Data Usage Training and Agreements - HealthRex/CDSS GitHub Wiki

Before accessing or analyzing patient health information, you must complete the following steps.

  1. Collaborative Institutional Training Initiative (CITI) Biomedical Research Training
  2. Stanford Training and Registration System (STARS) HIPAA Training
  3. Data Privacy Obligations Statement Link to "Collaborator Attestation." The above should be enough to work with deidentified data in our mining-clinical-decisions Google Cloud Platform proejct. If you will need access to identifiable patient data (e.g., notes, real dates, access logs, STARR-OMOP), then you will need to complete additional steps below:
  4. IRB protocol. Have the PI or admin add you as personnel to an approved IRB, which can usually be completed within a few business days.
  5. Data Privacy Attestation for PHI. The above should be sufficient to access our PHI-safe som-nero-phi-jonc101 Google Cloud Platform project, with respective PHI versions of Stanford clinical data. If you still need additional specialized access, then complete the steps below:
  6. STARR-OMOP Access Email [email protected] with “Requesting STARR-OMOP-deid data in BigQuery” in the subject line and your Nero GCP project name and your PIs ORCID if you also need access to the STARR-OMOP version of the Stanford clinical databases. Same data, but standardized into the OMOP common data model and other elements like keywords extracted from clinical notes.
  7. Data Privacy Attestation for STARR-OMOP
  8. Nero PHI-Safe Compute Environment If you need access to the Nero PHI-safe compute server infrastructure (e.g., to access the Population Health Sciences databases), email Stanford Research Computing Center [email protected] and CC the PI for confirmation.

CITI Biomedical Research Training

  1. Register with your Stanford SUNet ID.
  2. Complete the courses on
  • "Biomedical Responsible Conduct of Research"
  • "Group 7: IRB BioMed/GCP Research (All Medical Investigators and Staff)"
  1. Email a link to the Completion Certificate to [email protected] or admin (subject: Biomedical Responsible Conduct of Research Certificate).

STARS HIPAA Training

  1. Complete the self-paced course on HIPAA/Protecting Patient Privacy.
  2. Email a copy of your completion certificate to [email protected] or admin

Health Data Protection / Hard Drive Encryption

  • Any computers you use to work on health data must be encrypted. This is usually a transparent option that is easy to turn on in the background and is generally a good idea anyway in case your computer gets lost or stolen.
  • Web link below should help you figure out if you’ve setup encryption properly. If you install Stanford’s BigFix program, it walks through most of the steps. https://med.stanford.edu/datasecurity/amie/
  • I'd recommend working on a (laptop) computer with at least 16gb RAM and 512gb hard drive. I can help you get this if you do not already have it.

Notes to Admin on how to Respond to someone trying above for access

When someone wants to access our databases,

  1. I’ll forward to you to direct them to the above link to complete the training and attestations Direct new applicants to https://github.com/HealthRex/CDSS/wiki/Data-usage-training-and-agreements to complete steps 1-8 as applicable.
  2. They send us copies of their CITI and HIPAA training certificates which we save in a shared GoogleDrive folder. Create them a new folder under Collaborators/Hires in the shared Admin Files and have signed the appropriate DPA. You also invite a new user to sign the DPA by clicking on Attestation link and invite the user by their email.
  3. If they’re accessing protected health information (not just deidentified data), then they also need to be added to IRB personnel list. You’ve been set as admin contact on IRB-47618. https://eprotocol.stanford.edu/mydashboard
    • There will need to “Start Modification,”
    • State change is just “Personnel update / addition” with no change in risk or conflicts
    • lookup and add the person under Personnel Info
    • Set their “CITI training completed” to Yes
    • Click / Confirm the Obligations statement
    • Submit the revised Protocol for review
  4. For access to our non-PHI (deidentified) data resources, you’ll need to use this management interface to grant people BigQuery Data Viewer and Job User roles (You must have the Stanford VPN on and be logged in to access the Platform yourself) https://console.cloud.google.com/iam-admin/iam?authuser=1&folder=&organizationId=&project=mining-clinical-decisions
  5. For access to our PHI (potentially identified) patient data, you’ll need to add them as bq-users via this workgroup interface https://workgroup.stanford.edu/