For Researchers / Data Users

Introduction

The North Dakota Statewide Cancer Registry (NDSCR) has the responsibility for the registry of cancer information for the state of North Dakota. Confidentiality of data is maintained by NDSCR. All requests for data must be in writing and include the summary research protocol or purpose, the data needed to complete the study and any Institutional Review Board [IRB] information.

Depending upon the type of data needed, requests may be reviewed by the NDSCR Epidemiologist, Registry Co-Program Directors, the NDSCR Advisory Committee, the North Dakota Department of Health [NDDoH] HIPAA Privacy Office and/or the NDDoH IRB. The NDSCR and HIPAA Privacy Office have the authority to deny a data request.

Procedure*

The NDDoH may release health information data as outlined below.

The NDDoH may disclose:

  •  Protected health information with the individual’s specific written authorization. Such authorization must meet all the requirements described in the Authorizations Policy (P-004).
  •  De-identified health information.
  •  A limited data set with a data use agreement.
  •  Health information for research if the information is not de-identified or is not a limited data set, with or without the individual’s authorization, if the NDDoH uses a data use agreement and obtains documentation that an alteration to, or waiver of, the individual’s authorization has been approved by:
    •  The NDDoH privacy board, or
    •  The NDDoH Institutional Review Board (IRB) if the research is in part conducted by an NDDoH employee for the Department of Health.
  •  Decedents’ information with a data use agreement. No IRB or privacy board review is needed. Consistent with the minimum necessary policy (P-012), the minimum necessary information will be disclosed. In addition, for research on decedents’ information, the NDDoH will obtain:
    •  Representation from the researcher that the information sought is solely for research on the PHI of decedents.
    • Assurance that there will be no attempt to contact family members.
    • Representation that the PHI requested is necessary for the research purpose.
    •  Documentation of the death of such individuals (if applicable).
  •  PHI when the NDDoH is operating as a public health authority. The NDDoH is authorized to disclose individual information without authorization for the purpose of preventing or controlling disease, injury or disability and to conduct a public health surveillance, investigation and intervention.
  • Information to a known public health authority. If the public health authority status of an organization is not known, the NDDoH will require a business associate agreement or data use agreement to be completed. Dependent upon the reason for the request from a public health authority, the NDDoH may require a business associate agreement or data use agreement be completed prior to disclosure of PHI to another public health authority.
  •  Information without individual authorization to the extent that such disclosure is required or permitted by law.

Any disclosures not consistent with this policy are a violation of NDDoH policies and procedures and federal HIPAA regulations. Sanctions may be imposed consistent with the Workforce Sanctions policy (P-027).

De-identified Health Information

  •  The NDDoH may disclose de-identified health information without the written authorization of the individual when the health information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. The NDDoH will use reasonable discretion when disclosing de-identified health information.
  •  The NDDoH may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate to create the de-identified information.
  •  The NDDoH may determine that health information is not individually identifiable health information (de-identified) if the following identifiers of the individual or of relatives, employers, or household members of the individual are removed and if the NDDoH does not have knowledge that the information could be used alone or in combination with other information to identify the individual:
    • Names
    • All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocode, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
      • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
      • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
    •  All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Telephone numbers
    • Fax numbers
    •  Electronic mail addresses
    •  Social security numbers
    •  Medical record numbers
    •  Health plan beneficiary numbers
    •  Account numbers
    •  Certificate/license numbers
    •  Vehicle identifiers and serial numbers, including license plate numbers
    •  Device identifiers and serial numbers
    •  Web Universal Resource Locators (URLs)
    •  Internet Protocol (IP) address numbers
    •  Biometric identifiers, including finger and voice prints
    •  Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic or code
  • The NDDoH may also determine that health information is not individually identifiable health information (de-identified) if:
    •  A person within the NDDoH who has appropriate knowledge and experience with statistical and scientific principles and methods for rendering information not individually identifiable:
      •  Determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
      •  Documents the methods and results of the analysis that justify such determination.
  •  The NDDoH may assign a code or other means of record identification to allow de-identified information to be re-identified if:
    •  The code or other means of record identification is not derived from or related to information about the individual and is not capable of being translated in order to identify the individual.
    •  The code or other means is not used for any other purpose and does not disclose the mechanism for re-identification.
  •  De-identified information disclosed via Internet access will be accompanied by a statement notifying the user that:
    •  Linking the data to other data for the purpose of identifying individuals is prohibited.
    •  The user must report to the NDDoH any inadvertent discovery of the identity of any person.
    •  The user must make no use of the discovery.
    •  By using this data, the user signifies agreement to comply with the above statements.
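
The zip code, date, age and record-code rules above, applied to a data extract. This is an added example, not NDDoH or NDSCR code; the field names, the population table and the sample records are constructed for illustration, and age is assumed to be computed as of the release date.

```python
import secrets
from datetime import date

# Constructed population counts per 3-digit zip prefix (NOT real Census data).
ZIP3_POPULATION = {"581": 150_000, "586": 12_000}

# Hypothetical field names for identifiers that are dropped outright.
DROP_FIELDS = {"name", "street_address", "city", "county", "phone", "email",
               "ssn", "medical_record_number"}

def generalize_zip(zip_code, populations):
    """Keep the 3-digit prefix only if its area has more than 20,000 people."""
    prefix = zip_code[:3]
    # Unknown prefixes count as population 0, so they fail closed to "000".
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def age_on(birth, as_of):
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def deidentify(record, populations, as_of):
    """Return (released_row, record_code) for one source record."""
    handled = DROP_FIELDS | {"zip", "birth_date", "diagnosis_date"}
    out = {k: v for k, v in record.items() if k not in handled}
    out["zip3"] = generalize_zip(record["zip"], populations)
    out["diagnosis_year"] = record["diagnosis_date"].year  # year only
    if age_on(record["birth_date"], as_of) > 89:
        out["age_group"] = "90+"  # birth year withheld: it would reveal the age
    else:
        out["birth_year"] = record["birth_date"].year
    # Random code: not derived from, or translatable to, any field of the record.
    code = secrets.token_hex(8)
    out["record_code"] = code
    return out, code

def release(records, populations, as_of):
    """De-identify a batch; the crosswalk (code -> source record) stays internal."""
    released, crosswalk = [], {}
    for rec in records:
        row, code = deidentify(rec, populations, as_of)
        released.append(row)
        crosswalk[code] = rec
    return released, crosswalk

# Constructed sample records.
SAMPLE = [
    {"name": "Jane Roe", "ssn": "000-00-0000", "zip": "58102",
     "birth_date": date(1960, 5, 17), "diagnosis_date": date(2019, 3, 2),
     "site": "C50.9"},
    {"name": "John Doe", "ssn": "000-00-0001", "zip": "58601",
     "birth_date": date(1930, 1, 15), "diagnosis_date": date(2021, 11, 9),
     "site": "C61.9"},
]
```

Only the released rows leave the organization; the crosswalk is what allows re-identification and is kept separately from anything disclosed.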

Limited Data Sets

  •  The NDDoH may disclose protected health information (PHI) for research, public health or health-care operations without the written authorization of the individual if the information is a limited data set and the NDDoH enters into a data use agreement with the limited data set recipient.
  •  A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:
    •  Names
    •  Postal address information, other than town or city, county, state and zip code
    •  Telephone numbers
    •  Fax numbers
    •  Electronic mail addresses
    •  Social security numbers
    •  Medical record numbers
    •  Health plan beneficiary numbers
    •  Account numbers
    •  Certificate/license numbers
    •  Vehicle identifiers and serial numbers, including license plate numbers
    •  Device identifiers and serial numbers
    •  Web Universal Resource Locators (URLs)
    •  Internet Protocol (IP) address numbers
    •  Biometric identifiers, including finger and voice prints
    •  Full face photographic images and any comparable images
  •  The NDDoH may disclose a limited data set only if the NDDoH obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the PHI for limited purposes.

Data use agreements

  •  All requests for data which require a data use agreement are to be sent to the NDDoH HIPAA coordinator.
  •  A data use agreement between the NDDoH and the limited data set recipient must:
    •  Establish the permitted uses and disclosures of the information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate these requirements.
    •  Establish who is permitted to use or receive the limited data set.
    •  Provide that the limited data set recipient will:
      •  Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law.
      •  Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement.
      •  Report to the NDDoH any use or disclosure of which it becomes aware not provided for by its data use agreement.
      •  Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to this information.
      •  Not identify the information or contact the individuals.
    •  Be signed and dated by the requestor, the appropriate NDDoH division director, and the NDDoH privacy officer.
  •  The proposed data use agreement will be sent to the requestor for review. The requestor must sign and date the agreement and return it to the NDDoH HIPAA coordinator.
  •  The appropriate NDDoH division director will be requested to review the data use agreement, sign and date.
  •  The NDDoH HIPAA coordinator will review the completed data use agreement, sign and date.
  •  A data use agreement number will be assigned to the data use agreement when the agreement has been finalized and all appropriate signatures have been obtained.
  •  A copy of the signed data use agreement will be given to the requestor and the appropriate NDDoH division. A copy will also be maintained by the HIPAA coordinator. The signed original will be forwarded by the HIPAA coordinator to the NDDoH Administrative Services Section. The original will be maintained by the NDDoH Administrative Services Section in a secure file.
  • Documentation of the information released (actual copies and/or database fields, etc.) is to be retained by the appropriate NDDoH division.
  •  If the NDDoH knows of a pattern of activity or practice of the limited data set recipient that constitutes a breach or violation of the data use agreement, the NDDoH will take reasonable steps to end the breach or violation, or the NDDoH will discontinue disclosure of protected health information to the recipient and report the problem to the Secretary of the U.S. Department of Health and Human Services (DHHS).
  •  A data use agreement also may be used in other situations as deemed necessary by the NDDoH HIPAA coordinator.

Privacy Board

(In relation to this section of the procedure, any reference to an IRB is to be considered an IRB from an organization outside of the NDDoH. The NDDoH IRB policies and procedures are not included in the NDDoH HIPAA policies.)

  • The NDDoH Privacy Board must:
    • Have NDDoH staff members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests.
    •  Include at least one member who is not affiliated with the NDDoH or with any entity conducting or sponsoring the research and not related to any person who is affiliated with any such entities.
    •  Not have any member participating in a review of any project in which the member has a conflict of interest.
  • The chair of the NDDoH Privacy Board is the HIPAA coordinator.
  •  Prior to the research, the NDDoH obtains representations from the researcher that:
    •  The use or disclosure of PHI is necessary to prepare a research protocol or for a preparatory purpose.
    •  No PHI is to be removed from the NDDoH by the researcher until approval is granted.
    •  The PHI requested is necessary for the research purposes.
  •  For a disclosure permitted based on documentation of approval of an alteration or waiver, the documentation (from the researcher if an IRB, or from the NDDoH if a privacy board) must include:
    •  Identification of the IRB or privacy board and the date on which the alteration or waiver of authorization was approved.
    •  A statement that the IRB or privacy board has determined that the alteration or waiver of authorization satisfies the following criteria:
      •  The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals based on:
        •  An adequate plan to protect the identifiers from improper use and disclosure.
        •  An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is health or research justification for retaining the identifiers or retention is required by law.
        •  Adequate written assurances that PHI will not be reused or disclosed to any other person or entity except as required by law, for authorized oversight of the research study or for other research for which the use or disclosure of PHI would be permitted.
      •  The research could not be conducted without the waiver or alteration.
      •  The research could not be conducted without access to and use of the PHI.
    •  A brief description of the PHI for which use or access has been determined to be necessary by the IRB and/or privacy board.
    •  A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures as follows:
      •  An IRB must follow the Common Rule as defined in the Federal Register.
      •  A privacy board must review the proposed research at meetings at which a majority of the privacy board members are present, including one member who is not affiliated with the NDDoH or with any entity conducting or sponsoring the research and not related to any person who is affiliated with any of those entities. The alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting unless the privacy board elects to use an expedited review procedure.
      • An expedited review procedure may be used if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the PHI for which use or disclosure is being sought. The review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board or by one or more members of the privacy board as designated by the chair.
    •  The documentation of the alteration or waiver of authorization must be signed by the chair or other member as designated by the chair of the IRB or the privacy board.

Definitions:

NDDoH – North Dakota Department of Health

Protected Health Information – Individually identifiable health information that is transmitted or maintained by electronic media or transmitted or maintained in any other form or medium

Individually Identifiable Health Information – Health information that includes demographic information which relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual and that identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual

Electronic Media – Electronic storage media, including memory devices in computers and any removable/transportable digital memory medium such as magnetic tape or disk, optical disk or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media includes the Internet, extranet, leased lines, dial-up lines, private networks and the physical movement of removable/transportable electronic storage media.

Research – Systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge

Public Health Authority – An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate

*North Dakota Department of Health HIPAA Policy, Release of Information, P-028.

Contacts:

Yun [Lucy] Zheng, MD, CTR
Co-Program Director
North Dakota Statewide Cancer Registry
Email: yun.zheng@med.und.edu

Or

Xudong Zhou, MD, CTR
Co-Program Director
North Dakota Statewide Cancer Registry
Email: xudong.zhou@med.und.edu

Or

Cristina Oancea, Ph.D.
Epidemiologist
North Dakota Statewide Cancer Registry
Email: cristina.oancea@med.und.edu
