Obtaining Identified Clinical Data for Research
You only need to complete this process once per IRB protocol, unless your data requirements expand beyond the original scope of an approved protocol.
The process for obtaining Protected Health Information has five steps.
Create or Modify an IRB Protocol
In order to obtain or review identified clinical data for research purposes you must have an approved IRB protocol.
In Step 3 you will be asked to supply a protocol number; this number will be used by the Privacy Office to call up your protocol for review in Step 4.
If you have already have a protocol, proceed to Step 2.
To create a new protocol at Stanford, browse to https://eprotocol.stanford.edu/mydashboard and click on the "Create Protocol" button on the right, part way down the page.
This will give you the IRB Protocol number required in Step 3.
Note that if you have a protocol from outside Stanford you do not also need to create a Stanford protocol, you can simply upload your outside protocol in Step 3.
Talk to us
Step 3 also requires an "SCCI Case Number", which is how we will tie the approval back to our record of your project. Chances are if you're reading this page you have already reached out to us and already have a Case number. In this case, you can proceed to Step 3.
If you have not yet done so, please use our online consultation services request form to contact us, describe to us your research study, and obtain a consultation "Case number" from us.
Complete the IRB Worksheet and Obligations Attestation
Use our online tool to specify the PHI and roughly categorize the clinical data in your data request. This tool generates text suitable for inclusion in your IRB privacy and confidentiality sections (sections 11b and 15a, or 3 and 5 for chart review protocols).
Paste the generated text into the appropriate two sections (11b/15a or 3/5) of the IRB protocol you are using to cover the activity of using identified clinical data for research. If you already have text in these sections you should append the newly generated text, but be sure there no discrepancies in the result.
When you complete this form for the first time you are not yet ready for Privacy Office review, so you will supply "No" as the answer to the "Ready for Privacy Review" question on page 2. You will later re-visit this page and modify the answer to this question, once you reach Step 5.
Once you have saved the generated block of text for inclusion in the confidentiality and privacy sections of your protocol, go to the next page of the survey to complete a section documenting your obligations regarding data privacy and security.
Wait for IRB Approval
The IRB must approve your protocol before you can reference it in your data use and disclosure application to the University Privacy Office.
Initiate Privacy Review
In order to use identified clinical data for research purposes, the University Privacy office reviews three documents:
- your statement of acceptance of your data privacy and security obligations,
- your formal application for access to data (the IRB Worksheet) and
- the language in the IRB protocol referenced in the application.
If there are inconsistencies in the language in the IRB Worksheet and the IRB Protocol, the application will be rejected.
Once your IRB protocol containing the language generated in Step 2 has been approved and you have also completed the attestation described in Step 3, you are ready for Privacy Review. To trigger this review, re-open the worksheet and change your answer from "No" to "Yes". This will send the University Privacy the the data access request (the IRB Worksheet) and its supporting documentation (the attestation and the IRB protocol).
Congratulations, you're done!
If the data request and the wording in both sections 11b & 15a (or 3 & 5) of your IRB all match with each other, you will be notified by the University Privacy Office that you may now use and/or disclose the data for your research.
Please bear in mind that you are not permitted to redistribute the data set to other researchers for their research, nor are you permitted to use this data yourself for a different research project. The permissions to use the data are tied to the research project described in your IRB protocol.
What to do if Privacy denies my request?
If your application is denied, you generally have two options:
- Modify your IRB to bring it into concordance with your data request,
- Modify your data request to bring it into concordance with your IRB.
If you decide to pursue option 1, you need to let us know when the modification has been approved, so we can modify your original application to trigger a submission for re-review.
If you decide to pursue option 2, you can update your worksheet yourself, but as with option 1 you will need to notify us when you have done so, so we can then modify the record to trigger a re-review by Privacy.
Please know that you have our sincerest thanks for the time and attention you have devoted to ensuring that the intended use of this highly sensitive data is fully and accurately documented.
Also please bear in mind that you are not permitted to redistribute the data set to other researchers for their research, nor are you permitted to use this data yourself for a different research project. The permissions to use the data are tied to the research project described in your IRB protocol.