The mission of Data Broker Services is to provide a centralized, standardized review of all requests for clinical data at the University and its health system. Data is increasingly the lifeblood of the organization and must flow to meet its needs. In an increasingly complex regulatory environment with concerns over information privacy and security, the flows of data, particularly identifiable and other sensitive data, must be balanced against compliance, security and regulatory risk. Data Broker Services act as an essential component of our overall data protection strategy, while facilitating the institution’s overall goals for delivering high quality healthcare, transforming patient care through research and educating the next generation of medical leaders.

The data broker program serves as an independent intermediary between the clinical enterprise and requesters of clinical data, primarily the research community, but also increasingly facilitates Business/Finance decision-making, healthcare operations, quality improvement and other business needs for UHealth/Miller School of Medicine. Data flows and analytics are essential for strategic planning at the parent UHealth and major facility level, as well as tactically for clinical departments and related business units. We seek to enhance our overall competitive position as an academic medical center and as the leading provider of healthcare services in South Florida and regionally.

Requesting Clinical Data

The principal way to submit a Clinical Data request to the Data Broker group is via the  UHealth IT Service portal. The only exception is for Research-related Consent to Contact lists via REDCap application.

• Self-Service Portal
• Data Broker Numbers
• Consent to Contact via REDCap

• Request for Research

  • Ensure:
    • Study is IRB approved and active
    • Recipient of data is on study team
    • Requested criteria match protocol
    • Requested fields match protocol
  • Provide IRB eProst study number
  • Provide Inclusion/Exclusion Criteria
  • List fields/columns to include in the data output

• Request for Preparatory to Research

  • Ensure Investigator’s Certification for Reviews Preparatory to Research form (Form E) is submitted to IRB
  • Attach copy of completed form
  • Provide Inclusion/Exclusion Criteria
  • List fields/columns to include in the data output

• Request related to Healthcare Operations

  • Briefly explain reason the data is needed
  • Provide contact information for administrator authorizing this request
  • Provide Inclusion/Exclusion Criteria
  • List fields/columns to include in the data output

• General guidelines for requests

  • Reason for data request
  • Inclusion/Exclusion Criteria to select the appropriate population
    • These criteria could include: dates of service, ICD diagnosis codes, CPT procedure codes, provider, patient gender, patient age, service location, etc.
    • Note: Data from December 1, 2010 onwards is available from UChart
    • For Medical Chart data prior to December 1, 2010, a separate request will need to be submitted. Data fulfillment is completed by the third party vendor
  • Fields/columns to include in the data output

• What are best data practices?

  • Please refer to the Data Broker’s Data Handling Guidelines page.
  • Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.

• What is Protected Health Information (PHI)?

  • Protected health information (PHI) is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a covered entity (CE) in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. Information is only considered PHI when an individual can be identified from the information AND there is associated health-related information.
  • A covered entity (CE) is an organization that has to comply with HIPAA (Health Insurance Portability and Accountability Act). Examples of covered entities include health care providers and health plans that engage in standard health care electronic transactions. The University of Miami is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities (CE component), it also has other organizational activities such as education and research (non-CE component).

• What is Personally Identifiable Information (PII)?

  What is Personally Identifiable Information (PII)?

  Privacy laws across the world govern the collection, use and disclosure of Personally Identifiable Information, or PII for short. In general terms, PII is any information that could be used to identify a specific person. University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available.

  PII includes:
  “Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

  
  Examples of PII include, but are not limited to:

  • Name: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
  • Personal address information: street address, or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

  The following examples, on their own, do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

  • Date of birth
  • Place of birth
  • Business telephone number
  • Business mailing or email address
  • Race
  • Religion
  • Geographical indicators
  • Employment information
  • Medical information
  • Education information
  • Financial information

  General Data Protection Regulation (GDPR) Definition of Personal Data

  GDPR is a law that protects the privacy rights of residents of the European Union. This law defines “personal data” as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

  Under GDPR the following categories are considered sensitive i.e., subject to more stringent protection requirements:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
  • trade-union membership
  • genetic data, biometric data processed solely to identify a human being
  • health-related data
  • data concerning a person’s sex life or sexual orientation.

  Florida Information Protection Act

  Personal information means either of the following:

  • An individual's first name or first initial and last name in combination with:
  • A social security number
  • A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
  • A financial account number or credit card or debit card number, in combination with any required security code, access code or passport that is necessary to access the individual's financial account
  • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual

  A username or email address, in combination with a password or security question and answer that would permit access to an online account

• What are the direct/indirect identifiers related to PHI?

  1. Names
  2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
  3. All elements of dates except year
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

• What is a limited data set?

  A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:

   

  1. Names
  2. street addresses (other than town, city, state and zip code)
  3. telephone numbers
  4. fax numbers
  5. email addresses
  6. Social Security numbers
  7. medical records numbers
  8. health plan beneficiary numbers
  9. account numbers
  10. certificate license numbers
  11. vehicle identifiers and serial numbers, including license plates
  12. device identifiers and serial numbers
  13. URLs
  14. IP address numbers
  15. biometric identifiers
  16. full face photos (or comparable images)

  Identifiable information allowed includes:
  

   

  • dates (i.e., admission, discharge, service, DOB, DOD)
  • city, state, zip code (five digits or more)

• What is Attachment 45? - Accounting for Disclosure

  For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. 

  • The electronic file should be emailed to privacy@med.miami.edu with “Study # Spreadsheet File” as the subject.
    • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

• How to cite Data Broker services in papers, posters, presentations, etc.

  “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of the Vice Provost for Research + Scholarship.”

• What is Safe Harbor Method for De-Identified Data?

  Guidance to Safe Harbor Method

• Contacts
• Applications
• Departments
• Jackson Health System
• Other Resources