We do not support your browser. Please take a moment and upgrade to the most recent version of Internet Explorer.
Researcher Resources

Obtaining Medical Record Data to Conduct Your Research

The approval process for data requests differs depending on a few factors. Requests that meet certain criteria can be fast-tracked or pre-approved, while others may require review from the UCLA Office of Compliance Services or by the Data Release Subcommittee. To determine the type of approval required for your project, please refer to this spreadsheet. Click below to view definitions for the terms used in the spreadsheet.


Type of Data
  • Identified Dataset: Contains any of the 18 HIPAA identifiers*, beyond exact dates or 5-digit zip code
  • Limited Dataset: Contains only 2 of 18 HIPAA identifiers* (e.g. exact dates, 5-digit zip code or greater)
  • De-identified Dataset: Does not contain any of the 18 HIPAA identifiers*; can contain only year, relative dates (i.e. set day zero and count from there), or shifted dates (each date is shifted by the same random number between 1 and 365), and/or first three digits of zip code for geographic areas of populations over 20,000
*To see the 18 HIPAA identifiers, please click here and scroll to “List of 18 PHI Identifiers.”

Patient Consent Status

  • Consented: Patients enrolled in your research study have signed the IRB-approved informed consent form associated with your study. This is typically the case for studies with direct patient contact where subjects have already been recruited.
  • Non-Consented: You will not be obtaining informed consent from patients that will be included in your study. This is typically the case for studies with no direct patient contact, such as retrospective chart review studies, or if you are requesting patients' contact information for study recruitment.

Sensitive Data - The following data elements are considered to be sensitive:

  • Mental Health Disorders
  • Eating Disorders
  • Substance Abuse Disorders
  • Sexually Transmitted Diseases (including HIV)
  • Child Abuse
  • Sexual Abuse
  • Abortion
  • Transplant Donor-Recipient
  • Adoption
  • Financial Billing Data

PHI Locked Down or Less than 500

  • PHI Locked Down: Protected Health Information (PHI) included in your dataset will be locked down in the data storage environment, meaning that it cannot be removed or copied from the environment. There are two data storage options, ULEAD and UCLA Health REDCap, that have the ability to lock down data.
  • Less than 500: The total number of patient records included in your dataset is less than 500.

Data Sharing

UCLA Health defines Health Data as:

Any information pertaining to the health, care, and treatment of UCLA Health patients or health plan members which:

(1) results in a report used in treatment or monitoring of a patient;

(2) generates a claim or a bill for services that are provided; and/or

(3) is used for operations, financial management, population health activities or quality metrics.

  • Sending patient data (regardless of the type of dataset: identified, limited, or de-identified) or granting access to this data to a recipient outside of the UCLA Health System. For more information on external data sharing, please click here.


Task 1: Study team submits a ticket to the CTSI Ticketing System. To initiate your request, please click here to submit a ticket.

Task 2: Study team completes Qualtrics intake form. After submitting a ticket, our consultants will send you the Qualtrics intake form, which will collect information on your project.

Task 1: Consultant reviews request and compiles questions for study team. Once you submit the Qualtrics form, DET and CRF, a consultant will review your request.

Task 2: Consultant begins drafting Data Use Agreement (DUA+). A DUA+ is required in order to provision your dataset.

Task 1: Study team and consultant meet to review and finalize request. Within 5 business days of the consultant completing the initial review, the study team will need to be available to meet and go over the request, review the DUA+, finalize the DET, and answer any remaining questions. We can also further discuss data storage options for your dataset. Typically, datasets provisioned by our team are stored in ULEAD.

Task 1: Study team completes any pending action items from meeting with consultants within 5 business days. After the meeting takes place, the consultant will summarize action items for the study team. These action items must be completed within 5 business days.

Task 2: Study team responds to any follow-up questions from programmers within 2 business days. As the programmers begin drafting the code for your data extraction, they may have questions for the study team. The study team will need to respond to the questions within 2 business days.

Task 1: Consultant routes DUA+ for signatures and approvals. The DUA+ requires signature from the study’s principal investigator (PI)/faculty sponsor and the PI’s department Chair. Depending on your request, the DUA+ may also require signature from CTSI or from the UCLA Office of Compliance Services.

Task 2: Consultant sends finalized DET to programmers to complete data extraction. Task 2 will likely take place in parallel with Task 1. As soon as the DET is finalized, the consultant will send it to the programmers so they can complete the data extraction.

Task 1: Consultant delivers dataset to study team. Once the data is ready to be delivered and the DUA+ has been executed, your data will be delivered.

Task 2: Consultant files HIPAA disclosure. This is required if any protected health information (PHI) is included in your dataset and the IRB has provided a HIPAA waiver for your study.

Task 3: Consultant closes out ServiceNow ticket. Once the steps above are complete, we will close out the ticket associated with your request.