Data Broker Services


The mission of Data Broker Services is to provide a centralized, standardized review of all requests for clinical data at the University and its health system. Data is increasingly the lifeblood of the organization and must flow to meet its needs. In an increasingly complex regulatory environment with concerns over information privacy and security, the flows of data, particularly identifiable and other sensitive data, must be balanced against compliance, security and regulatory risk. Data Broker Services act as an essential component of our overall data protection strategy, while facilitating the institution’s overall goals for delivering high quality healthcare, transforming patient care through research and educating the next generation of medical leaders.

The data broker program serves as an independent intermediary between the clinical enterprise and requesters of clinical data, primarily the research community, but also increasingly facilitates Business/Finance decision-making, healthcare operations, quality improvement and other business needs for UHealth/Miller School of Medicine. Data flows and analytics are essential for strategic planning at the parent UHealth and major facility level, as well as tactically for clinical departments and related business units. We seek to enhance our overall competitive position as an academic medical center and as the leading provider of healthcare services in South Florida and regionally.

Requesting Clinical Data

The principal way to submit a Clinical Data request to the Data Broker group is via the  UHealth IT Service portal. The only exception is for Research-related Consent to Contact lists via REDCap application.

Use the Data Broker Services (Clinical) Request form under “Employee Center” – “Data Extract or Reports” available on the UHealth IT Service Now Portal Catalog Filters. 

You will be prompted to log in through Single Sign-On page (DUO dual-factor authentication) before being presented with the Service Now screen.

  • Required fields have an *.
  • You must accept the Terms and Conditions by checking the box.
  • Attach any documents by using the paperclip icon available at the bottom of the form.
  • Scroll up and submit your request. Note: If you did not complete one of the required fields you will see a pop-up listing all missing required fields.
  • Click “OK” and the required fields will display with a red *.
  • Click on “Submit Order” and an Order Status page with ticket number will display
  • For more information on how to submit specific requests, please refer to the Guide to the Data Broker Services Request form.
  • Click on My Order and Tickets to check the status of your request

The mission of the Data Broker is to provide a centralized, standardized review requests for clinical data at the University and its health system. Requests are managed through University of Miami’s Information Technology Service Now platform.

This represents the previous month’s summary of active requests that the Data Broker has facilitated broken down by request type and origin/s.

Additionally, there are comparisons of the number active requests to the previous two years, both as monthly and year to date. For questions on these summaries, please reach out to the Data Broker (

Submitting a request for a Consent to Contact participant list via REDCap

Prior to submission, check the following:

  • Feasibility – perform a feasibility check/query using existing tools (i.e. URIDE, Slicer Dicer) to verify whether UHealth has patients meeting study criteria
  • Inclusion/Exclusion Criteria - Determine the applicable Diagnosis Codes (ICD-10/ICD-9) and Procedure Codes (CPT/HCPCS) as well as other relevant criteria (age ranges, providers, locations, start and end dates of service) for the population of interest
  • IRB Approved Protocol – have approval and eProst number
  • Consent to Contact must be listed as a method of recruitment in the study protocol
    • Related Consent to Contact documents (i.e. script, sample dialogues, etc.) need to be listed in eProst
  • Obtain a waiver of authorization from the IRB
  • Study team members that will be calling the patients should be listed on the Study Team section in eProst
    • Have names and c-numbers
  • Complete the Consent to Contact REDCap form available here

What to include:

  • eProst Number
  • Project Title
  • PI Name & UM e-mail
  • Project Summary
  • Research area/pillars
  • Inclusion/Exclusion criteria
  • Study team member names & c-numbers of who will be calling and accessing participant data
  • Date range for request


  • Please obtain the appropriate HIPAA waivers of authorization prior to submitting the Consent to Contact request. Please review the HSRO’s Consent to Contact page for additional information.
  • Complete the Consent to Contact script template.
  • Consent to Contact subject list will only be available in REDCap for 90 days
  • Refreshed/updated consent to contact lists can be requested

Contact Information

What to Include in a Clinical Data Request

Open All Tabs
  • Request for Research

    • Ensure:
      • Study is IRB approved and active
      • Recipient of data is on study team
      • Requested criteria match protocol
      • Requested fields match protocol
    • Provide IRB eProst study number
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • Request for Preparatory to Research

    • Ensure Investigator’s Certification for Reviews Preparatory to Research form (Form E) is submitted to IRB
    • Attach copy of completed form
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • Request related to Healthcare Operations

    • Briefly explain reason the data is needed
    • Provide contact information for administrator authorizing this request
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • General guidelines for requests

    • Reason for data request
    • Inclusion/Exclusion Criteria to select the appropriate population
      • These criteria could include: dates of service, ICD diagnosis codes, CPT procedure codes, provider, patient gender, patient age, service location, etc.
      • Note: Data from December 1, 2010 onwards is available from UChart
      • For Medical Chart data prior to December 1, 2010, a separate request will need to be submitted. Data fulfillment is completed by the third party vendor
    • Fields/columns to include in the data output

Services and Resources

Patient Contact Lists & Other Common Requests

Patient contact lists for outreach purposes, access to Epic cubes for billing, case logs for credentialing, workbench data reviews, data transfers, dashboard publications

Data Handling Guidelines

Best practices for adequately safeguarding and securing sensitive or confidential information.

Frequently Asked Questions

Open All Tabs
  • What are best data practices?

    • Please refer to the Data Broker’s Data Handling Guidelines page.
    • Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.

  • What is Protected Health Information (PHI)?

    • Protected health information (PHI) is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a covered entity (CE) in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. Information is only considered PHI when an individual can be identified from the information AND there is associated health-related information.
    • covered entity (CE) is an organization that has to comply with HIPAA (Health Insurance Portability and Accountability Act). Examples of covered entities include health care providers and health plans that engage in standard health care electronic transactions. The University of Miami is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities (CE component), it also has other organizational activities such as education and research (non-CE component).

  • What is Personally Identifiable Information (PII)?

    What is Personally Identifiable Information (PII)?

    Privacy laws across the world govern the collection, use and disclosure of Personally Identifiable Information, or PII for short. In general terms, PII is any information that could be used to identify a specific person. University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available.

    PII includes:
    “Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

    Examples of PII include, but are not limited to:

    • Name: full name, maiden name, mother’s maiden name, or alias
    • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
    • Personal address information: street address, or email address
    • Personal telephone numbers
    • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
    • Biometric data: retina scans, voice signatures, or facial geometry
    • Information identifying personally owned property: VIN number or title number
    • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

    The following examples, on their own, do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

    • Date of birth
    • Place of birth
    • Business telephone number
    • Business mailing or email address
    • Race
    • Religion
    • Geographical indicators
    • Employment information
    • Medical information
    • Education information
    • Financial information

    General Data Protection Regulation (GDPR) Definition of Personal Data

    GDPR is a law that protects the privacy rights of residents of the European Union. This law defines “personal data” as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

    Under GDPR the following categories are considered sensitive i.e., subject to more stringent protection requirements:

    • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
    • trade-union membership
    • genetic data, biometric data processed solely to identify a human being
    • health-related data
    • data concerning a person’s sex life or sexual orientation.

    Florida Information Protection Act

    Personal information means either of the following:

    • An individual's first name or first initial and last name in combination with:
    • A social security number
    • A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
    • A financial account number or credit card or debit card number, in combination with any required security code, access code or passport that is necessary to access the individual's financial account
    • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
    • An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
    A username or email address, in combination with a password or security question and answer that would permit access to an online account

  • What are the direct/indirect identifiers related to PHI?

    1. Names
    2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
    3. All elements of dates except year
    4. Phone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code

  • What is a limited data set?

    A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:


    1. Names
    2. street addresses (other than town, city, state and zip code)
    3. telephone numbers
    4. fax numbers
    5. email addresses
    6. Social Security numbers
    7. medical records numbers
    8. health plan beneficiary numbers
    9. account numbers
    10. certificate license numbers
    11. vehicle identifiers and serial numbers, including license plates
    12. device identifiers and serial numbers
    13. URLs
    14. IP address numbers
    15. biometric identifiers
    16. full face photos (or comparable images)
    Identifiable information allowed includes:


    • dates (i.e., admission, discharge, service, DOB, DOD)
    • city, state, zip code (five digits or more)

  • What is Attachment 45? - Accounting for Disclosure

    For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page

    • The electronic file should be emailed to with “Study # Spreadsheet File” as the subject.
      • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

  • How to cite Data Broker services in papers, posters, presentations, etc.

    “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of the Vice Provost for Research + Scholarship.”

  • What is Safe Harbor Method for De-Identified Data?

Contact and Additional Resources