
If your question is not addressed here, please request a consultation.



What are the common research regulations?

For typical research, the one-stop shop is often the Research Compliance Office (RCO). Researchers must first submit an eProtocol. Depending on the nature of the protocol, the IRB will ask the researcher to follow specific steps. Once all IRB-required steps are completed, you can request access to data. If you are sharing data with non-Stanford researchers, there are other procedures.

Learn more about Stanford guidelines and procedures

What if the data I need is not easily available through University tools?

If you are requesting access to specific Hospital applications, including EPIC, for the purpose of research, first follow IRB requirements and sign the Data Privacy Attestation. In your IRB Protocol, navigate to the “Confidentiality Protections” section and click the link marked “Data Privacy Attestation” that appears in the question description. If you have a Chart Review protocol, this will be section 3a. If Expedited Medical, it will be section 11b. Please take a copy of your IRB approval, any additional IRB-required attestations, the Data Privacy Attestation, and, if applicable, the EHR access privilege memo that indicates the data you need is not readily available through University tools, and reach out to the SHC/SCH Compliance and Privacy Office at and provide them with a copy of these documents so that they can assist you in obtaining the data requested in a compliant manner.

Do I need a Data Risk Assessment (DRA)?

STARR data is patient data. Patient data is sensitive data. It is either High Risk PHI or High Risk (not PHI) and, in a few cases, Moderate Risk. If you are receiving data from Research IT or Research Informatics Center and your workflow is strictly limited to Nero computing, SoM Box, REDCap and Stanford encrypted laptops, you do not need a DRA. These workflows are pre-approved. If the STARR data is de-identified, it can be Moderate Risk or High Risk. It is High Risk when the de-identified data contains clinical notes or DICOM images. If your data is a Limited Data Set, it is High Risk PHI. To learn more about risk classifications, please visit the Risk Classification website.

The Data Risk Assessment is per dataset and research access workflow.  If you are not sure or you have any doubts, submit a DRA application. In most cases, the DRA review results in a recommendation that the underlying systems and workflows need to meet minimum privacy requirements and minimum security requirements. You are responsible for meeting these requirements.

Is there a shared computation environment that I can use?

Patient data, even when it can be de-identified, is highly sensitive. When combined with public data, de-identified data can be re-identified. Stanford UPO determines that PHI-scrubbed DICOMs and clinical text contain incidental PHI. In any case, loss of patient data can lead to a privacy breach or identity loss for patients. Stanford Privacy Office determines that certain types of patient data are Moderate Risk and others are High Risk or PHI. Stanford Research Computing supports shared computing resources for Stanford researchers. These resources are suited to different data risk classifications.

  • Nero or Carina: This is the preferred environment when working with patient data. Nero Cloud and its on-premise counterpart, Carina, are High Risk and HIPAA-compliant shared computing infrastructure, suitable for researchers using PHI or PHI-scrubbed unstructured data such as clinical notes or DICOM images.
  • Sherlock and SCG: Sherlock is a Moderate Risk compliant shared computing infrastructure with an on-premise High Performance Computing system. This environment is suitable for researchers using structured and de-identified EHR data. Researchers who are working with genomics data may find SCG particularly useful. Both these systems are also NIH dbGaP compliant. Please make sure your STARR dataset is classified Moderate Risk before using Sherlock or SCG. If you are not sure, consult with the University Privacy Office, the Information Security Office or the Stanford Research Computing team before using Sherlock or SCG.

Is there a cost of getting access to STARR data?

Where self-service tools are insufficient, researchers can request appropriate data via a consultation service. Research IT and Research Informatics Center collaborate to help researchers acquire patient data that are not available in STARR self-service tools or in STARR. The first hour of consultation service is subsidized by the SoM Dean's office. Some of the subsequent services continue to be subsidized. The researcher will be advised of the costs during the consultation process.

Request a consultation

How do I acknowledge STARR?

If you have used any of the self-service tools, office hours or consultation services, the Office of the Senior Associate Dean for Research (SADR) would like the research community to use the following acknowledgement:

“This research used data or services provided by STARR, “STAnford medicine Research data Repository,” a clinical data warehouse containing live Epic data from Stanford Health Care, the Stanford Children’s Hospital, the University Healthcare Alliance and Packard Children's Health Alliance clinics and other auxiliary data from Hospital applications such as radiology PACS. STARR platform is developed and operated by Stanford Medicine Research Technology team and is made possible by Stanford School of Medicine Research Office.”

How do I cite STARR publications?

Depending on the services used, you will either cite peer-reviewed publications or our preprint manuscripts. Our publications are listed here. NIH provides guidelines on how to cite preprints.

How do I acknowledge STARR staff contributions?

For use of self-service tools, office hours and consultation, please acknowledge STARR. To acknowledge custom data services provided by individual Research IT or Research Informatics Center staff, we request that you use CRediT (Contributor Roles Taxonomy) in your publications: