De-identified Data Policy

If full PHI is being transferred from UCSF to another entity, HIPAA mandates that an agreement is executed between the parties.  Relatedly, if a Limited Data Set (as defined by HIPAA see is provided for research purposes, the parties are required to execute a Data Use Agreement. 

However, when an entity is providing de-identified data, there is no legal requirement to execute an agreement. 

UCSF generally considers de-identified clinical data a P3 escalation criteria, thus possibly requiring an agreement to transfer.  See UCSF’s latest policy here: 

See the full list of data classification, including lower risk data here:


For guidance on how to publish data, see the following: