De-identified Data Policy

If full PHI is being transferred from UCSF to another entity, HIPAA mandates that an agreement is executed between the parties.  Relatedly, if a Limited Data Set (as defined by HIPAA see https://irb.ucsf.edu/definitions) is provided for research purposes, the parties are required to execute a Data Use Agreement. 

However, when an entity is providing de-identified data, there is no legal requirement to execute an agreement. 

UCSF generally considers de-identified clinical data a P3 escalation criteria, thus possibly requiring an agreement to transfer.  See UCSF’s latest policy here:  https://data.ucsf.edu/data-sharing#Escalation-criteria 

See the full list of data classification, including lower risk data here:  https://it.ucsf.edu/standard-guideline/ucsf-policy-650-16-addendum-f-ucsf-data-classification-standard

 

For guidance on how to publish data, see the following: