Data Privacy Attestation

The STARR IRB requires each person working with clinical data for research purposes to obtain formal permission from the University Privacy Office, due to the sensitive nature of the data and the high risk to the institution of working with PHI.


If you are still in the preparatory-to-research phase, you can provision yourself a chart review of up to 50 de-identified charts, available for 90 days.


If you are conducting research, you must have an approved Internal Review Board (IRB) protocol with an associated primary Data Privacy Attestation (DPA). To find out whether your project is considered research, you must contact the IRB. The process to create a new primary attestation or revise an existing one is described below.


If you are engaged in clinical quality improvement or other activities not considered human subjects research, you must obtain a determination of human subjects research (QI/QA) from Stanford's Internal Review Board (IRB). With that determination you can then complete a Data Privacy Attestation (DPA).  


If you are joining an already active research program with approvals in place, you must still complete an attestation; this is referred to as an Add-On Attestation, and contains all the same personal attestation statements as the primary attestation.

How to check your DPA status

How To Complete or Revise a Primary Data Privacy Attestation

Start by Contacting the IRB

If, when you contact the IRB, they determine that you are not conducting research, they will give you an official notification known as a Determination of Human Subjects Research. This determination does not obviate the need for a data privacy attestation; please follow these instructions on how to complete a Data Privacy Attestation with HSR determination.

For instructions on how to open a new IRB Protocol, please refer to our step-by-step instructions on creating a new chart review protocol.

For instructions on how to add a new DPA to an existing IRB Protocol, please see our guide on opening a protocol modification.

For instructions on how to modify an existing DPA, please see our guide on updating your DPA.

Step 1 - Locate the Data Privacy Attestation Link in eProtocol

In your IRB Protocol, navigate to the "Confidentiality Protections" section and click the link marked "Data Privacy Attestation" that appears in the question description. If you have a Chart Review protocol, this will be section 3a. If Expedited Medical, it will be section 11b.

Note that while there is now electronic linkage between eProtocol and the Data Privacy Attestation (DPA), the approvals for these two documents come from two distinct campus organizations. You need to obtain approval for the DPA form from the Privacy Office. Approval for your eProtocol comes from the Research Compliance Office.

When you click on the "Data Privacy Attestation" link in eProtocol, you are now editing a DPA associated with your IRB.

If you are modifying an existing protocol, you may need to click the "Edit" button at the top of the page to open up the survey.

Step 2 - Complete the Data Privacy Attestation

The first few selections in the form will auto-populate. You will then be prompted to specify whether or not you are working with PHI. If you plan to work with PHI, please clearly document all planned PHI use, and please bear in mind the principle of HIPAA Minimum Necessary when designing your protocol. For example, you could document in the DPA that you will be working with MRNs, names, dates, phone numbers and addresses, but describe in the study procedure section of the IRB how all PHI will be kept sequestered in a separate dataset for infrequent use as needed for data validation or clinical followup, and that the statistical analysis will be conducted on de-identified data.

The next section prompts you to specify what types of clinical data you will be working with. As noted in the diagram below, the form prompts you to clearly explain your intended use case for each type of clinical data, and certain choices may trigger additional compliance requirements or scrutiny. Also please note that not all of these data are currently available in the online chart review tool. Refer to our detailed clinical research data inventory for more information.

Note that clinical documents and procedure reports are considered high risk even when de-identified. This is due to the risk of incidental PHI slipping through the automatic de-identification process. The only 100% reliable way to guarantee that no PHI is present in narrative documents is to ask a person to read each document carefully.

By the same token, radiology images are considered high risk even after de-identification, due to the risk of PHI burned into the image itself. The de-identification process only reliably removes PHI in the image header.

Step 3 - Save and bookmark the form

Once the Data Privacy Attestation form has been submitted, a “receipt” form will be generated. It is best to bookmark this page as there is an edit feature and an add-on feature allowing for the research team to add themselves to the primary attestation you have just created, once all approvals are in place.

Step 4 - Waivers of Consent/Assent & Authorization

A waiver of Consent AND a waiver of HIPAA authorization are required for all medical chart reviews. A waiver of assent is also required for chart reviews which access the information of patients aged 18 and under. Go to Protocol Information → Page 5 (page 15 on an expedited medical protocol) → “Add”.

The “Data Elements” listed in the waiver of HIPAA authorization must match those listed in section 3a (11b) and those checked off in the Data Privacy Attestation (DPA) form.

Step 5 - Submit, and wait for Privacy Office Approval of the DPA (~1 week)

Once complete, submit your protocol for joint review by both the Privacy Office and the IRB. This is a two-step process, with Privacy approval coming first. If you are working with high risk data or plan any disclosures, they may ask you to adjust the language in your protocol to make it clearer what processes you are putting in place to protect data privacy and confidentiality. You can expect to hear back from the Privacy Office in about a week.

Step 6 - Respond to IRB request for comment

Once you get the email from the Privacy Office, you must go back to eProtocol and respond to the request for comments that you will find in your "Action Items" list. Respond to the comment saying that you have received approval for the DPA.

Don't forget to click the "Submit to Manager" button in the upper right.

Step 7 - Wait for IRB approval (~1-2 weeks)

Once you have submitted your comment to the IRB that you received Privacy Office approval, your protocol is ready for review and approval by the Research Compliance Office. It typically takes between 1 and 3 weeks total to receive approval of a newly submitted research protocol.

Step 8 - Chart Review (optional but highly recommended)

Once you have both Privacy Office and IRB approval, you can save your patient lists for later review in the STRIDE Chart Review Tool.

Add-on Attestations

Part of the process of saving your patient list for chart review involves specifying the SUNetIDs of persons other than yourself who will also be conducting chart review on these patients' records.

Every person who wants to use the Chart Review Tool to review clinical data for research must have their own personal Data Privacy Attestation. This is where the bookmark from Step 3 comes in handy - visit that bookmark, open the approved DPA for your project, and click the button marked "Invite Collaborators to Attest". Then send that email to everyone you listed when creating the patient cohort for review.

If you didn't bookmark the link, not a problem. You can always find it on your personal dashboard of Data Privacy Attestations.

Once your collaborator has completed the "Add-on" data privacy attestation, they will be able to log into the Chart Review tool and see the cohort you have created.