Data Broker Services : Frequently Asked Questions

What are best data practices?

  • Please refer to the Data Broker’s Data Handling Guidelines page.
  • Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.

What is PHI?

  • Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.


What are the direct/indirect identifiers related to PHI?

  1. Names
  2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
  3. All elements of dates except year
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

What is a limited data set?
A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:

  1. Names
  2. street addresses (other than town, city, state and zip code)
  3. telephone numbers
  4. fax numbers
  5. email addresses
  6. Social Security numbers
  7. medical records numbers
  8. health plan beneficiary numbers
  9. account numbers
  10. certificate license numbers
  11. vehicle identifiers and serial numbers, including license plates
  12. device identifiers and serial numbers
  13. URLs
  14. IP address numbers
  15. biometric identifiers
  16. full face photos (or comparable images)
  • Identifiable information allowed includes:
    • dates (i.e., admission, discharge, service, DOB, DOD)
    • city, state, zip code (five digits or more)

    What is Attachment 45? - Accounting for Disclosure

    • For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the Office of HIPAA Privacy & Security a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is the link.
      • The electronic file should be emailed to privacy@med.miami.edu with “Study # Spreadsheet File” as the subject.
        • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

    How to cite Data Broker services in papers, posters, presentations, etc.?

    • “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of Privacy and Data Security.”

    How to submit a clinical data request
    How to submit a consent to contact request

    Data Broker group Contact information