Data Broker Services : Frequently Asked Questions

What are best data practices?

  • All UM employees with access to protected health information (PHI), complete HIPAA Privacy & Security Awareness training in the University’s Learning Management System ULearn.
  • Be especially careful with storage of the identifiable data on mobile devices or unsanctioned cloud storage.
  • For portable devices such as laptops – you should only be using either university supplied laptops or laptops that have university approved full disk encryption software installed and an updated anti-malware application such as MacAfee.
  • For mobile storage (USB Flash, hard drives) – again avoid storing identifiable data unless you absolutely must. If you must, then such devices MUST be encrypted. UHealth IT (at Medical 305-243-5999,, can provide assistance on encryption services for laptops, selection of appropriate mobile devices, secure remote access, secure file transfer, encrypting email etc. UM IT (305-284-6565,,
  • Only Remote access methods approved by UM IT should be used. Please see Access UM’s Network via UMIT Approved Remote Access Tools.
  • PHI should not be stored on mobile phones or tablets. If such devices are being used for access, then such devices must utilize a PIN with a timeout/auto-lock. Please see Mobile Device PIN for more details.
  • Only if there is a need, use ONLY University supplied Box accounts (2 factor authentication) if any information must be stored in the cloud and be careful to only share with those involved in the project for the time period necessary to accomplish the purpose. Do not share any type of sensitive data out to “Everyone”.  Be sure to remove the data at the end of the project, subject to any data retention requirements.
  • Individuals who no longer need access to the project/data should have their access disabled/removed. This is particularly relevant if employees’ job responsibilities have changed due to transfers or for other reasons.
  • Do not use public email accounts (Gmail, Hotmail etc.) to send PHI or conduct other University business.
  • Do not send PHI to unauthorized individuals (i.e. individuals who have no business/clinical reason, no approved involvement in project etc.) or to individuals with non or email addresses.
  • Physical controls (locked, file cabinet, card key restricted office area etc.) should be used for paper/printouts with such information.
  • Paper/printouts with such information that need to be disposed of, should be shredded or placed in the approved (currently) Shred-It bins for such information – NOT in the regular trash.

What is PHI?

  • Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

What are the direct/indirect identifiers related to PHI?

  1. Names
  2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
  3. All elements of dates except year
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

What is Attachment 45? - Accounting for Disclosure

  • For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the Office of HIPAA Privacy & Security a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is the link.
    • The electronic file should be emailed to with “Study # Spreadsheet File” as the subject.
      • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

How to submit a clinical data request
How to submit consent to contact request
Data Broker group Contact information