Requesting Clinical Data

• Ensure:
  • Study is IRB approved and active
  • Recipient of data is on study team
  • Requested criteria match protocol
  • Requested fields match protocol
  • Requested date range math protocol
• Provide IBISResearch IRB study ID number
• Provide Inclusion/Exclusion Criteria
• List fields/columns to include in the data output

• Ensure Investigator’s Certification for Reviews Preparatory to Research form (Form E) is submitted to IRB
• Attach copy of completed form
• Provide Inclusion/Exclusion Criteria
• List fields/columns to include in the data output

• Briefly explain reason the data is needed
• Provide contact information for administrator authorizing this request
• Manager approval may be requested for all Quality Assurance (QA) and Quality Improvement (QI) requests.
• Provide Inclusion/Exclusion Criteria
• List fields/columns to include in the data output

• Reason for data request
• Inclusion/Exclusion Criteria to select the appropriate population
  • These criteria could include dates of service, ICD-10 diagnosis codes, CPT procedure codes, provider, patient gender, patient age, service location, etc.
  • Note: Data from December 1, 2010, onwards is available from UChart
  • For Medical Chart data prior to December 1, 2010, a separate request will need to be submitted. Data fulfillment is completed by the third-party vendor
• List of fields/columns to include in the data output

Patient contact lists can be requested for outreach purposes. These can include physician departure letters, newsletters, educational material, community outreach, etc. For these type of data requests, please submit a Data Broker Services (Clinical) Request form under “Employee Center” – “Data Extract or Reports” available on the UHealth IT Service Now Portal Catalog Filters. 

Please include the following information: 

• Please briefly explain the reason for the request (patient outreach - departure letter, newsletter, educational material, etc.)
• Please list the inclusion/exclusion criteria to select the appropriate population
  • Criteria could include provider, date of service range, service location, etc.
• Please list the fields/columns to include in the contact list  

Please note that prior to any patient contact information being released, all outreach materials need to be sent to, reviewed, & approved by the Privacy Office to ensure patient privacy.

• Please e-mail a copy of the outreach materials to the Privacy Office via privacy@med.miami.edu.
• Sample Physician Departure Letter template

• Provide the reason for the request
• Please provide the filters/criteria for the request (i.e. provider name & NPI, CPT procedure codes, date of service range, provider location, etc.)
• What fields to include in the output file (i.e. provider location, CPT procedure codes, units, date of service, etc.)

If data needs to be either stored or moved from a Secure Workbench (secure, restricted environment inclusive of data analytic tools, provided by CTSI Informatics):

• Please briefly describe the details of this project including the need for PHI or other sensitive data.
• If for research, provide the related eProst study number.
• Have a project lead (or another administrator within the area) send an e-mail stating their approval of this project.
• Provide a Variable Dictionary, spreadsheet, list, etc. of all variables included in the data file. If easier please provide the actual location (i.e., which secure workbench holds the data).
• List the individuals who will be receiving the data as well the reason for their need for PHI or other sensitive data. Also include how the data should be transmitted to those individuals.

For dashboard / report (e.g., Power BI) publication or to share with other individuals:

• Briefly describe the purpose of the dashboard. If PHI or other sensitive data is included, provide the reason for inclusion.
• Have a project lead (or another administrator within the business unit) send an e-mail stating their approval of the dashboard and that it will be the responsibility of the business unit to notify IT when individuals no longer require access to the dashboard.
• Provide a Variable Dictionary, spreadsheet, list, etc. of all variables included in the data dashboard. If easier please share the dashboard for review.
• List the individuals who will be receiving access to the dashboard as well as the access type (i.e., view-only, ability to share, download and/or print,etc.).
• Here are some guidelines to follow when publishing dashboards:
  • Only share with authorized individuals
  • Ensure that dashboard settings are set appropriately (i.e., end user cannot edit). Some common settings to be mindful of include printing, sharing, exporting abilities.
  • Individuals who no longer need access to the dashboard should have their access disabled/removed. Inform UHealth IT (privacy@med.miami.edu) if individuals authorized, have left, transferred or otherwise have no further need of the dashboard.

• Please refer to the Data Broker’s Data Handling Guidelines page.
• Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.

• Protected health information (PHI) is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a covered entity (CE) in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. Information is only considered PHI when an individual can be identified from the information AND there is associated health-related information.
  
  
• A covered entity (CE) is an organization that has to comply with HIPAA (Health Insurance Portability and Accountability Act). Examples of covered entities include health care providers and health plans that engage in standard health care electronic transactions. The University of Miami is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities (CE component), it also has other organizational activities such as education and research (non-CE component).

What is Personally Identifiable Information (PII)?

Privacy laws across the world govern the collection, use and disclosure of Personally Identifiable Information, or PII for short. In general terms, PII is any information that could be used to identify a specific person. University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available.

PII includes:
“Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Examples of PII include, but are not limited to:

• Name: full name, maiden name, mother’s maiden name, or alias
• Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
• Personal address information: street address, or email address
• Personal telephone numbers
• Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
• Biometric data: retina scans, voice signatures, or facial geometry
• Information identifying personally owned property: VIN number or title number
• Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

The following examples, on their own, do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

• Date of birth
• Place of birth
• Business telephone number
• Business mailing or email address
• Race
• Religion
• Geographical indicators
• Employment information
• Medical information
• Education information
• Financial information

General Data Protection Regulation (GDPR) Definition of Personal Data

GDPR is a law that protects the privacy rights of residents of the European Union. This law defines “personal data” as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Under GDPR the following categories are considered sensitive i.e., subject to more stringent protection requirements:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
• trade-union membership
• genetic data, biometric data processed solely to identify a human being
• health-related data
• data concerning a person’s sex life or sexual orientation.

Florida Information Protection Act

Personal information means either of the following:

• An individual's first name or first initial and last name in combination with:
• A social security number
• A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
• A financial account number or credit card or debit card number, in combination with any required security code, access code or passport that is necessary to access the individual's financial account
• Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
• An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual

1. Names
2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
3. All elements of dates except year
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:

1. Names
2. street addresses (other than town, city, state and zip code)
3. telephone numbers
4. fax numbers
5. email addresses
6. Social Security numbers
7. medical records numbers
8. health plan beneficiary numbers
9. account numbers
10. certificate license numbers
11. vehicle identifiers and serial numbers, including license plates
12. device identifiers and serial numbers
13. URLs
14. IP address numbers
15. biometric identifiers
16. full face photos (or comparable images)

• dates (i.e., admission, discharge, service, DOB, DOD)
• city, state, zip code (five digits or more)

For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page

• The electronic file should be emailed to privacy@med.miami.edu with “Study # Spreadsheet File” as the subject.
  • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

“Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of the Vice Provost for Research + Scholarship.”

Guidance to Safe Harbor Method

Privacy By Design Requirements