What are best data practices?
- Please refer to the Data Broker’s Data Handling Guidelines page.
What is PHI?
- Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
What are the direct/indirect identifiers related to PHI?
- All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
- All elements of dates except year
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
What is Attachment 45? - Accounting for Disclosure
- For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the Office of HIPAA Privacy & Security a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is the link.
- The electronic file should be emailed to email@example.com with “Study # Spreadsheet File” as the subject.
- For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.
- E-mail: firstname.lastname@example.org
- Phone: 305-243-5000