Data Broker Services: Frequently Asked Questions

What are best data practices?

  • Please refer to the Data Broker’s Data Handling Guidelines page.

What is PHI?

  • Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

What are the direct/indirect identifiers related to PHI?

  1. Names
  2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
  3. All elements of dates except year
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

What is Attachment 45? - Accounting for Disclosure

  • For research requests, as per record-keeping requirements, any disclosure made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the Office of HIPAA Privacy & Security a record of disclosure for each disclosure of patient information under a waiver of authorization, using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is the link.
    • The electronic file should be emailed to with “Study # Spreadsheet File” as the subject.
      • For more than 50 individuals, you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.
