IdentifiableInformationHandling

Identifiable Information/HIPAA

| Platform | Can identifiable information be obtained and stored on this platform (e.g., in user accounts, demographic surveys, scheduling/recruitment/payment tools)? | Is the platform capable of encrypting data (identifiable or otherwise)? |
|---|---|---|
| Amazon MTurk | Not Available | Subject identity is completely hidden; no idea whether it is encrypted behind the scenes. |
| Cognition.Run | Optional | Yes – end-to-end |
| Django | Optional | Yes – end-to-end |
| Gorilla | Optional | Yes – end-to-end. There should be similarity between the EU's GDPR and IRB/HIPAA, but there is not yet any specific language tailored to IRB/HIPAA on their website. |
| hearX | Optional | Yes – end-to-end. Local data encryption at rest using AES-256; secured server service via token authentication. |
| ispring | Optional | Description from the company (more at https://www.ispringsolutions.com/overview-of-security-processes): "Data Encryption: iSpring Web Services use secure (encrypted) connection where it is possible and doesn't affect the overall performance for end users. The following types of connections from users to iSpring Web-Services are protected by using a 256-bit SSL/TLS encryption: All sensitive data such as passwords, contact and billing information is always transferred over SSL. Non-sensitive information is transferred over plain HTTP without encryption. If content security is under concern, it is possible to turn on the option Force HTTPS that makes all connections SSL encrypted. Only encrypted connections are used to transfer data between iSpring servers: All email messages from iSpring Web Services are sent over TLS. Database replication between database servers is performed over SSL. All file transfers between storage servers are performed over SSL and SFTP." |
| Jacoti | Not Available (always de-identified) | Not sure. |
| jspsych | Optional | No, jspsych itself doesn't encrypt anything. The server serving the experiment (needed separately) can encrypt all traffic by using HTTPS with SSL certificates. jspsych is a front-end library; compliance issues apply to back-end logic that jspsych does not provide. |
| MATLAB | Optional | The MATLAB web app server can be configured to use SSL encryption for participants connecting to the server, which secures the data stream between participants and the server. Data storage must be managed entirely by the experimenter; there are no configuration options in the server set-up process that modify how data are stored, and each individual MATLAB web app determines how and where its data are stored. Users can elect to run the server on a machine with encrypted storage, ensuring that experimenter data are encrypted end to end. By default no data are saved on the participants' computers. MATLAB web apps are hosted on servers that must be run either by experimenters/labs or by their institutions' research IT staff. Experimenters can work with their review boards to ensure server/data configurations comply with all required guidelines. |
| PART/BGC Science | Optional | Yes – end-to-end. Uploaded data are transmitted to AWS over a secure HTTPS connection. |
| Prolific | Not Available (always de-identified) | No |
| Psychstudio | Optional | Yes – end-to-end |
| PsyToolkit | Optional | HTTPS encryption |
| Qualtrics | Optional | Qualtrics uses Transport Layer Security (TLS) encryption (i.e., HTTPS) for all transmitted data. |
| SHOEBOX | Required | Yes – end-to-end; HIPAA-compliant storage services |
| SpeakPipe | Optional | No |
| TabSINT | Optional | No |
| TeamHearing | Optional | Yes – end-to-end |
| Platform | What mechanisms does the platform provide for synchronous interactions between user and tester? | Mechanisms for maintaining IRB/HIPAA compliance in synchronous interactions |
|---|---|---|
| Amazon MTurk | None | Not applicable |
| Cognition.Run | None | Not applicable |
| Django | None | Not applicable |
| Gorilla | None. I'm not aware of integrated synchronous communications on Gorilla, but it is possible to do it through WebEx/Teams/Zoom. I'm unclear whether reduced bandwidth from synchronous interaction will affect Gorilla platform performance. | In our institution (UW-Madison), only WebEx or phone is allowed as synchronous interaction with remote testing. |
| hearX | Video, text chat/IM, video otoscopy, and the ability to chat with a clinician within the device if online. | No mention other than encryption. |
| ispring | None | Not applicable |
| Jacoti | None | Not applicable |
| jspsych | None | Not applicable |
| MATLAB | None, but it would be possible to build real-time communications support into the web apps; this would likely prove far too time-intensive to be practical for any research group. | Not applicable |
| PART/BGC Science | None, but it is typical to use Zoom or other video-conferencing software to guide users through the download, setup, and testing. | IRB approval is obtained to allow remote consenting and video interactions. |
| Prolific | None | Not applicable |
| Psychstudio | None | Not applicable |
| PsyToolkit | None | Not applicable |
| Qualtrics | None | Not applicable |
| SHOEBOX | | https://www.shoebox.md/security-policy/ Careful detail has gone into thinking about security/HIPAA compliance. |
| SpeakPipe | None | Not applicable |
| TabSINT | None | Not applicable |
| TeamHearing | None | Not applicable |
| Platform | Additional features related to maintenance of IRB/HIPAA compliance |
|---|---|
| Amazon MTurk | Age verification might be an issue. |
| Cognition.Run | The website has a data access statement that they will "neither access nor share any information that is collected in the course of your tasks." |
| Django | Django provides many out-of-the-box components for encrypting data, secure login/authentication, secure anonymous web sessions and cookies, secure forms, etc. HIPAA compliance is achievable without particular need for security/IT expertise. |
| Gorilla | There should be similarity between the EU's GDPR and IRB/HIPAA, but there is not yet any specific language tailored to IRB/HIPAA on their website. |
| hearX | No statements of IRB/HIPAA compliance other than the safety of encrypted data. There is a centralized electronic health record management system. |
| ispring | |
| Jacoti | N/A. Meant for direct-to-consumer use. |
| jspsych | jspsych is a front-end library. Compliance issues apply to back-end logic that jspsych does not provide. |
| MATLAB | MATLAB web apps are hosted on servers that must be run either by experimenters/labs or by their institutions' research IT staff. Experimenters can work with their review boards to ensure server/data configurations comply with all required guidelines. |
| PART/BGC Science | BGC Science was developed for maintaining secure data transfer and storage during remote testing without physically sending a device back and forth. Please contact the developers for more information. The project is NIH-funded to work directly with researchers and clinicians to create new testing approaches, so time and effort is available for this. https://braingamecenter.ucr.edu/games/p-a-r-t/ |
| Prolific | Prolific allows for targeting subject recruitment based on demographic/personal information (they have a large number of pre-screening filters available) and paying participants without obtaining any identifiable information whatsoever. Given that participant data (held on external servers by the researcher) and participant identities (held by Prolific) are thus separated, IRB/HIPAA compliance becomes easy. |
| Psychstudio | |
| PsyToolkit | You have the option not to store IP addresses. |
| Qualtrics | |
| SHOEBOX | https://www.shoebox.md/security-policy/ Careful detail has gone into thinking about security/HIPAA compliance. |
| SpeakPipe | |
| TabSINT | |
| TeamHearing | Accounts can be obtained that avoid personal identifiers. |