Research involving apps, websites, and wearables

Access guidance for building health apps intended for use in research or patient care. 

Researchers should gather the following information in preparation for early conversations with support groups at Duke:

BASIC CHECKLIST

• Who is paying for the app development? 
• Who will build the app?
  • If not Duke, are they an approved vendor? [If not, expect the process to take longer!]
• Has the app previously been reviewed by either of the Duke Information Security Offices? 
• How (or will) will the app be used by research participants?
• Where will the app live? (personal device, sponsor device, cloud hosted, etc.)
• What kinds of device permissions will be required? (e.g., access to the camera, microphone, storage, etc.)
• Who will maintain the app after it launches?  Has that been budgeted?
• Will the app be collecting and/or transmitting data?
  • Where will the data be stored?
  • Will the data be subject to any specific regulations (HIPAA for patient data, FERPA for student data, etc.)?
  • How will the data be transmitted?
• Will the app be Duke branded?

DOCUMENTS TO HAVE AVAILABLE

• Contract with the sponsor or app builder (if applicable)
• Consent form (suggested language here for DUHS IRB)
• Prior approvals for use of the app at Duke (if applicable)

Researchers should gather the following information in preparation for early conversations with support groups at Duke:

BASIC CHECKLIST

• Who is paying for the website development? 
• Who will build the website?
  • If not Duke, are they an approved vendor? [If not, expect the process to take longer!]
• Has the ISO or ITSO run a security scan on the website?
• How will participants access the website?  Is it secured in some way?
• Where will the website be hosted?
• What kinds of permissions will be allowed?
• Who will maintain the website after it launches?  Has that been budgeted?
• Will the website be collecting and/or transmitting data?
  • Where will the data be stored?
  • Is the data subject to any specific regulations (HIPAA for patient data, FERPA for student data, etc.)?
  • How will the data be transmitted?  Does it need to be protected?
• Will the website be Duke branded?

DOCUMENTS TO HAVE AVAILABLE

• Contract with the sponsor or website builder (if applicable)
• Consent form (suggested language here for DUHS IRB)

Researchers should gather the following information in preparation for early conversations with support groups at Duke:

BASIC CHECKLIST

• If this is a medical device, have you engaged ORAQ and/or Engineering?
• Who purchased the wearable or technology (e.g., is it participant-owned, purchased by Duke, purchased by sponsor, etc.)?
• Who is responsible for maintaining the wearable or technology? Are regular security updates available?
• How will the wearable or technology be set up?  By whom?
• What kinds of permissions will be allowed?  Does the wearable access personal devices (e.g., the participant’s phone or watch?)
• Will the wearable or technology be collecting and/or transmitting data?
  • Where will the data be stored?
  • Is the data subject to any specific regulations (HIPAA for patient data, FERPA for student data, etc.)?
  • How will the data be transmitted?  Does it need to be protected?

DOCUMENTS TO HAVE AVAILABLE

• Contract with the sponsor or technology provider (if applicable)
• Terms of Use/Privacy Statement
• Consent form (suggested language here for DUHS IRB)