What are best data practices?
- Please refer to the Data Broker’s Data Handling Guidelines page.
- Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.
What is PHI?
- Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
What are the direct/indirect identifiers related to PHI?
- All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
- All elements of dates except year
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
What is a limited data set?
A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:
- street addresses (other than town, city, state and zip code)
- telephone numbers
- fax numbers
- email addresses
- Social Security numbers
- medical records numbers
- health plan beneficiary numbers
- account numbers
- certificate license numbers
- vehicle identifiers and serial numbers, including license plates
- device identifiers and serial numbers
- IP address numbers
- biometric identifiers
- full face photos (or comparable images)
- dates (i.e., admission, discharge, service, DOB, DOD)
- city, state, zip code (five digits or more)
What is Attachment 45? - Accounting for Disclosure
- For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the Office of HIPAA Privacy & Security a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is the link.
- The electronic file should be emailed to firstname.lastname@example.org with “Study # Spreadsheet File” as the subject.
- For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.
How to cite Data Broker services in papers, posters, presentations, etc.?
- “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of Privacy and Data Security.”
- E-mail: email@example.com
- Phone: 305-243-5000