
Data Privacy Attestation (DPA)


Stanford DPA FAQs/Guidance for Researchers

The Stanford Research Repository, or STARR, is Stanford Medicine’s approved resource for use of clinical data for research purposes.  To obtain data from STARR, researchers must complete a Data Privacy Attestation (DPA).  The DPA review ensures that the Institutional Review Board (IRB) protocol allows for the use and disclosure of the data elements requested in the DPA.

Data Privacy Attestation Guidance:

  • Ensure the data elements requested on your DPA are consistent with what is listed in your IRB protocol section 1b, section 3a, OR section 11b (depending on the type of protocol).
  • If data will be requested/used from STARR and other sources (e.g., Epic, other research databases, or after obtaining HIPAA authorization), in your IRB protocol (section 1b, 3a, OR 11b), specify what data is being requested from STARR vs. other sources.
  • Follow the minimum necessary principle by selecting only what is necessary to accomplish the goals of the project from the list of data elements in the DPA.
  • For chart reviews, do not request data under “recruitment” on the DPA as recruitment is not permitted for a chart review. 
  • Ensure data elements requested under “Disclosures outside Stanford” are also requested under “Internal use at Stanford” on the DPA. The data disclosed outside of Stanford must be a subset of the data obtained internally.
  • If “Clinical Narratives” or “Medical Record Numbers” are requested for disclosures outside Stanford, please follow the steps outlined in the FAQs section to ensure your DPA is approved. 
  • If “Social Security Numbers” (SSNs) are requested, please follow the steps outlined in the FAQs section to ensure your DPA is approved.  For research payment purposes, obtain SSNs directly from the participants instead of getting them from STARR.
  • If “Hospital Cost Data” is needed, NO DPA is needed. The Principal Investigator should contact the Hospital Privacy Office at complianceofficer@stanfordhealthcare.org for permission to access such data.  The University Privacy Office does not have approval authority for this data. 
  • For more general information on DPAs, please refer to Stanford Medicine's DPA web page.

DPA FAQs:

Q: What do I need to do to ensure my Data Privacy Attestation (DPA) is approved?

A:  

  1. Ensure the data elements being requested on the DPA are consistent with what is listed in your IRB protocol section 1b, section 3a, OR section 11b (depending on the type of protocol).
  2. Follow the minimum necessary principle by selecting only the minimum necessary information needed to accomplish the goals of the project from the list of data elements in the DPA.
  3. If data will be requested/used from STARR and other sources (e.g., Epic, research databases, or after obtaining HIPAA authorization), in your IRB protocol (section 1b, 3a, OR 11b), specify what data is being requested from STARR vs. other sources.
  4. Ensure data elements requested under “Disclosures outside Stanford” are also requested under “Internal use at Stanford” on the DPA. The data disclosed outside of Stanford must be a subset of the data obtained internally.
  5. If “Clinical Narratives” or “Medical Record Numbers” are requested for disclosures outside Stanford, proactively open a ServiceNow ticket with the University Privacy Office and provide the justification for the requested data element(s). If authorization is provided from the University Privacy Office on the ticket, submit the DPA for approval. 
  6. If “Social Security Numbers” are requested, proactively open a ServiceNow ticket with the University Privacy Office and provide the justification for the use of Social Security Numbers. If authorization is provided from the University Privacy Office on the ticket, submit the DPA for approval.  For research payment purposes, obtain SSNs directly from the participants instead of getting them from STARR.
     

Q: Who do I contact if I have questions on my DPA or the DPA process?

A: The University Privacy Office is responsible for processing DPA requests and is the department to contact for any DPA related questions. To contact the University Privacy Office, please open a ServiceNow ticket.


Q: What should I do if I need to request “Hospital Cost Data” on my DPA?

A: The University Privacy Office does not approve requests for Hospital Cost Data. The Hospital Privacy Office is the approval authority for hospital cost data. If hospital cost data is required, NO DPA is needed.  Please have the investigator contact the Hospital Privacy Office at complianceofficer@stanfordhealthcare.org for access and permission.


Q: What should I do if I need to request “Social Security Numbers” on my Data Privacy Attestation?

A: The University Privacy Office does not generally approve requests for Social Security Numbers (SSN) from STARR and requires specific justification on the need for such. If SSN data is required, please provide an explanation to the University Privacy Office by opening a ServiceNow ticket and include the following information:
  a) associated IRB Number
  b) reason why SSNs are necessary
The University Privacy Office will review the justification provided and inform you if this use has been approved. If authorization has been provided by the University Privacy Office on the use of SSNs, please submit your DPA for approval. 


Q: What should I do if I need to request “Medical Record Numbers” to be disclosed outside of Stanford on my Data Privacy Attestation?

A: The University Privacy Office does not generally approve requests for Medical Record Numbers (MRN) to be used in disclosures outside of Stanford and requires specific justification on the need for such. If MRN data is required, please provide an explanation to the University Privacy Office by opening a ServiceNow ticket and include the following information:
  a) associated IRB Number
  b) reason why MRNs are necessary
The University Privacy Office will review the justification provided and will inform you if this use has been approved. If authorization has been provided by the University Privacy Office on the use of MRNs, please submit your DPA for approval. 


Q: What should I do if I need to request “Clinical Narratives” to be disclosed outside of Stanford on my DPA?

A: The University Privacy Office does not generally approve requests for Clinical Narratives to be used in disclosures outside of Stanford and requires specific justification on the need for such. If Clinical Narratives are required, please provide an explanation to the University Privacy Office by opening a ServiceNow ticket and include the following information:
  a) associated IRB Number
  b) reason why Clinical Narratives are necessary
The University Privacy Office will review the justification provided and will inform you if this use has been approved. If authorization has been provided by the University Privacy Office on the use of Clinical Narratives, please submit your DPA for approval.