Data Broker Services


The mission of Data Broker Services is to provide a centralized, standardized review of all requests for clinical data at the University and its health system. Data is increasingly the lifeblood of the organization and must flow to meet its needs. In an increasingly complex regulatory environment with concerns over information privacy and security, the flows of data, particularly identifiable and other sensitive data, must be balanced against compliance, security and regulatory risk. Data Broker Services act as an essential component of our overall data protection strategy, while facilitating the institution’s overall goals for delivering high quality healthcare, transforming patient care through research and educating the next generation of medical leaders.

The data broker program serves as an independent intermediary between the clinical enterprise and requesters of clinical data, primarily the research community, but also increasingly facilitates Business/Finance decision-making, healthcare operations, quality improvement and other business needs for UHealth/Miller School of Medicine. Data flows and analytics are essential for strategic planning at the parent UHealth and major facility level, as well as tactically for clinical departments and related business units. We seek to enhance our overall competitive position as an academic medical center and as the leading provider of healthcare services in South Florida and regionally.

Requesting Clinical Data

There are three ways to submit a Clinical Data Request to the Data Broker group: emailing UMIT, submitting a request through the UMIT Self-Service portal, and submitting a request for a Consent to Contact participant list via REDCap. 

Use the clinical data request form available on the UMIT Service Now Self-Service Portal. You will be prompted to login through UMIT’s Single Sign On page (DUO dual factor authentication) before being presented with the Service Now screen.

  • Make sure you are on the Homepage. If you are not, select Homepage from the left menu options and then choose Order Items & Services.
  • On the Order Items & Services page, select Clinical Data Request form.
  • Required fields have an *.
  • You must accept the Terms and Conditions by checking the box.
  • Attach any documents by using the paperclip icon available at the top of the form.
  • Scroll up and submit your request. Note: If you did not complete one of the required fields you will see a pop-up listing all missing required fields.
  • Click “OK” and the required fields will display with a red *.

Requests may be sent via email to with the Data Broker group ( cc’ed.

Briefly describe the data request and mention that the request is for clinical data and should be forwarded to the Data Broker Services (Clinical) group for review and approval. You can attach any documentation pertinent to the request, such as an IRB approval letter, Preparatory to Research Form E, etc. This request causes a ticket to be created in the UM IT Service Now system. All requests including reason, authorization and data details are documented in the Service Now platform.

Submitting a request for a Consent to Contact participant list via REDCap

Prior to submission, check the following:

  • Feasibility – perform a feasibility check/query using existing tools (i.e. URIDE, Slicer Dicer) to verify whether UHealth has patients meeting study criteria
  • Inclusion/Exclusion Criteria - Determine the applicable Diagnosis Codes (ICD-10/ICD-9) and Procedure Codes (CPT/HCPCS) as well as other relevant criteria (age ranges, providers, locations, start and end dates of service) for the population of interest
  • IRB Approved Protocol – have approval and eProst number
  • Consent to Contact must be listed as a method of recruitment in the study protocol
    • Related Consent to Contact documents (i.e. script, sample dialogues, etc.) need to be listed in eProst
  • Obtain a waiver of authorization from the IRB
  • Study team members that will be calling the patients should be listed on the Study Team section in eProst
    • Have names and c-numbers
  • Complete the Consent to Contact REDCap form available here

What to include:

  • eProst Number
  • Project Title
  • PI Name & UM e-mail
  • Project Summary
  • Research area/pillars
  • Inclusion/Exclusion criteria
  • Study team member names & c-numbers of who will be calling and accessing participant data
  • Date range for request


  • Please obtain the appropriate HIPAA waivers of authorization prior to submitting the Consent to Contact request. Please review the HSRO’s Consent to Contact page for additional information.
  • Complete the Consent to Contact script template.
  • Consent to Contact subject list will only be available in REDCap for 90 days
  • Refreshed/updated consent to contact lists can be requested

Contact Information

What to Include in a Clinical Data Request

Open All Tabs
  • Request for Research

    • Ensure:
      • Study is IRB approved and active
      • Recipient of data is on study team
      • Requested criteria match protocol
      • Requested fields match protocol
    • Provide IRB eProst study number
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • Request for Preparatory to Research

    • Ensure Investigator’s Certification for Reviews Preparatory to Research form submitted to IRB
    • Attach copy of completed form
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • Request related to Healthcare Operations

    • Briefly explain reason the data is needed
    • Provide contact information for administrator authorizing this request
    • Provide Inclusion/Exclusion Criteria
    • List fields/columns to include in the data output

  • General guidelines for requests

    • Reason for data request
    • Inclusion/Exclusion Criteria to select the appropriate population
      • These criteria could include: dates of service, ICD diagnosis codes, CPT procedure codes, provider, patient gender, patient age, service location, etc.
      • Note: Data from December 1, 2010 onwards is available from UChart
      • For Medical Chart data prior to December 1, 2010, a separate request will need to be submitted. Data fulfillment is completed by the third party vendor
    • Fields/columns to include in the data output

Services and Resources

Patient Contact Lists & Other Common Requests

Patient contact lists for outreach purposes, access to Epic cubes for billing, case logs for credentialing, workbench data reviews, data transfers, dashboard publications

Data Handling Guidelines

Best practices for adequately safeguarding and securing sensitive or confidential information.

Frequently Asked Questions

Open All Tabs
  • What are best data practices?

    • Please refer to the Data Broker’s Data Handling Guidelines page.
    • Please refer to the Telecommuting and Remote Work Guidelines page for information on telecommuting guidelines.

  • What is PHI?

    Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

  • What are the direct/indirect identifiers related to PHI?

    1. Names
    2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
    3. All elements of dates except year
    4. Phone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code

  • What is a limited data set?

    A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:


    1. Names
    2. street addresses (other than town, city, state and zip code)
    3. telephone numbers
    4. fax numbers
    5. email addresses
    6. Social Security numbers
    7. medical records numbers
    8. health plan beneficiary numbers
    9. account numbers
    10. certificate license numbers
    11. vehicle identifiers and serial numbers, including license plates
    12. device identifiers and serial numbers
    13. URLs
    14. IP address numbers
    15. biometric identifiers
    16. full face photos (or comparable images)
    Identifiable information allowed includes:


    • dates (i.e., admission, discharge, service, DOB, DOD)
    • city, state, zip code (five digits or more)

  • What is Attachment 45? - Accounting for Disclosure

    For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page

    • The electronic file should be emailed to with “Study # Spreadsheet File” as the subject.
      • For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with subject’s first and last name, subject’s DOB, subject’s MRN, study number, and name of study PI.

  • How to cite Data Broker services in papers, posters, presentations, etc.

    “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of the Vice Provost for Research + Scholarship.”