List of OIT-Reviewed Apps and Software for Research using Identifiable Information

Below is a list of services that have been reviewed and approved by Emory for processing and storing Identifiable Information as electronic data, including ePHI. Even though these services have been reviewed, you are still responsible for ensuring that your use of them meets all of Emory’s applicable IT security and HIPAA policies, as well as any applicable rules of behavior.

For more information, please review the following policies:

Data Storage

Name: Emory Trusted Storage
Description: ePHI and other types of sensitive data may be stored here. All data is encrypted at rest and access to all data is audited. Can be accessed on campus or through Emory’s VPN.
Fee: Yes
Website: https://it.emory.edu/catalog/technical-infrastructure/storage-management.html

Name: OneDrive
Description: OneDrive is a cloud storage service available through Office365. Faculty, staff, and students with Emory e-mail addresses already have OneDrive accounts. All sensitive data types may be stored here except for PCI or FISMA related data. You must read and agree to the OneDrive rules of behavior: https://it.emory.edu/security/conditions.html
Fee: Free for Emory Staff, Faculty and Students
Website: https://email.emory.edu/

Name: OnBase
Description: OnBase is a document imaging solution that may be used to store paper records with ePHI that need to be stored digitally.
Fee: Yes
Website: https://it.emory.edu/onbase/

Name: Oracle Database
Description:
  • OIT offers a HIPAA-Compliant shared infrastructure which is available for applications that do not have strict requirements for things like a dedicated database, SYS/SYSTEM level access, or server level access. OIT gathers requirements to ensure the application will fit into the shared support model at Emory.
  • Data is encrypted at-rest and in-transit. User accounts have a hardened profile that forces password expiration, password complexity, and monitors retry attempts.
  • OIT will work with the application teams to define the connectivity paths as any/all traffic to the database environment is filtered.
  • Customers can leverage OIT database administration services for applications that exceed the internal requirements as part of the shared infrastructure and OIT will deploy the same level of features (there could be a cost associated with encryption-at-rest) for their dedicated infrastructure.
Fee: Yes

Name: MySQL Database
Description:
  • OIT offers a HIPAA-Compliant shared infrastructure which is available for applications that do not have strict requirements for things like a dedicated database, root-level access, or server access. OIT gathers requirements to ensure the application will fit into the shared support model at Emory.
  • Data is encrypted at-rest and in-transit. User accounts have a hardened profile.
  • OIT will work with the application teams to define the connectivity paths as any/all traffic to the database environment is filtered.
  • Customers can leverage OIT database administration services for applications that exceed the internal requirements as part of the shared infrastructure and OIT will deploy the same level of features (there could be a cost associated with encryption-at-rest) for their dedicated infrastructure.
Fee: Yes

Name: Emory Box
Description: No longer a storage option. Emory University and Emory Healthcare have decided to move away from Box as a storage offering, in favor of OneDrive.

Box to OneDrive migration FAQ here

Data Collection

For collection of sensitive data that does not contain identifiers, investigators may use other tools as approved by the IRB, including Survey Monkey.

Name: REDCap
Description: REDCap is a data collection platform that has been approved for storing ePHI related data.
Fee: Free for Emory Staff, Faculty and Students for research purposes
Website: https://it.emory.edu/catalog/data-and-reporting/redcap.html

Name: Qualtrics
Description: Qualtrics is a survey and data collection cloud service that has been approved for collecting and storing ePHI related data.
Fee: Free for Emory Staff, Faculty and Students
Website: School of Medicine Qualtrics service: SOMITS-SitePages-Qualtrics

Name: Medidata Rave EDC
Description: Cloud-based clinical data management system used to capture, manage, and report clinical research data electronically.

This does include Medidata eCRF.

It does not cover any other Medidata products such as:

  • Patient Cloud
  • ePRO
  • eCOA
Fee: Cost per user
Website: https://www.medidata.com/en/clinical-trial-products/clinical-data-management/edc-systems/

FAQ plus scenarios to apply Emory HIPAA policy according to study activities:

hipaa_changes_faq_plus_decision_chart.pdf

Messaging and Conferencing

Name: Office365 Email
Description: Emory’s Office365 email system is approved for sending and receiving ePHI internally between Emory affiliated individuals. ePHI may not be sent to external recipients.
Fee: Free for Emory Staff, Faculty and Students
Website: https://it.emory.edu/catalog/email-and-calendaring/index.html

Name: Zoom
Description: Video and teleconferencing service that may be used for the discussion of ePHI. HIPAA accounts are approved for Telemedicine.

See this guidance on which Zoom account is appropriate.

Emory Healthcare and Emory University HIPAA accounts are HIPAA compliant, but Emory University Main accounts are not. Most groups are auto routed to the appropriate enterprise account, but if you need a HIPAA compliant account, contact IT.
Fee: Free for Emory Staff, Faculty and Students
Website: https://it.emory.edu/office365/ZOOM.html

Name: Skype for Business (SFB)
Description: SFB is an instant messaging and conferencing solution available to all Emory faculty, staff, and students. Emory users can hold calls and conferences with consumer Skype users, but the Emory user must initiate the communication. SFB is approved for discussing sensitive data, including ePHI. However, SFB is not an approved telemedicine solution.
Fee: Free for Emory Staff, Faculty and Students
Website: https://it.emory.edu/office365/skype-for-business.html

Name: Spok Mobile
Description: Spok Mobile is Emory’s paging system and can also be used for secure texting, including ePHI. The secure texting function will only work between individuals who are affiliated with Emory, and is not suitable for communicating with non-affiliated individuals.
Fee: Free for Emory Staff, Faculty and Students
Website: http://it.emory.edu/mobileconnect/

Name: Office 365 Message Encryption (OME)
Description: Emory is now using Office 365 Message Encryption (OME) to encrypt outgoing email messages. OME allows Emory users to send emails to external users while ensuring that the message is transmitted securely and is visible only to the intended recipient.
Fee: Free for Emory Staff, Faculty and Students
Website: https://it.emory.edu/office365/ome.html

Clinical Data

Name: i2b2
Description:
  • Emory i2b2 lets you query Emory Healthcare electronic health record data for patient counts and aggregate information free of charge.
  • Supports pre-research queries for assessing study feasibility, for example, IRB protocol submissions and grant applications. You do not need IRB approval to use it for pre-research queries.
  • Authorized individuals also may use it for healthcare operations purposes.
  • Read the user agreement carefully for more about what you may and may not do with the information you get from i2b2.
  • Receives a feed of demographics, visit detail, diagnosis code, procedure code, medication order, and selected laboratory test data.
Fee: For data with identifiers, you will need an IRB approval letter. The service center charges an hourly rate.
Website: https://it.emory.edu/catalog/data-and-reporting/i2b2.html

Electronic Signatures for electronic informed consent

NOTE: eSignLive is no longer recommended. If you are using it currently for an already approved study, you may continue. Do not use eSignLive for new studies starting on or after 3/31/2020.

Name: REDCap
Description: REDCap is a data collection platform that has been approved for storing ePHI related data (not for studies that are required to be Part 11 compliant).
Fee: Free for Emory Staff, Faculty and Students for research purposes
Website: https://it.emory.edu/catalog/data-and-reporting/redcap.html

Name: DocuSign
Description: Emory has selected DocuSign as our electronic signature solution.

DocuSign is an easy-to-use, full-featured, web-based application:

  • Signing/sending documents
  • Creating forms, and
  • Managing document workflow

Find more details here.

For studies which are required to comply with the FDA's CFR 21 Part 11, use DocuSign Part 11 compliant envelopes.
Fee:
  • Enterprise agreement envelopes (non-CFR 21 Part 11): Free for Emory University Staff and Faculty (and approved students). Emory Healthcare personnel can sign an envelope, but cannot send envelopes with the DocuSign enterprise agreement.
  • For CFR 21 Part 11 signatures: $1.50/envelope
Website: https://docusign.emory.edu/