups are encrypted.