Non-Profit University Researchers or California State Agencies – Application Checklist (IPA)
Before You Start
|1. Confirm your eligibility||Before you start the application process, please confirm your eligibility. OSHPD is authorized to disclose HIPAA-limited versions of its patient-level data files to:
|2. Review data sets||Next, review the variables in the data sets to see if the data meets your analytical need.|
IPA Request Process
|3. Complete and submit an UNSIGNED preliminary request package for review||
|4. Pre-CPHS letter and Privacy Officer approval||Once the request appears complete, you will be sent a “Pre CPHS Letter” which you will then be able to use as an attachment when submitting your CPHS Protocol to the California Committee for the Protection of Human Subjects.
When your Research Protocol has been approved by CPHS, your request will then be submitted to our Privacy Officer and Deputy Director with your approved Protocol. If there are any questions about your request during this part of the process, an analyst will contact you.
When the Privacy Officer and Deputy Director have approved your data request, you will receive:
|5. Requests containing PDD/Linked Birth or PDD/Linked Death data||If your request contains PDD/Linked Birth or PDD/Linked Death data, we will then forward your approved OSHPD request, with your signed documents and payment, to the California Department of Public Health. Once they have approved your request, we will be notified and then will arrange to ship your data.|
|6. Approved requests||Generally, from the time the request is received until the data is shipped, the interactive IPA request takes approximately six months. It may be longer or shorter depending on the complexity of the request.|
|7. Once OSHPD approves the completed package, you will be contacted about payment and shipping options||NOTE: Data is not released until all required approvals have occurred and payment has been received.
At the time of data release, OSHPD will contact you to arrange shipping options: encrypted CD(s) to be picked up by you; encrypted CD(s) shipped by overnight delivery; or encrypted files sent via Accellion (Secure FTP).
Instructions for Preparing the IPA Request for Nonpublic Patient Level Data Form
|Complete contact information||Complete the contact information section for your university/institution on the first page of the request form. List the names of the Principal Investigators (if there is more than one PI); these must match the draft CPHS Protocol. Submit the form unsigned; it is a draft until officially finalized later in the process.|
|Please indicate the purpose for which the data are requested||Give a brief description of what your study is about.|
|Please give a broad overview||Please describe how the data will be used for your research.
Your Research Protocol and your OSHPD request need to be consistent; if it is helpful, you may copy a reasonable portion of your Protocol here. OSHPD needs enough information about your research to be able to determine why you are asking for nonpublic patient-level data.
|Mark the years and the confidential data sets/products you would like to order||You will need to complete and attach the appropriate justification grid with the request package:
|Indicate the format you prefer||Choose format from SAS or comma delimited text.|
|What is the required sample size you need to test your hypothesis?||Briefly explain what your required sample size will be, if known.|
|Describe and justify the subset needed||If you need a geographic subset, please indicate if you need it by patient county, hospital county, or both, or by ZIP Code. If you need a data subset by diagnosis, please include a list of the appropriate diagnosis codes. Include whether or not you need these if they are the principal diagnosis on the record, or secondary diagnoses. If requesting a diagnosis subset that contains procedure codes, please note that ED/AS data only contains CPT 4 procedure codes.
If you need all records for given years, clearly explain why.
|Please indicate if you will be doing the following:|
|Geographic Information System (GIS)||If yes, please describe.|
|Combination/merge/coordination with other data set(s) or databases||If yes, please describe the other data sets / linking variables (for example, census data, hospital level demographics, socioeconomic indicators, etc).|
|Linked patient-level information (i.e., across years)||If yes, please describe method for linking patient-level data across years/data set. We need this information even if you are just linking within/between OSHPD data sets.|
|What products will be developed from this project?||Clearly indicate what kind of final product, such as a report or articles, will be developed from this project.|
|Please include a brief description of each product including the level of detail for any chart, graph, table, or map||For each product, state the level of detail contained in any chart, graph, table, or map you will be creating.|
|Describe how you will treat small cells (<15) in data products to avoid identifying individuals||Describe how you will treat a small cell size (15 or fewer). For example, if there are 15 or fewer in a cell, will you delete or combine the cell with another?|
Security (Requestor or Outside Contractor)
Please see “Recommended Practices for Safeguarding Access to Confidential Data” on the request form for what we will be looking for in your answers about security for your facility.
|System||System on which the data will reside. Be very specific when writing about data security, for example, indicate if your computer is stand-alone, networked, or if you are accessing data on a server.|
|Hardware/Software||Does the system contain anti-virus software (all systems)? Is it on continuous scan?
Name of anti-virus, anti-spyware and firewall you are using?
Do you have remote access software on this system?
Is your system protected by an external firewall, i.e. Netgear, Cisco PIX or other NCSA-certified device?
Note: Windows™ firewall does not provide adequate security.
|Access Control||Access should be restricted to the authorized individual(s).
Is password length and configuration acceptable (alphanumeric and not observable either from the screen or able to be captured by any electronic means)?
If VPN is being used, explain how it is being kept secure.
Is there remote access software or hardware, i.e. PC Anywhere, Remote Control, SNMP, etc? (If ‘yes,’ requestor must remove from system). Are WiFi and file sharing capability also disabled and/or removed (with the exception of authorized remote access through a secure portal)?
|Physical Environment||Please describe your location, office space and how you are protecting the privacy of this data.
Monitor must be positioned to prevent others from viewing text on screen.
Printers should be placed in close proximity for quick retrieval of printouts.
Password-protected screen savers must be used when a computer is in a shared workspace.
|Data Storage||Data stored on hard drives must be encrypted. Store removable media (CD-ROM, diskette, USB device, etc.) in a locked cabinet or drawer.|
|Encryption||If data is stored on hard drives it must be encrypted. Acceptable encryption standards include Triple-DES, PCP, AES, Windows file encryption system.|
|Who will have access to the data at the facility?||List the names and titles of the people that will access the data.|
|Relationship of personnel to facility?||What connection do they have to your facility?|
|For Outside Contractor Security||If your facility is working with an outside contractor, you must:
This page was last updated on Wednesday, July 27, 2016.
Healthcare Information Resource Center
400 R Street, Suite 250
Sacramento, CA 95811-6213
Tel: (916) 326-3802
Fax: (916) 324-9242
Hours: Monday-Friday 8 a.m. to 5 p.m. (PST)