Identifiable Information/HIPAA

| Platform | Can identifiable information be obtained and stored on this platform (e.g., in user accounts, demographic surveys, scheduling/recruitment/payment tools)? | Is the platform capable of encrypting data (identifiable or otherwise)? |
|---|---|---|
| Amazon MTurk | Not Available | Subject identity is completely hidden--no idea if it is encrypted behind the scenes. |
| Cognition.Run | Optional | Yes - end-to-end |
| Django | Optional | Yes - end-to-end |
| Gorilla | Optional | Yes - end-to-end, there should be similarity between GDPR by EU and IRB/HIPAA. But there is not yet any specific language tailored to IRB/HIPAA on their website. |
| hearX | Optional | Yes - end-to-end, Local data encryption at rest using AES-256 bit encryption. Secured server service via token authentication. |
| ispring | Optional | This is description from the company. More can be found here https://www.ispringsolutions.com/overview-of-security-processes "Data Encryption: iSpring Web Services use secure (encrypted) connection where it is possible and doesn’t affect the overall performance for end users. The following types of connections from users to iSpring Web-Services are protected by using a 256-bit SSL/TLS encryption: All sensitive data such as passwords, contact and billing information is always transferred over SSL. Non-sensitive information is transferred over plain HTTP without encryption. If content security is under concern, it is possible to turn on the option Force HTTPS that makes all connections SSL encrypted. Only encrypted connections are used to transfer data between iSpring servers: All email messages from iSpring Web Services are sent over TLS. Database replication between database servers is performed over SSL. All file transfers between storage servers are performed over SSL and SFTP." |
| Jacoti | Not Available (always de-identified) | Not sure. |
| jspsych | Optional | No, jspsych itself doesn't encrypt anything. The server serving the experiment (separately needed) could make all traffic encrypted by using HTTPS with SSL certificates. jspsych is a front-end library. Compliance issues apply to backend logic that jspsych does not provide. |
| MATLAB | Optional | The MATLAB web app server can be configured to use SSL encryption for participants connecting to the server. This ensures security in the data stream between the participants and the server. Data storage must be entirely managed by the experimenter and there are no configuration options in the server set-up process that modify how data are stored. Each individual MATLAB web app will determine how/where its data is stored. Users can elect to run the server on a machine with encrypted storage, ensuring that experimenter data is encrypted end to end. By default no data is saved on the participants' computers. MATLAB web apps are hosted on servers that must be run either by experimenters/labs or their institutions' research IT staff. Experimenters can work with their review boards to ensure server/data configurations comply with all required guidelines. |
| PART/BGC Science | Optional | Yes - end-to-end, Uploaded data are transmitted to AWS over a secure HTTPS connection. |
| Prolific | Not Available (always de-identified) | No |
| Psychstudio | Optional | Yes - end-to-end |
| PsyToolkit | Optional | HTTPS encryption |
| Qualtrics | Optional | Qualtrics uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data. |
| SHOEBOX | Required | Yes - end-to-end, HIPAA compliant storage services |
| SpeakPipe | Optional | No |
| TabSINT | Optional | No |
| TeamHearing | Optional | Yes - end-to-end |

| Platform | What mechanisms does the platform provide for synchronous interactions between user and tester? | Describe mechanisms for maintaining IRB/HIPAA compliance in synchronous interactions: |
|---|---|---|
| Amazon MTurk | None | Not applicable |
| Cognition.Run | None | Not applicable |
| Django | None | Not applicable |
| Gorilla | None, I'm not aware of integrated synchronous communications on Gorilla. But it is possible to do it through WebEx/Teams/Zoom. But I'm unclear if reduced bandwidth from synchronized interaction will affect Gorilla platform performance. | In our institution (UW-Madison), only WebEx or phone is allowed as synchronous interaction with remote testing. |
| hearX | Video, Text Chat/IM, Video otoscopy, ability to chat with clinician within the device if online. | No mention other than encryption. |
| ispring | None | Not applicable |
| Jacoti | None | Not applicable |
| jspsych | None | Not applicable |
| MATLAB | None, but it would be possible to build in real time communications support into the web apps, but this would likely prove to be far too time intensive to be practical for any research group. | Not applicable |
| PART/BGC Science | None, but it is typical to use Zoom or other video-conferencing software to guide users through the download, setup, and testing. | IRB approval is obtained to allow remote consenting and video interactions. |
| Prolific | None | Not applicable |
| Psychstudio | None | Not applicable |
| PsyToolkit | None | Not applicable |
| Qualtrics | None | Not applicable |
| SHOEBOX | | https://www.shoebox.md/security-policy/ Careful detail has gone into thinking about security/HIPAA compliance. |
| SpeakPipe | None | Not applicable |
| TabSINT | None | Not applicable |
| TeamHearing | None | Not applicable |

| Platform | Please describe any additional features related to maintenance of IRB/HIPAA compliance: |
|---|---|
| Amazon MTurk | Age verification might be an issue. |
| Cognition.Run | The website has a data access statement that they will "neither access nor share any information that is collected in the course of your tasks." |
| Django | Django provides many out-of-the-box components for encrypting data, secure login/authentication, secure anonymous web sessions and cookies, secure forms, etc. HIPAA compliance is achievable without particular need for security/IT expertise. |
| Gorilla | There should be similarity between GDPR by EU and IRB/HIPAA. But there is not yet any specific language tailored to IRB/HIPAA on their website. |
| hearX | No statements of IRB/HIPAA compliance other than safety of encrypted data. There is a centralized electronic health record management system. |
| ispring | |
| Jacoti | N/A Meant for direct to consumer use. |
| jspsych | jspsych is a front-end library. Compliance issues apply to backend logic that jspsych does not provide. |
| MATLAB | MATLAB web apps are hosted on servers that must be run either by experimenters/labs or their institutions' research IT staff. Experimenters can work with their review boards to ensure server/data configurations comply with all required guidelines. |
| PART/BGC Science | BGC Science was developed for maintaining secure data transfer and storage during remote testing without physically sending a device back and forth. Please contact the developers for more information. The project is NIH-funded to work directly with researchers and clinicians to create new testing approaches, so time and effort is available for this. https://braingamecenter.ucr.edu/games/p-a-r-t/ |
| Prolific | Prolific allows for targeting subject recruitment based on demographic/personal information (they have a large number of pre-screening filters available), and paying participants without obtaining any identifiable information whatsoever. Given that participant data (held on external servers by the researcher) and participant identities (held by Prolific) are thus separated, IRB/HIPAA compliance becomes easy. |
| Psychstudio | |
| PsyToolkit | You have the option not to store IP address. |
| Qualtrics | |
| SHOEBOX | https://www.shoebox.md/security-policy/ Careful detail has gone into thinking about security/HIPAA compliance. |
| SpeakPipe | |
| TabSINT | |
| TeamHearing | Accounts can be obtained that avoid personal identifiers. |

Page last modified on November 14, 2020, at 02:38 PM