For Researchers / Data Users

    Introduction*

    The North Dakota Statewide Cancer Registry (NDSCR) has the responsibility for the registry of cancer
    information for the state of North Dakota. Confidentiality of data is maintained by NDSCR. All requests
    for data must be in writing (NDSCR Data Request Form) and include the summary research protocol or
    purpose, the data needed to complete the study and any Institutional Review Board [IRB] information.
    Depending upon the type of data needed, requests may be reviewed by the NDSCR Epidemiologist,
    Registry Co-Program Directors, the NDSCR Advisory Committee, the North Dakota Department of Health
    [NDDoH] HIPAA Privacy Office and/or the NDDoH IRB. The NDSCR and HIPAA Privacy Office have the
    authority to deny a data request.

    Procedure*

    The NDDoH may release health information data as outlined below.
    The NDDoH may disclose:
  • Protected health information with the individual’s specific written authorization. Such authorization
     must meet all the requirements described in the Authorizations Policy (P-004).
  • De-identified health information.
  • A limited data set with a data use agreement.
  • Health information for research if the information is not de-identified or is not a limited data set,
     with or without the individual’s authorization, if the NDDoH uses a data use agreement and obtains
     documentation that an alteration to, or waiver of, the individual’s authorization has been approved
     by:
          o The NDDoH privacy board, or
          o The NDDoH Institutional Review Board (IRB) if the research is in part conducted by an
     NDDoH employee for the Department of Health.
  • Decedents’ information with a data use agreement. No IRB or privacy board review is needed.
     Consistent with the minimum necessary policy (P-012), the minimum necessary information will be
     disclosed. In addition, for research on decedents’ information, the NDDoH will obtain:
          o Representation from the researcher that the information sought is solely for research on the
     PHI of decedents.
          o Assurance that there will be no attempt to contact family members.
          o Representation that the PHI requested is necessary for the research purpose.
          o Documentation of the death of such individuals (if applicable).
  • PHI when the NDDoH is operating as a public health authority. The NDDoH is authorized to disclose
     individual information without authorization for the purpose of preventing or controlling disease,
     injury or disability and to conduct a public health surveillance, investigation and intervention.
  • Information to a known public health authority. If the public health authority status of an
     organization is not known, the NDDoH will require a business associate agreement or data use
     agreement to be completed. Dependent upon the reason for the request from a public health
     authority, the NDDoH may require a business associate agreement or data use agreement be
     completed prior to disclosure of PHI to another public health authority.
  • Information without individual authorization to the extent that such disclosure is required or
     permitted by law.
     Any disclosures not consistent with this policy are a violation of NDDoH policies and procedures and
     federal HIPAA regulations. Sanctions may be imposed consistent with the Workforce Sanctions policy
     (P-027).

    De-identified Health Information

  • The NDDoH may disclose de-identified health information without the written authorization of the
     individual when the health information does not identify an individual and there is no reasonable
     basis to believe that the information can be used to identify an individual.
  • The NDDoH will use reasonable discretion when disclosing de-identified health information. The
     NDDoH may use protected health information to create information that is not individually
     identifiable health information or disclose protected health information only to a business associate
     to create the de-identified information.
  • The NDDoH may determine that health information is not individually identifiable health
     information (de-identified) if the following identifiers of the individual or of relatives, employers, or
     household members of the individual are removed and if the NDDoH does not have knowledge that
     the information could be used alone or in combination with other information to identify the  
     individual:
          o Names
          o All geographic subdivisions smaller than a state, including street address, city, county,
          precinct, zip code, and their equivalent geocode, except for the initial three digits of a zip
          code if, according to the current publicly available data from the Bureau of the Census:
                  The geographic unit formed by combining all zip codes with the same three initial
                   digits contains more than 20,000 people, and
                The initial three digits of a zip code for all such geographic units containing 20,000
                  or fewer people are changed to 000.
          o All elements of dates (except year) for dates directly related to an individual, including birth
          date, admission date, discharge date, date of death, and all ages over 89 and all elements of
          dates (including year) indicative of such age, except that such ages and elements may be
          aggregated into a single category of age 90 or older
          o Telephone numbers
          o Fax numbers
          o Electronic mail addresses
          o Social security numbers
          o Medical record numbers
          o Health plan beneficiary numbers
          o Account numbers
          o Certificate/license numbers
          o Vehicle identifiers and serial numbers, including license plate numbers
          o Device identifiers and serial numbers
          o Web Universal Resource Locators (URLs)
          o Internet Protocol (IP) address numbers
          o Biometric identifiers, including finger and voice prints
          o Full face photographic images and any comparable images
          o Any other unique identifying number, characteristic or code
  • The NDDoH may also determine that health information is not individually identifiable health
        information (de-identified) if:
          o A person within the NDDoH who has appropriate knowledge and experience with statistical
            and scientific principles and methods for rendering information not individually identifiable:
                Determines that the risk is very small that the information could be used, alone or in
                  combination with other reasonably available information, by an anticipated
                  recipient to identify an individual who is a subject of the information.
                Documents the methods and results of the analysis that justify such determination.
  • The NDDoH may assign a code or other means of record identification to allow de-identified
        information to be re-identified if:
          o The code or other means of record identification is not derived from or related to
             information about the individual and is not capable of being translated in order to identify
             the individual.
          o The code or other means is not used for any other purpose and does not disclose the
             mechanism for re-identification.
  • De-identified information disclosed via Internet access will be accompanied by a statement notifying
        the user that:
          o Linking the data to other data for the purpose of identifying individuals is prohibited.
          o The user must report to the NDDoH any inadvertent discovery of the identity of any person.
          o The user must make no use of the discovery.
          o By using this data, the user signifies agreement to comply with the above statements.
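
    The identifier-removal rules and the re-identification code requirement above, sketched as an added example (not NDDoH or NDSCR code). The column names, the ZIP3 population table and the sample record are constructed for illustration.

```python
import secrets
from datetime import date

# Hypothetical column names for the identifiers the policy lists for removal.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
}
# Dates tied to the individual are reduced to the year.
DATE_FIELDS = {"admission_date": "admission_year", "date_of_death": "death_year"}
# Constructed ZIP3 populations, NOT Census figures.
ZIP3_POPULATION = {"581": 250_000, "583": 12_000}


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that ZIP3 area has more than 20,000 people."""
    zip3 = str(zip_code)[:3]
    # Areas missing from the table are treated as small (fail closed to 000).
    return zip3 if populations.get(zip3, 0) > 20_000 else "000"


def deidentify(record, as_of, crosswalk):
    """Return a de-identified copy of record; the re-identification link goes in crosswalk."""
    dropped = DIRECT_IDENTIFIERS | set(DATE_FIELDS) | {"zip", "birth_date"}
    out = {k: v for k, v in record.items() if k not in dropped}
    out["zip3"] = generalize_zip(record["zip"])

    born = record["birth_date"]
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age > 89:
        out["age"] = "90+"  # single category; birth year would reveal the age, so it is omitted
    else:
        out["age"], out["birth_year"] = age, born.year

    for field, year_field in DATE_FIELDS.items():
        if record.get(field) is not None:
            out[year_field] = record[field].year

    # Random code: not derived from the SSN, record number or any attribute of the person.
    code = secrets.token_hex(16)
    crosswalk[code] = record["medical_record_number"]  # kept by the data holder, never released
    out["record_code"] = code
    return out


# Constructed sample record (no real person).
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "medical_record_number": "MRN-0001",
    "zip": "58301", "birth_date": date(1930, 5, 1), "admission_date": date(2023, 11, 2),
    "diagnosis": "C50.9",
}

if __name__ == "__main__":
    links = {}
    print(deidentify(SAMPLE, date(2024, 1, 15), links))
```

    Dropping named columns does not cover identifiers embedded in free-text fields or the catch-all for any other unique identifying number, characteristic or code; those need separate review.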

    Limited Data Sets

  • The NDDoH may disclose protected health information (PHI) for research, public health or
        healthcare operations without the written authorization of the individual if the information is a
        limited data set and the NDDoH enters into a data use agreement with the limited data set
        recipient.
  • A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives,
        employers or household members of the individual:
          o Names
          o Postal address information, other than town or city, county, state and zip code
          o Telephone numbers
          o Fax numbers
          o Electronic mail addresses
          o Social security numbers
          o Medical record numbers
          o Health plan beneficiary numbers
          o Account numbers
          o Certificate/license numbers
          o Vehicle identifiers and serial numbers, including license plate numbers
          o Device identifiers and serial numbers
          o Web Universal Resource Locators (URLs)
          o Internet Protocol (IP) address numbers
          o Biometric identifiers, including finger and voice prints
          o Full face photographic images and any comparable images
  • The NDDoH may disclose a limited data set only if the NDDoH obtains satisfactory assurance, in the
        form of a data use agreement, that the limited data set recipient will only use or disclose the PHI
        for limited purposes.

    Data use agreements

  • All requests for data which require a data use agreement are to be sent to the NDDoH HIPAA
        coordinator.
  • A data use agreement between the NDDoH and the limited data set recipient must:
          o Establish the permitted uses and disclosures of the information by the limited data set
             recipient. The data use agreement may not authorize the limited data set recipient to use or
             further disclose the information in a manner that would violate these requirements.
          o Establish who is permitted to use or receive the limited data set.
          o Provide that the limited data set recipient will:
                Not use or further disclose the information other than as permitted by the data use
                  agreement or as otherwise required by law.
                Use appropriate safeguards to prevent use or disclosure of the information other
                   than as provided for by the data use agreement.
                Report to the NDDoH any use or disclosure of which it becomes aware not provided
                  for by its data use agreement.
                Ensure that any agents to whom it provides the limited data set agree to the same
                  restrictions and conditions that apply to the limited data set recipient with respect
                  to this information.
                Not identify the information or contact the individuals.
          o Be signed and dated by the requestor, the appropriate NDDoH division director, and the
             NDDoH privacy officer.
  • The proposed data use agreement will be sent to the requestor for review. The requestor must sign
        and date the agreement and return it to the NDDoH HIPAA coordinator.
  • The appropriate NDDoH division director will be requested to review the data use agreement, sign
        and date.
  • The NDDoH HIPAA coordinator will review the completed data use agreement, sign and date.
  • A data use agreement number will be assigned to the data use agreement when the agreement has
        been finalized and all appropriate signatures have been obtained. A copy of the signed data use
        agreement will be given to the requestor and the appropriate NDDoH division.
  • A copy will also be maintained by the HIPAA coordinator. The signed original will be forwarded by
        the HIPAA coordinator to the NDDoH Administrative Services Section. The original will be
        maintained by the NDDoH Administrative Services Section in a secure file.
  • Documentation of the information released (actual copies and/or database fields, etc.) is to be
        retained by the appropriate NDDoH division.
  • If the NDDoH knows of a pattern of activity or practice of the limited data set recipient that
        constitutes a breach or violation of the data use agreement, the NDDoH will take reasonable steps
        to end the breach or violation, or the NDDoH will discontinue disclosure of protected health
        information to the recipient and report the problem to the Secretary of the U.S. Department of
        Health and Human Services (DHHS).
  • A data use agreement also may be used in other situations as deemed necessary by the NDDoH
        HIPAA coordinator.

    Privacy Board

    (In relation to this section of the procedure, any reference to an IRB is to be considered an IRB from an
    organization outside of the NDDoH. The NDDoH IRB policies and procedures are not included in the
    NDDoH HIPAA policies.)
  • The NDDoH Privacy Board must:
          o Have NDDoH staff members with varying backgrounds and appropriate professional
            competency as necessary to review the effect of the research protocol on the individual’s
            privacy rights and related interests.
          o Include at least one member who is not affiliated with the NDDoH or with any entity
            conducting or sponsoring the research and not related to any person who is affiliated with
            any such entities.
          o Not have any member participating in a review of any project in which the member has a
             conflict of interest.
  • The chair of the NDDoH Privacy Board is the HIPAA coordinator.
  • Prior to the research, the NDDoH obtains representations from the researcher that:
          o The use or disclosure of PHI is necessary to prepare a research protocol or preparatory
             purpose.
          o No PHI is to be removed from the NDDoH by the researcher until approval is granted.
          o The PHI requested is necessary for the research purposes.
  • For a disclosure permitted based on documentation of approval of an alteration or waiver, the
        documentation (from the researcher if an IRB, or from the NDDoH if a privacy board) must include:
          o Identification of the IRB or privacy board and the date on which the alteration or waiver of
            authorization was approved.
          o A statement that the IRB or privacy board has determined that the alteration or waiver of
            authorization satisfies the following criteria:
                The use or disclosure of PHI involves no more than a minimal risk to the privacy of
                   individuals based on:
                  An adequate plan to protect the identifiers from improper use and
                  disclosure.
                  An adequate plan to destroy the identifiers at the earliest opportunity
                     consistent with conduct of the research, unless there is health or research
                     justification for retaining the identifiers or retention is required by law.
                  Adequate written assurances that PHI will not be reused or disclosed to any
                     other person or entity except as required by law, for authorized oversight of
                     the research study or for other research for which the use or disclosure of
                     PHI would be permitted.
                The research could not be conducted without the waiver or alteration.
                The research could not be conducted without access to and use of the PHI.
          o A brief description of the PHI for which use or access has been determined to be necessary
             by the IRB and/or privacy board.
          o A statement that the alteration or waiver of authorization has been reviewed and approved
            under either normal or expedited review procedures as follows:
                An IRB must follow the Common Rule as defined in the Federal Register.
                A privacy board must review the proposed research at meetings at which a majority
                  of the privacy board members are present, including one member who is not
                  affiliated with the NDDoH or with any entity conducting or sponsoring the research
                  and not related to any person who is affiliated with any of those entities. The
                  alteration or waiver of authorization must be approved by the majority of the
                  privacy board members present at the meeting unless the privacy board elects to
                  use an expedited review procedure.
                An expedited review procedure may be used if the research involves no more than
                  minimal risk to the privacy of the individuals who are the subject of the PHI for
                  which use or disclosure is being sought. The review and approval of the alteration or
                  waiver of authorization may be carried out by the chair of the privacy board or by
                  one or more members of the privacy board as designated by the chair.
          o The documentation of the alteration or waiver of authorization must be signed by the chair
             or other member as designated by the chair of the IRB or the privacy board.

    Definitions:

     NDDoH – North Dakota Department of Health

     Protected Health Information – Individually identifiable health information that is transmitted or
     maintained by electronic media or transmitted or maintained in any other form or medium.

     Individually Identifiable Health Information – Health information that includes demographic
     information which relates to the past, present or future physical or mental health or condition of an
     individual; the provision of health care to an individual; or the past, present or future payment for
     the provision of health care to an individual and that identifies the individual or there is a reasonable
     basis to believe the information can be used to identify the individual.

     Electronic Media – Electronic storage media, including memory devices in computers and any
     removable/transportable digital memory medium such as magnetic tape or disk, optical disk or
     digital memory card; or transmission media used to exchange information already in electronic
     storage media. Transmission media includes the Internet, extranet, leased lines, dial-up lines,
     private networks and the physical movement of removable/transportable electronic storage media.

     Research – Systematic investigation, including research development, testing and evaluation,
     designed to develop or contribute to generalizable knowledge.

     Public Health Authority – An agency or authority of the United States, a state, a territory, a political
     subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of
     authority from or contract with such public agency, including the employees or agents of such public
     agency or its contractors or individuals or entities to whom it has granted authority, that is
     responsible for public health matters as part of its official mandate.

    *North Dakota Department of Health HIPAA Policy, Release of Information, P-028.

    Note: For additional information regarding the data request document and the IRB request form,
    please check the “Downloads” link from the NDSCR website.

    Contacts:

    Yun [Lucy] Zheng, MB, CTR
    Co-Program Director
    North Dakota Statewide Cancer Registry
    Email: yun.zeng@und.edu

    Or

    Xudong Zhou, MB, CTR
    Co-Program Director
    North Dakota Statewide Cancer Registry
    Email: xudong.zhou@und.edu

    Or

    Cristina Oancea, MS, MS, Ph.D.
    Epidemiologist
    North Dakota Statewide Cancer Registry
    Email: cristina.oancea@und.edu