We do not support your browser. Please take a moment and upgrade to the most recent version of Internet Explorer.
Researcher Resources

Obtaining Medical Record Data to Conduct Your Research

*****NOTICE: We are now charging for our services. Please see the Cost Information tab below for our rates.*****

To receive data derived from patient care at UCLA you will need IRB approval and Compliance approval, unless the data is de-identified. The specific requirements for different types of studies are provided in the tabs below. However, in general, we recommend the following steps:

  1. Obtain a Data Consult - Talk to us first. We help with all aspects of data requests for research purposes. Click here to request a consult online at intranet.ctsi.ucla.edu.

  2. Obtain IRB approval - To ensure that IRB-approved procedures are followed, we will need copies of your IRB approval letter, and your complete, currently-approved IRB application.

  3. Obtain Compliance approval - Unless you are using de-identified data (as defined below), UCLA Compliance will need to approve your data security plans, after the plans are signed by your department's chair or chief administrative officer. We'll draft the Compliance review forms based on your IRB application, which you can then take for signatures. 

  4. Data extraction and delivery - Data can be delivered securely in a variety of ways. Populating a REDCap database is a preferred method, but we can also deliver data in Excel files and by other means.

Additional requirements depend on whether your study involves direct patient contact. For studies involving direct patient contact, requirements differ based on whether patients involved have given consent for use of their medical record data.  For studies that do not involve direct patient contact, an important distinction is whether chart review is required. Find the tab for your study type below and follow the specific instructions. If your study involves activities in more than one category, please follow the instructions for all applicable categories.

There are two major study categories that involve direct patient contact: screening health record data for possibly-eligible patients vs. obtaining health record data for patients already consented and enrolled in a study.

Screening UCLA Health Record Data for Purposes of Recruiting Eligible Patients

UCLA health record data can be searched for patients who meet study eligibility criteria. These patients can then be contacted about study participation, either through a UCLA health care provider with whom they have a relationship, or in some cases by an investigator.  If they study involves significant risk, then a provider or an independent recruitment service may need to be involved. The UCLA IRB determines the acceptability of proposed recruitment methods.

Follow the specific instructions below to complete data requests for studies that use health records for recruitment purposes.

  • IRB application: In section 17.1, item 1.0, check off “A Waiver of HIPAA Research Authorization is requested for screening using UC medical records.” In section 9.2, item 5.0, check off “The data and/or specimens will be directly labeled with personal identifying information when acquired by the investigator for this research directly labeled.” We recommend consulting with us prior to submitting your IRB application to avoid needing an amendment to meet data specification or data security requirements.
  • Data elements: Check off all desired data elements using our template.
  • Compliance: Because you will be receiving data derived from protected health information (PHI) your data security measures will need approval from UCLA Compliance. Based on the data security measures specified in your IRB application, we will draft the Compliance "Request to Interface or Download" form on your behalf. The form then needs to be signed by the data requester and their departmental Chief Administrative Officer, accepting responsibility for maintaining the data protections specified in the form.
  • Data Delivery: We recommend using REDCap. We can set up automatic extraction of eligible patients into REDCap.
  • Contact: Depending on the risk of the study and the potential privacy threat, investigators may or may not be allowed to contact potential subjects directly. Alternatives include using an independent "honest broker" service or recruiting patients through their providers.

Obtaining UCLA Medical Record Data with Patient Authorization

If the participants have signed the UC HIPAA Research Authorization Form Form when they are enrolled in your study, we can help you to collect additional data under HIPAA Authorization, e.g. lab test results, problem lists, etc.

Follow the specific instructions below to obtain data for your consented patients.

  • IRB application: In section 17.1, item 1.0, check off “All UC participants will sign a UC HIPAA Research Authorization for Release of Personal Health Information for Research."
  • Data elements: Check off all desired data elements using our template.
  • Compliance: Because you will be receiving data derived from protected health information (PHI), your data security measures will need approval from UCLA Compliance. Based on the data security measures specified in your IRB application, we will draft the Compliance “Request to Interface or Download” form on your behalf. The form then needs to be signed by the data requestor, and their departmental Chief Administrative Officer, accepting responsibility for maintaining the data protections specified in the form.. 
  • Data Delivery: We recommend using REDCap. We can set up automatic extraction of eligible patients into REDCap.
  • Patient Authorization: All patients seen at UC medical centers will sign a UC HIPAA Research Authorization for Release of Personal Health Information for Research when they are enrolled in a study. We will need to check what is included in the HIPAA authorization to release data. Any PHI that will be disclosed should be under a HIPAA Authorization, and the HIPAA Authorization overrides whatever may be detailed in the IRB Application. Please send us an example of a signed HIPAA Authorization Form with redaction.

Studies based entirely on health record data, without any direct patient contact, can often receive expedited review, or if only de-identified data is requested, may not need IRB approval at all. In general, studies should request the minimum data needed to answer the research questions. Please consider which category of data will be necessary for your study: de-identified, limited data set, identified data without chart review, and identified data including chart review. Select the most limited category of data that will suffice for your study and then follow the instructions for obtaining the necessary approvals.

De-identified, Structured Data Extracted from UCLA Health Records

Many studies can be completed using only data from discrete health record fields WITHOUT using any personal identifiers or “protected health information” (PHI), as defined in HIPAA rules. The main challenge in using de-identified data is that dates (more detailed than the year) are considered PHI. However, there are de-identified alternatives to using actual dates -- using dates relative to some patient-specific event (e.g. tagging events using the days since the patient's first office visit), or by using dates that are offset for each patient by a random number of days up to a year. Patient addresses are also PHI (except for the first 3 digits of ZIP Codes), and free-text notes or reports are considered to potentially include PHI.  If your research question can be answered without using PHI, you should request a de-identified data set. Studies that are preparatory to future research should often fall into this category.

  • IRB application: The UCLA IRB considers research involving de-identified data sets to be not human subjects research. However, de-identified data can still represent sensitive information for UCLA Health. Thus, to document the researcher’s intent and commitment to use de-identified patient data for a specific research purpose, researchers are asked to submit a brief IRB application in order to obtain a determination from the IRB that the study does not represent human subjects research.
  • Data Elements: De-identified data sets can include any structured variables extracted from health records except for 18 identifiers and dates other than the year. Individual patients can be distinguished using anonymous study IDs.
  • Compliance: To get a de-identified data set, Compliance approval is not required. However, if the data is potentially sensitive, it may require approval by a research committee of UCLA Health, and a Data Use Agreement (DUA) may still be required to ensure that the investigator uses the data only for the agreed-upon research and does not release it.
  • Data Delivery: We can simply deliver data in an excel spreadsheet.

Using a “limited data set” Extracted from UCLA Health Records

Studies that require actual dates of service and/or 5 digit zip codes, but that don’t need other personal identifiers and don’t need free-text notes or reports may request a “limited data set,” which is de-identified except for the potential inclusion of service dates and/or 5 digit ZIP Codes. It should be noted that the service dates and ZIP Codes in limited data constitute PHI, and if this data is compromised, UCLA Health is required to formally assess the potential for re-identification, and breach notification to patients may be required.

  • IRB application: In section 9.1, item 8.1, check off “Coded – The data/specimens are coded and a key to decipher the code exists and could be used to link PII to the data/specimens.” In section 17.1, item 1.0, check off “Limited Data Set with a Data Use Agreement will be obtained from UC medical records. I assure that I will follow the data security plan outlined in this application to protect the identifiers from improper use or disclosure.” We recommend consulting with us prior to submitting your IRB application to avoid needing an amendment to meet data specification or data security requirements.
  • Data Elements: In addition to the data available for de-identified data sets, you can obtain actual dates of service and/or 5 digit zip codes.
  • Compliance: Because you will be receiving data derived from protected health information (PHI), your data security measures will need approval from UCLA Compliance. Based on the data security measures specified in your IRB application, we will draft the Compliance “Request to Interface or Download” form on your behalf. The form then needs to be signed by the data requestor, and their departmental Chief Administrative Officer, accepting responsibility for maintaining the data protections specified in the form. You will also need to complete a UCLA Data Use Agreement and attach it to the Compliance approval.
  • Data Delivery: We can deliver data in an excel spreadsheet or into REDCap or an SQL database.

Identified Data Extracted from UCLA Health Records

Studies that need to make use of use patient identifiers and/or free-text notes or reports, but that don’t require human review of the full medical record, should request an identified data extract.

  • IRB application: In section 17.1, item 1.0, check off “A Total Waiver of HIPAA Research Authorization is requested for the entire study. I assure that the PHI collected for this study from UC records will not be reused or disclosed, except as indicated in this application.” In section 9.2, item 5.0, check off “The data and/or specimens will be directly labeled with personal identifying information when acquired by the investigator for this research.” We recommend consulting with us prior to submitting your IRB application to avoid needing an amendment to meet data specification or data security requirements.
  • Data Elements: Check off all desired data elements using our template. Note that you should only request patient names in your data set if it is absolutely necessary.
  • Compliance: Because you will be receiving data derived from protected health information (PHI), your data security measures will need approval from UCLA Compliance. Based on the data security measures specified in your IRB application, we will draft the Compliance “Request to Interface or Download” form on your behalf. The form then needs to be signed by the data requestor, and their departmental Chief Administrative Officer, accepting responsibility for maintaining the data protections specified in the form.
  • Data Delivery: We can deliver data in an excel spreadsheet and transfer it to a secure, shared network drive or can directly load it into REDCap.

Using Data Obtained by Chart Review

If your study requires human review of the full patient record, you can request extraction of a list of patients from the electronic health record who meet specific inclusion criteria. Additional discrete variables can also be extracted for these patients to help minimize the work required in chart abstraction.

  • IRB application: In section 17.1, item 1.0, check off “A Total Waiver of HIPAA Research Authorization is requested for the entire study. I assure that the PHI collected for this study from UC records will not be reused or disclosed, except as indicated in this application.” In section 9.2, item 5.0, check off “The data and/or specimens will be directly labeled with personal identifying information when acquired by the investigator for this research.” We recommend consulting with us prior to submitting your IRB application to avoid needing an amendment to meet data specification or data security requirements. Note that preparatory chart review will also require IRB approval. Exceptions will not be made.
  • Data Elements: Check off all desired data elements using our template, particularly those needed to determine if the patient meets inclusion criteria.
  • Compliance: Because you will be receiving data derived from protected health information (PHI), your data security measures will need approval from UCLA Compliance. Based on the data security measures specified in your IRB application, we will draft the Compliance “Request to Interface or Download” form on your behalf. The form then needs to be signed by the data requestor, and their departmental Chief Administrative Officer, accepting responsibility for maintaining the data protections specified in the form.
  • Data Delivery: We recommend using REDCap. We can set up automatic extraction of eligible patients into REDCap. The Compliance office recommends that you do not write down names of patients in any spreadsheets, but rather record the medical record number.

Starting July 1st, 2017, we will begin charging for all new projects.

For consulting time (project management, regulatory (IRB and Compliance) approvals), we will charge $81.88/hour

For programming time (data query: SQL coding, cleaning, extraction), we will charge $133.04/hour.

If you need more specific information, please contact us at patientdata@ctsi.ucla.edu.


For studies requesting data from other sources, such as the UCLA Cancer Registry, Department of Anesthesiology, or for requests for DICOM imaging access:

The Informatics Program (IP) will also facilitate these requests as “honest broker” and will provide our Compliance review and consulting services. These services include assistance in navigating IRB and Compliance approval requirements, drafting required Compliance approval forms, and managing communication with data programmers from other teams.

IP will review the IRB application and approval notice while checking that Compliance requirements are met in terms of study data elements, data security/privacy concerns, and data storage. During this IRB review, IP will also draft the requisite Compliance paperwork on behalf of the investigator. This paperwork is required for Compliance approval.

The documented, consistent workflow employed by IP will expedite the process of obtaining Compliance approval required for patient data: If there are any potential data privacy or security issues with the IRB, IP may ask the investigator to amend the IRB application. In this instance, IP will provide a detailed list of amendments to the investigator so that Compliance requirements can be met. For standard data requests in which there are no data privacy or security issues, IP is authorized by the Office of Compliance Services (OCS) to sign off on Compliance approval. For situations in which there may be higher risk involved in releasing data, IP will arrange for a consult and approval by OCS.

Once Compliance approval has been obtained, IP will coordinate with the programmers from the other teams on data extraction and delivery.

For these studies, only the consulting fee would apply: $81.88/hour. (However, please note that if data is also being requested from IP e.g. xDR/CareConnect and/or Transplant data, etc., then both the consulting and programming costs would apply.)