To receive data derived from patient care at UCLA you will need IRB approval and Compliance approval, unless the data is de-identified. The specific requirements for different types of studies are provided in the tabs below. However, in general, we recommend the following steps:
Additional requirements depend on whether your study involves direct patient contact. For studies involving direct patient contact, requirements differ based on whether patients involved have given consent for use of their medical record data. For studies that do not involve direct patient contact, an important distinction is whether chart review is required. Find the tab for your study type below and follow the specific instructions. If your study involves activities in more than one category, please follow the instructions for all applicable categories.
There are two major study categories that involve direct patient contact: screening health record data for possibly-eligible patients vs. obtaining health record data for patients already consented and enrolled in a study.
UCLA health record data can be searched for patients who meet study eligibility criteria. These patients can then be contacted about study participation, either through a UCLA health care provider with whom they have a relationship, or in some cases by an investigator. If they study involves significant risk, then a provider or an independent recruitment service may need to be involved. The UCLA IRB determines the acceptability of proposed recruitment methods.
Follow the specific instructions below to complete data requests for studies that use health records for recruitment purposes.
If the participants have signed the UC HIPAA Research Authorization Form Form when they are enrolled in your study, we can help you to collect additional data under HIPAA Authorization, e.g. lab test results, problem lists, etc.
Follow the specific instructions below to obtain data for your consented patients.
Studies based entirely on health record data, without any direct patient contact, can often receive expedited review, or if only de-identified data is requested, may not need IRB approval at all. In general, studies should request the minimum data needed to answer the research questions. Please consider which category of data will be necessary for your study: de-identified, limited data set, identified data without chart review, and identified data including chart review. Select the most limited category of data that will suffice for your study and then follow the instructions for obtaining the necessary approvals.
Many studies can be completed using only data from discrete health record fields WITHOUT using any personal identifiers or “protected health information” (PHI), as defined in HIPAA rules. The main challenge in using de-identified data is that dates (more detailed than the year) are considered PHI. Patient addresses are also PHI (except for the first 3 digits of ZIP Codes), and free-text notes or reports are considered to potentially include PHI. If your research question can be answered without using PHI, you should request a de-identified data set. Studies that are preparatory to future research should often fall into this category.
Studies that require actual dates of service and/or 5 digit zip codes, but that don’t need other personal identifiers and don’t need free-text notes or reports may request a “limited data set,” which is de-identified except for the potential inclusion of service dates and/or 5 digit ZIP Codes. There are alternatives to using actual dates -- using dates relative to some patient-specific event (e.g. tagging events using the days since the patient's first office visit), or by using dates that are offset for each patient by a random number of days up to a year. However, the data set will still be considered "limited" (not de-identified) with these methods. It should be noted that the service dates and ZIP Codes in limited data constitute PHI, and if this data is compromised, UCLA Health is required to formally assess the potential for re-identification, and breach notification to patients may be required.
Studies that need to make use of use patient identifiers and/or free-text notes or reports, but that don’t require human review of the full medical record, should request an identified data extract.
If your study requires human review of the full patient record, you can request extraction of a list of patients from the electronic health record who meet specific inclusion criteria. Additional discrete variables can also be extracted for these patients to help minimize the work required in chart abstraction.
The Biomedical Informatics Program (BIP) will also facilitate these requests as “honest broker” and will provide our Compliance review and consulting services. These services include assistance in navigating IRB and Compliance approval requirements, drafting required Compliance approval forms, and managing communication with data programmers from other teams.
IP will review the IRB application and approval notice while checking that Compliance requirements are met in terms of study data elements, data security/privacy concerns, and data storage. During this IRB review, IP will also draft the requisite Compliance paperwork on behalf of the investigator. This paperwork is required for Compliance approval.
The documented, consistent workflow employed by IP will expedite the process of obtaining Compliance approval required for patient data: If there are any potential data privacy or security issues with the IRB, IP may ask the investigator to amend the IRB application. In this instance, IP will provide a detailed list of amendments to the investigator so that Compliance requirements can be met. For standard data requests in which there are no data privacy or security issues, IP is authorized by the Office of Compliance Services (OCS) to sign off on Compliance approval. For situations in which there may be higher risk involved in releasing data, IP will arrange for a consult and approval by OCS.
Once Compliance approval has been obtained, IP will coordinate with the programmers from the other teams on data extraction and delivery.