Skip to main content Skip to secondary navigation
Main Quad, palm trees, Hoover Tower

Regulatory processes around using patient data for research are complex and depend on nuances of what you are trying to do.

Guidelines and procedures

Main content start

Relevant Stanford Offices:

  • Research Compliance Office or RCO (link): If you are a researcher, RCO is often your first stop. Among other things, learn about IRB, Human Subject Research, QA/QI and eProtocol.
  • Industrial Contracts Office or ICO (link): Are you data sharing with industry and/or getting funded by them? For example, they will help with the contract and data sharing agreement.
  • Industry Relations and Digital Health or IRDH (link): This division supports strategic partnerships with industry. 
  • Office of Technology Licensing or OTL (link): They manage IP arising out of research at Stanford. For example, they will help you file a patent.
  • Information Security Office or ISO (link): They are our security experts. They propose guidelines (e.g., dataclass or minsec), support other offices on complex policies and provide services (e.g., Data Risk Assessment) and investigate security breach. 
  • University Privacy Office or UPO (link): They are our privacy experts. They propose institutional guidelines (e.g., HIPAA, GDPR), develop training content, support other offices on complex policies and provide services (e.g., Data Risk Assessment) and investigate privacy incidents. UPO staff are looped in by RCO, ICO and other groups as needed. 
  • Research Management Group or RMG (link): Services like OSR, except if you are at SoM, start with RMG.
  • Office of Research Administration or ORA (link): They are the research administrative unit who support other offices with policies and tools.  Their Data Use Agreement (DUA) decision tree is excellent. See below.
  • Office of General Counsel or OGC (link): OGC office staff are our legal experts. The OGC staff are pulled in by RCO, ICO, OTL, ISO and UPO when the research data sharing and policy questions are complex.


  • Privacy and security of health information (link): Relevant portion of Stanford administrative guide when working with HIPAA data.
  • Stanford Data Risk Classifications aka dataclass (link): What are Low Risk, Moderate Risk and High Risk data classifications? Most patient data are Moderate Risk or High Risk. PHI is a type of High Risk data.
  • Stanford Minimum Security Standards aka minsec (link): What are data security guidelines for Low, Moderate and High Risk data? This is one of the best online resources in the world to understand security for IaaS, SaaS, applications and endpoints. 
  • Stanford Minimum Privacy Standards aka minpriv (link): Minimum privacy standards for the collection, processing, transfer, deletion and other use of personal data at Stanford.
  • Data Management Plan or DMP (link): A DMP is required by your funding agency and is a document that describes the data used in your research and its management for the duration of the research.

Common definitions and best practices

  • Stanford Affiliated Covered Entity (link): Note that Stanford affiliated covered entities include our Hospitals, our healthcare alliances and Stanford University HIPAA Components (SUHC).
  • HIPAA Privacy Policies (link):
    • Stanford Policy H-02: This document sets forth definitions of key terms that are frequently used in SUHC HIPAA Privacy policies. Among others, look for terms such as Business Associate, ePHI, Limited Data Set, Genetic Information, and Health Care Operation.
    • Stanford Policy H-13:  H-13 is the policy for Minimum Necessary Use and Disclosure of, and Requests for, Protected Health Information (PHI). The purpose of this policy is to explain how workforce members of the SUHC must make reasonable efforts to limit their use or disclosure of PHI or requests for PHI from an outside party to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
    • Stanford Policy H-15: H-15 is the policy for Use and Disclosure of Protected Health Information. The purpose of this policy is to provide guidelines to the members of the SUHC workforce regarding uses of protected health information (“PHI”) within the Stanford Affiliated Covered Entity and disclosures outside of the Stanford affiliated covered entity.
      • Appendix A: De-Identification of Health Information under HIPAA. Research IT also recommend the complete de-ID guide and NIST best practices.
      • Appendix B: Use and Disclosure of Mental Health Information
      • Appendix C: Use and Disclosure of Substance Abuse Records
      • Appendix D: Use and Disclosure of HIV Test Information
      • Appendix E: Assault and Abuse Reporting to Authorities
      • Appendix F: Disclosure of Information Pursuant to an Authorization by a Minor
      • Appendix G: Limited Data Sets

Processes that impact your access to STARR data

  • Data Use Agreement or DUA (link): Required for data sharing. The DUA decision tree is maintained by ORA and is comprehensive. If you need a DUA, you will have one or more options depending on what you are sharing:
    • ICO: If your research will involve collaborating with or you will receive funding from industry.  
    • OSR: If your research involves federally funded grants and awards as well as non-funded collaborations with other institutions.
    • RMG: If your research involves non-federal clinical trials and clinical research. 
  • HSR determination (link):  Is this research? Is this human subject?  In modern research, the boundary between QI and academic research can appear blurry. The determination is made by RCO.
  • Data Risk Assessment or DRA (link): Is your research workflow meeting the minsec guidelines? Needed for High Risk data. If you are using a server under your desk or sharing data with industry, or using a vendor platform, expect to spend some time going through DRA.
  • Data Privacy Attestation or DPA (link): It is an individual level attestation for STARR data access. This is applicable for pre-IRB (e.g. STARR-OMOP-deid) as well as post-IRB access (e.g., STRIDE chart review).