The George Washington University REDCap instance was established April 2021.
The following information demonstrates how REDCap hosted at GWU is HIPAA Complaint:
The GWU REDCap instance is hosted using the following infrastructure: A client facing Load Balancer that handles the external IP address and HTTP requests. The application is installed on two separate CentOS7 VMs to ensure consistent up time and service. The data is encrypted at rest and is housed within Amazon Relational Database Service on a MariaDB instance. The backup of the database is automatically scheduled within the DB but a backup is also stored in an S3 Bucket. Access to the REDCap application is restricted to GWU accounts currently via InCommon, but the Single Sign On process can be expanded to other organizations and educational institutes that use InCommon. Once authenticated using InCommon’s Shibboleth process an account to the REDCap instance must be requested and authorized per project.
You can read GWU's REDCap full PHI safety data document here
More information on how GWU follows HIPAA guidelines can be found here