Medical Record Review

When is IRB Review Required?

The wealth of health-related data in medical records holds tremendous promise for informing and directing research. The human subject definition extends to a subject’s identifiable private information. As such, the IRB must review most research proposing to use data from medical records — obtained directly or indirectly. IRB review is required even if the records are those of a physician’s own patients.

The guidelines apply to all medical records — both paper and electronic — that contain Protected Health Information (PHI), such as charts, office records including shadow charts and study reports, as well as various media like radiographic images and films. The UCSF HUB has detailed information on accessing electronic medical data at UCSF. 

The type of PHI to be accessed or used in the study and risks associated with the study determine the level of IRB review required. The IRB will pay particular attention to the methods used to minimize privacy and confidentiality risks.

If you are receiving unidentifiable/de-identified or coded data (with identifiers kept separately) from another source, your research may not be considered human subjects research. In such cases, IRB review is not required. The PI makes and certifies this determination, as described on the Not Human Subjects Research page and flow chart. There are a number of restrictions.

Research vs. Health Care Operations: IRB approval is required only for medical records review for research studies, not for clinical activities conducted for health care operations.

When medical records are used for research, IRB prior review and approval are required.

  • Collection of clinical data associated with human specimens to be used in research,
  • Collection of data for research projects, including outcomes data,
  • Identification of potential subjects for recruitment into a clinical research study,
  • Collection of data for pilot or feasibility studies,
  • Analysis by PI of his/her own patient records for research purposes.

When medical records are used for healthcare operations, IRB review is not required. Medical records use for treatment, payment and operations (TPO) is not research. Activities may include the review of medical records for:

  • Individual patient treatment
  • In-house use of medical records (Grand Rounds Presentations)
  • Program evaluation (Quality Control/Quality Improvement activities, if not for publication)

Medical Records Review and No Subject Contact

Some research using data from medical records — such as retrospective record reviews — can be done without having contact with subjects. The IRB review process depends on the level of risk to subjects’ privacy posed by the type and extent of PHI associated with the dataset.

Below is a brief description of the level of review that may be required. See the Levels of Review page for important details and restrictions.

In order for your record review research to qualify as exempt (category 4), you can have access to records that include identifiers — such as name or date of birth — but you cannot record this information, even temporarily, while extracting the data you need. Learn more here. 

Retrospective and some prospective research that involves reviewing existing medical records may qualify for expedited review (category 5). The study must be minimal risk. Learn more here.

Because researchers will have access to PHI during the review of medical records, the IRB Application must include:

  • Clear explanation of the research methods that will guard against disclosure of private information; and
  • Justification for waiving consent and HIPAA authorization.

Example: A researcher wants to gather data on the use of a particular antibiotic by reviewing medical records from the years 2010-2015. The research qualifies as expedited review (category 5), and access to the specified records is granted with an IRB-approved waiver of consent/authorization.

In very rare cases, full committee review may be required for medical records review, even if there is no contact with subjects. Under federal regulation, expedited review cannot be used for studies that pose greater than minimal risk to subjects.

Full committee review is required for medical record studies where identification of the subjects and/or their responses would reasonably place them at risk for criminal or civil liability or be damaging to their financial standing, employability, insurability, reputation or be stigmatizing. The IRB may review the study at the expedited level if the study team implements reasonable and appropriate protections to safeguard the subjects' privacy and confidentiality.

IRB review may be required, depending on the PHI you will access and types of records you want to review. See the FAQ section on the Research Needing IRB Review for more information. 

Medical Records Review Involving Subject Contact

The IRB has specific requirements for studies that involve subject contact and include medical record review during screening, recruitment and/or ongoing throughout the study.

Screening involves reviewing medical records to determine eligibility of subjects based on the study's inclusion/exclusion criteria. Medical records may already exist or may be created prospectively as part of the study.

Because subject contact occurs before medical records are reviewed, include a statement in the consent form that the subjects' medical records will be reviewed during the study. See Informed Consent Requirements for details.

You may review existing medical records to identify potential study subjects, whom you will later contact and ask to participate in your study.

You will be asked to explain why you need to access PHI prior to obtaining consent and request a waiver of consent/authorization for recruitment purposes. The IRB Application in iRIS will automatically branch to the Waiver of Consent/Authorization for Recruitment Purposes section if it is needed.

The IRB has guidelines for contacting subjects for recruitment purposes after medical records are reviewed. Amongst other things, recruitment letters must state that the patient was identified as a result of reviewing medical records and generally be signed by someone already involved in the patient’s care.

If you will review medical records throughout the study, include this information in the Procedures section of the IRB Application. In the consent form, also inform subjects that medical records review is a procedure used during the study. See Informed Consent Requirements for details.


Level of Review: In the IRB Application in iRIS, you will be asked to select the risk level, level of review for the study and indicate whether the study involves subject contact. The type of IRB review is based on the level of risk posed by the study. 

If a study is greater than minimal risk, it will require full committee review. Most minimal risk record review studies that involve subject contact qualify for expedited review, provided that the study activities fit into the expedited review categories. Very rarely, these studies may qualify for exemption. See the Levels of Review page for more information.

  1. A researcher wants to gather data on her own patients who have been diagnosed with oral cancer. In most cases, the information can be retrieved from existing medical records with a waiver of consent/authorization. However, in some cases the medical record does not contain all of the information needed and the investigator proposes to contact patients to obtain the missing data.
  2. A researcher wants to interview adults about difficulties they have in managing their type 2 diabetes. The researcher will also review the patients' medical records to obtain clinical information about their diabetes.

1. A researcher wants to review medical records to identify and possibly recruit potentially eligible subjects for an investigational drug study. In order to gain access to existing medical records, the PI will need to request a waiver of consent/authorization for recruitment purposes. Also, subjects will need to sign a consent form and HIPAA authorization form to participate in the study. The consent form should include a statement disclosing that medical records review is part of the study procedures.

Consent and HIPAA Requirements

Informed Consent Requirements: Research involving subject contact requires informed consent, no matter the level of review your study requires.

The consent form should include the following information:

  • A statement regarding the purpose of the medical records review (i.e. for screening, for ongoing review or to meet follow-up requirements) in the "Procedures" section.
  • A statement informing subjects their medical records will be reviewed by others besides UCSF researchers (i.e., sponsor or FDA) in the "Confidentiality" section.

HIPAA Requirements: In addition to obtaining informed consent, HIPAA authorization or an approved waiver is also required. The IRB approval letter will indicate whether subjects must sign a HIPAA authorization form.

Tools for Researchers

The Cohort Selection Tool enables researchers to query the Integrated Data Repository (IDR), which currently contains a de-identified copy of the UCSF Medical Center APeX database and the UCSF School of Dentistry Dental Clinic database. You can test hypotheses and identify potential cohorts by using this tool.

Clinical Data Research Consultations is a service that extracts data sets from UCSF Medical Center and SFGH hospital data sources for research purposes. You can request the extraction of de-identified, aggregate and identified patient data sets. A current and relevant IRB approval is required for all identified data extractions.

Visit the UCSF HUB and Academic Research Systems pages for information on other tools available to researchers.

Last updated: September 27, 2023