Identifiable Information/HIPAA

| Platform | Can identifiable information be obtained and stored on this platform (e.g., in user accounts, demographic surveys, scheduling/recruitment/payment tools)? | Is the platform capable of encrypting data (identifiable or otherwise)? |
|---|---|---|
| Amazon MTurk | Not Available | Subject identity is completely hidden; no indication whether it is encrypted behind the scenes. |
| Cognition.Run | Optional | Yes – end-to-end |
| Django | Optional | Yes – end-to-end (Django is a framework; transport and at-rest encryption depend on how the application and its server are deployed) |
| Gorilla | Optional | Yes – end-to-end. EU GDPR requirements should overlap with IRB/HIPAA requirements, but the website has no language specifically tailored to IRB/HIPAA yet. |
| hearX | Optional | Yes – end-to-end. Local data are encrypted at rest with AES-256; the server service is secured with token authentication. |
| ispring | Optional | Company description (more at https://www.ispringsolutions.com/overview-of-security-processes): "Data Encryption: iSpring Web Services use secure (encrypted) connection where it is possible and doesn't affect the overall performance for end users. The following types of connections from users to iSpring Web-Services are protected by using a 256-bit SSL/TLS encryption: All sensitive data such as passwords, contact and billing information is always transferred over SSL. Non-sensitive information is transferred over plain HTTP without encryption. If content security is under concern, it is possible to turn on the option Force HTTPS that makes all connections SSL encrypted. Only encrypted connections are used to transfer data between iSpring servers: All email messages from iSpring Web Services are sent over TLS. Database replication between database servers is performed over SSL. All file transfers between storage servers are performed over SSL and SFTP." Note that by default only data the vendor classes as sensitive is forced over TLS; enable the Force HTTPS option so that all participant traffic is encrypted. |
| Jacoti | Not Available (always de-identified) | Not sure. |
| jspsych | Optional | No. jspsych itself does not encrypt anything; it is a front-end library. The separately required server that hosts the experiment and receives the data can encrypt all traffic with HTTPS (TLS certificates). Compliance obligations fall on that backend, which jspsych does not provide. |
| MATLAB | Optional | The MATLAB Web App Server can be configured to use SSL/TLS for participants connecting to the server, which protects the data stream between participant and server. Data storage must be managed entirely by the experimenter: there are no options in the server setup that change how data are stored, and each individual MATLAB web app determines how and where its data are saved. Running the server on a machine with encrypted storage gives encryption both in transit and at rest. By default no data are saved on participants' computers. MATLAB web apps are hosted on servers run by experimenters/labs or their institution's research IT staff; experimenters can work with their review boards to ensure the server and data configuration meets all required guidelines. |
| PART/BGC Science | Optional | Yes – end-to-end. Uploaded data are transmitted to AWS over HTTPS. |
| Prolific | Not Available (always de-identified) | No |
| Psychstudio | Optional | Yes – end-to-end |
| PsyToolkit | Optional | Yes – HTTPS (TLS) for data in transit |
| Qualtrics | Optional | Qualtrics uses Transport Layer Security (TLS) encryption (HTTPS) for all transmitted data. |
| SHOEBOX | Required | Yes – end-to-end, HIPAA-compliant storage services |
| SpeakPipe | Optional | No |
| TabSINT | Optional | No |
| TeamHearing | Optional | Yes – end-to-end |
| Platform | What mechanisms does the platform provide for synchronous interactions between user and tester? | Describe mechanisms for maintaining IRB/HIPAA compliance in synchronous interactions: |
|---|---|---|
| Amazon MTurk | None | Not applicable |
| Cognition.Run | None | Not applicable |
| Django | None | Not applicable |
| Gorilla | None. I'm not aware of integrated synchronous communication on Gorilla, but it is possible to do it through WebEx/Teams/Zoom. I'm unclear whether reduced bandwidth from a synchronous interaction will affect Gorilla platform performance. | In our institution (UW-Madison), only WebEx or phone is allowed for synchronous interaction in remote testing. |
| hearX | Video, text chat/IM, video otoscopy, and the ability to chat with a clinician within the device when online. | No mention other than encryption. |
| ispring | None | Not applicable |
| Jacoti | None | Not applicable |
| jspsych | None | Not applicable |
| MATLAB | None, but real-time communication support could be built into the web apps; this would likely be far too time-intensive to be practical for any research group. | Not applicable |
| PART/BGC Science | None, but it is typical to use Zoom or other video-conferencing software to guide users through download, setup, and testing. | IRB approval is obtained to allow remote consenting and video interactions. |
| Prolific | None | Not applicable |
| Psychstudio | None | Not applicable |
| PsyToolkit | None | Not applicable |
| Qualtrics | None | Not applicable |
| SHOEBOX | | https://www.shoebox.md/security-policy/ Careful detail has gone into security/HIPAA compliance. |
| SpeakPipe | None | Not applicable |
| TabSINT | None | Not applicable |
| TeamHearing | None | Not applicable |
| Platform | Please describe any additional features related to maintenance of IRB/HIPAA compliance: |
|---|---|
| Amazon MTurk | Age verification might be an issue. |
| Cognition.Run | The website has a data access statement that they will "neither access nor share any information that is collected in the course of your tasks." |
| Django | Django provides many out-of-the-box components for password hashing, secure login/authentication, signed sessions and cookies, CSRF-protected forms, etc. HIPAA compliance is achievable without particular need for security/IT expertise, though the hosting environment (TLS, storage encryption, access control, logging) must still be configured and reviewed with the IRB. |
| Gorilla | EU GDPR requirements should overlap with IRB/HIPAA requirements, but the website has no language specifically tailored to IRB/HIPAA yet. |
| hearX | No statements of IRB/HIPAA compliance other than the safety of encrypted data. There is a centralized electronic health record management system. |
| ispring | |
| Jacoti | N/A – meant for direct-to-consumer use. |
| jspsych | jspsych is a front-end library. Compliance obligations fall on the backend, which jspsych does not provide. |
| MATLAB | MATLAB web apps are hosted on servers run by experimenters/labs or their institution's research IT staff. Experimenters can work with their review boards to ensure the server and data configuration meets all required guidelines. |
| PART/BGC Science | BGC Science was developed to maintain secure data transfer and storage during remote testing without physically sending a device back and forth. Please contact the developers for more information. The project is NIH-funded to work directly with researchers and clinicians on new testing approaches, so time and effort are available for this. https://braingamecenter.ucr.edu/games/p-a-r-t/ |
| Prolific | Prolific allows targeted recruitment based on demographic/personal information (a large number of pre-screening filters are available) and payment of participants without obtaining any identifiable information. Because participant data (held on external servers by the researcher) and participant identities (held by Prolific) are separated, IRB/HIPAA compliance is simplified. |
| Psychstudio | |
| PsyToolkit | There is an option not to store participant IP addresses. |
| Qualtrics | |
| SHOEBOX | https://www.shoebox.md/security-policy/ Careful detail has gone into security/HIPAA compliance. |
| SpeakPipe | |
| TabSINT | |
| TeamHearing | Accounts can be obtained that avoid personal identifiers. |
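The Django row above says the framework supplies the secure-session and HTTPS building blocks; what it leaves to the experimenter is turning them on. The following added example (written for this page, not code from the Django project or from any platform listed) audits a Django settings dictionary against the handful of values that matter for a site collecting identifiable participant data, showing a weak default-style configuration beside a hardened one. The hostname, the one-year HSTS value and the 30-minute session limit are assumptions chosen for illustration.

```python
import secrets

# Django's own defaults for the settings we audit (used when a key is absent).
DJANGO_DEFAULTS = {
    "DEBUG": False,
    "SECRET_KEY": "",
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_AGE": 1209600,  # two weeks
}

ONE_YEAR = 31536000        # HSTS max-age we require (assumption: one year)
MAX_SESSION_AGE = 1800     # idle logoff limit in seconds (assumption: 30 min)

# Constructed example: roughly what a freshly generated project looks like
# before deployment hardening. Not taken from any real project.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_AGE": 1209600,
}

# Constructed example: the same keys with hardened values. In a real deployment
# SECRET_KEY comes from an environment variable or secret manager; it is
# generated inline here only so the example runs stand-alone.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": secrets.token_urlsafe(64),
    "ALLOWED_HOSTS": ["study.example.edu"],  # hypothetical hostname
    "SECURE_SSL_REDIRECT": True,             # HTTP requests redirected to HTTPS
    "SESSION_COOKIE_SECURE": True,           # session cookie only over TLS
    "CSRF_COOKIE_SECURE": True,              # CSRF cookie only over TLS
    "SESSION_COOKIE_HTTPONLY": True,         # not readable from page scripts
    "SECURE_HSTS_SECONDS": ONE_YEAR,         # browsers remember to use HTTPS
    "SESSION_COOKIE_AGE": MAX_SESSION_AGE,   # automatic logoff after idle time
}


def audit(settings):
    """Return the names of settings whose values are unsafe for a site that
    handles identifiable participant data. An empty list means all checks pass."""
    get = lambda name: settings.get(name, DJANGO_DEFAULTS[name])
    findings = []

    if get("DEBUG"):
        findings.append("DEBUG")  # debug pages leak source, settings and request data

    key = get("SECRET_KEY")
    if len(key) < 50 or key.startswith("django-insecure-"):
        findings.append("SECRET_KEY")  # signs sessions, CSRF and password-reset tokens

    hosts = get("ALLOWED_HOSTS")
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS")  # open to Host-header attacks

    for name in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE",
                 "CSRF_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY"):
        if not get(name):
            findings.append(name)

    if get("SECURE_HSTS_SECONDS") < ONE_YEAR:
        findings.append("SECURE_HSTS_SECONDS")

    if get("SESSION_COOKIE_AGE") > MAX_SESSION_AGE:
        findings.append("SESSION_COOKIE_AGE")

    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_SETTINGS))
    print("hardened:", audit(HARDENED_SETTINGS))
```

Django ships a comparable built-in review as `python manage.py check --deploy`; the checker above stands in for it on a settings dictionary so it can run without a project. These settings only cover transport and session handling; encryption of stored data, access control on the server, audit logging and any vendor agreements still have to be arranged with the hosting environment and the IRB, as the MATLAB row notes for self-hosted servers.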