For Researchers / Data Users
Introduction*
The North Dakota Statewide Cancer Registry (NDSCR) has the responsibility for the registry of cancer
information for the state of North Dakota. Confidentiality of data is maintained by NDSCR. All requests
purpose, the data needed to complete the study and any Institutional Review Board [IRB] information.
Depending upon the type of data needed, requests may be reviewed by the NDSCR Epidemiologist,
Registry Co-Program Directors, the NDSCR Advisory Committee, the North Dakota Department of Health
[NDDoH] HIPAA Privacy Office and/or the NDDoH IRB. The NDSCR and HIPAA Privacy Office have the
authority to deny a data request.
Procedure*
The NDDoH may release health information data as outlined below.
The NDDoH may disclose:
- Protected health information with the individual’s specific written authorization. Such authorization
must meet all the requirements described in the Authorizations Policy (P-004).
- De-identified health information.
- A limited data set with a data use agreement.
- Health information for research if the information is not de-identified or is not a limited data set,
with or without the individual’s authorization, if the NDDoH uses a data use agreement and obtains
documentation that an alteration to, or waiver of, the individual’s authorization has been approved
by:
o The NDDoH privacy board, or
o The NDDoH Institutional Review Board (IRB) if the research is in part conducted by an
NDDoH employee for the Department of Health.
- Decedents’ information with a data use agreement. No IRB or privacy board review is needed.
Consistent with the minimum necessary policy (P-012), the minimum necessary information will be
disclosed. In addition, for research on decedents’ information, the NDDoH will obtain:
o Representation from the researcher that the information sought is solely for research on the
PHI of decedents.
o Assurance that there will be no attempt to contact family members.
o Representation that the PHI requested is necessary for the research purpose.
o Documentation of the death of such individuals (if applicable).
- PHI when the NDDoH is operating as a public health authority. The NDDoH is authorized to disclose
individual information without authorization for the purpose of preventing or controlling disease,
injury or disability and to conduct a public health surveillance, investigation and intervention.
- Information to a known public health authority. If the public health authority status of an
organization is not known, the NDDoH will require a business associate agreement or data use
agreement to be completed. Dependent upon the reason for the request from a public health
authority, the NDDoH may require a business associate agreement or data use agreement be
completed prior to disclosure of PHI to another public health authority.
- Information without individual authorization to the extent that such disclosure is required or
permitted by law.
Any disclosures not consistent with this policy are a violation of NDDoH policies and procedures and
federal HIPAA regulations. Sanctions may be imposed consistent with the Workforce Sanctions policy
(P-027).
De-identified Health Information
- The NDDoH may disclose de-identified health information without the written authorization of the
individual when the health information does not identify an individual and there is no reasonable
basis to believe that the information can be used to identify an individual.
- The NDDoH will use reasonable discretion when disclosing de-identified health information. The
NDDoH may use protected health information to create information that is not individually
identifiable health information or disclose protected health information only to a business associate
to create the de-identified information.
- The NDDoH may determine that health information is not individually identifiable health
information (de-identified) if the following identifiers of the individual or of relatives, employers, or
household members of the individual are removed and if the NDDoH does not have knowledge that
the information could be used alone or in combination with other information to identify the
individual:
o Names
o All geographic subdivisions smaller than a state, including street address, city, county,
precinct, zip code, and their equivalent geocode, except for the initial three digits of a zip
code if, according to the current publicly available data from the Bureau of the Census:
√ The geographic unit formed by combining all zip codes with the same three initial
digits contains more than 20,000 people, and
√ The initial three digits of a zip code for all such geographic units containing 20,000
or fewer people are changed to 000.
o All elements of dates (except year) for dates directly related to an individual, including birth
date, admission date, discharge date, date of death, and all ages over 89 and all elements of
dates (including year) indicative of such age, except that such ages and elements may be
aggregated into a single category of age 90 or older
o Telephone numbers
o Fax numbers
o Electronic mail addresses
o Social security numbers
o Medical record numbers
o Health plan beneficiary numbers
o Account numbers
o Certificate/license numbers
o Vehicle identifiers and serial numbers, including license plate numbers
o Device identifiers and serial numbers
o Web Universal Resource Locators (URLs)
o Internet Protocol (IP) address numbers
o Biometric identifiers, including finger and voice prints
o Full face photographic images and any comparable images
o Any other unique identifying number, characteristic or code
- The NDDoH may also determine that health information is not individually identifiable health
information (de-identified) if:
o A person within the NDDoH who has appropriate knowledge and experience with statistical
and scientific principles and methods for rendering information not individually identifiable:
√ Determines that the risk is very small that the information could be used, alone or in
combination with other reasonably available information, by an anticipated
recipient to identify an individual who is a subject of the information.
√ Documents the methods and results of the analysis that justify such determination.
- The NDDoH may assign a code or other means of record identification to allow de-identified
information to be re-identified if:
o The code or other means of record identification is not derived from or related to
information about the individual and is not capable of being translated in order to identify
the individual.
o The code or other means is not used for any other purpose and does not disclose the
mechanism for re-identification.
- De-identified information disclosed via Internet access will be accompanied by a statement notifying
the user that:
o Linking the data to other data for the purpose of identifying individuals is prohibited.
o The user must report to the NDDoH any inadvertent discovery of the identity of any person.
o The user must make no use of the discovery.
o By using this data, the user signifies agreement to comply with the above statements.
Limited Data Sets
- The NDDoH may disclose protected health information (PHI) for research, public health or
healthcare operations without the written authorization of the individual if the information is a
limited data set and the NDDoH enters into a data use agreement with the limited data set
recipient.
- A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives,
employers or household members of the individual:
o Names
o Postal address information, other than town or city, county, state and zip code
o Telephone numbers
o Fax numbers
o Electronic mail addresses
o Social security numbers
o Medical record numbers
o Health plan beneficiary numbers
o Account numbers
o Certificate/license numbers
o Vehicle identifiers and serial numbers, including license plate numbers
o Device identifiers and serial numbers
o Web Universal Resource Locators (URLs)
o Internet Protocol (IP) address numbers
o Biometric identifiers, including finger and voice prints
o Full face photographic images and any comparable images
- The NDDoH may disclose a limited data set only if the NDDoH obtains satisfactory assurance, in the
form of a data use agreement, that the limited data set recipient will only use or disclose the PHI
for limited purposes.
Data use agreements
- All requests for data which require a data use agreement are to be sent to the NDDoH HIPAA
coordinator.
- A data use agreement between the NDDoH and the limited data set recipient must:
o Establish the permitted uses and disclosures of the information by the limited data set
recipient. The data use agreement may not authorize the limited data set recipient to use or
further disclose the information in a manner that would violate these requirements.
o Establish who is permitted to use or receive the limited data set.
o Provide that the limited data set recipient will:
√ Not use or further disclose the information other than as permitted by the data use
agreement or as otherwise required by law.
√ Use appropriate safeguards to prevent use or disclosure of the information other
than as provided for by the data use agreement.
√ Report to the NDDoH any use or disclosure of which it becomes aware not provided
for by its data use agreement.
√ Ensure that any agents to whom it provides the limited data set agree to the same
restrictions and conditions that apply to the limited data set recipient with respect
to this information.
√ Not identify the information or contact the individuals.
o Be signed and dated by the requestor, the appropriate NDDoH division director, and the
NDDoH privacy officer.
- The proposed data use agreement will be sent to the requestor for review. The requestor must sign
and date the agreement and return it to the NDDoH HIPAA coordinator.
- The appropriate NDDoH division director will be requested to review the data use agreement, sign
and date.
- The NDDoH HIPAA coordinator will review the completed data use agreement, sign and date.
- A data use agreement number will be assigned to the data use agreement when the agreement has
been finalized and all appropriate signatures have been obtained. A copy of the signed data use
agreement will be given to the requestor and the appropriate NDDoH division.
- A copy will also be maintained by the HIPAA coordinator. The signed original will be forwarded by
the HIPAA coordinator to the NDDoH Administrative Services Section. The original will be
maintained by the NDDoH Administrative Services Section in a secure file.
- Documentation of the information released (actual copies and/or database fields, etc.) is to be
retained by the appropriate NDDoH division.
- If the NDDoH knows of a pattern of activity or practice of the limited data set recipient that
constitutes a breach or violation of the data use agreement, the NDDoH will take reasonable steps
to end the breach or violation, or the NDDoH will discontinue disclosure of protected health
information to the recipient and report the problem to the Secretary of the U.S. Department of
Health and Human Services (DHHS).
- A data use agreement also may be used in other situations as deemed necessary by the NDDoH
HIPAA coordinator.
Privacy Board
(In relation to this section of the procedure, any reference to an IRB is to be considered an IRB from an
organization outside of the NDDoH. The NDDoH IRB policies and procedures are not included in the
NDDoH HIPAA policies.)
- The NDDoH Privacy Board must:
o Have NDDoH staff members with varying backgrounds and appropriate professional
competency as necessary to review the effect of the research protocol on the individual’s
privacy rights and related interests.
o Include at least one member who is not affiliated with the NDDoH or with any entity
conducting or sponsoring the research and not related to any person who is affiliated with
any such entities.
o Not have any member participating in a review of any project in which the member has a
conflict of interest.
- The chair of the NDDoH Privacy Board is the HIPAA coordinator.
- Prior to the research, the NDDoH obtains representations from the researcher that:
o The use or disclosure of PHI is necessary to prepare a research protocol or preparatory
purpose.
o No PHI is to be removed from the NDDoH by the researcher until approval is granted.
o The PHI requested is necessary for the research purposes.
- For a disclosure permitted based on documentation of approval of an alteration or waiver, the
documentation (from the researcher if an IRB, or from the NDDoH if a privacy board) must include:
o Identification of the IRB or privacy board and the date on which the alteration or waiver of
authorization was approved.
o A statement that the IRB or privacy board has determined that the alteration or waiver of
authorization satisfies the following criteria:
√ The use or disclosure of PHI involves no more than a minimal risk to the privacy of
individuals based on:
♦ An adequate plan to protect the identifiers from improper use and
disclosure.
♦ An adequate plan to destroy the identifiers at the earliest opportunity
consistent with conduct of the research, unless there is health or research
justification for retaining the identifiers or retention is required by law.
♦ Adequate written assurances that PHI will not be reused or disclosed to any
other person or entity except as required by law, for authorized oversight of
the research study or for other research for which the use or disclosure of
PHI would be permitted.
√ The research could not be conducted without the waiver or alteration.
√ The research could not be conducted without access to and use of the PHI.
o A brief description of the PHI for which use or access has been determined to be necessary
by the IRB and/or privacy board.
o A statement that the alteration or waiver of authorization has been reviewed and approved
under either normal or expedited review procedures as follows:
√ An IRB must follow the Common Rule as defined in the Federal Register.
√ A privacy board must review the proposed research at meetings at which a majority
of the privacy board members are present, including one member who is not
affiliated with the NDDoH or with any entity conducting or sponsoring the research
and not related to any person who is affiliated with any of those entities. The
alteration or waiver of authorization must be approved by the majority of the
privacy board members present at the meeting unless the privacy board elects to
use an expedited review procedure.
√ An expedited review procedure may be used if the research involves no more than
minimal risk to the privacy of the individuals who are the subject of the PHI for
which use or disclosure is being sought. The review and approval of the alteration or
waiver of authorization may be carried out by the chair of the privacy board or by
one or more members of the privacy board as designated by the chair.
o The documentation of the alteration or waiver of authorization must be signed by the chair
or other member as designated by the chair of the IRB or the privacy board.
Definitions:
NDDoH – North Dakota Department of Health
Protected Health Information – Individually identifiable health information that is transmitted or
maintained by electronic media or transmitted or maintained in any other form or medium.
Individually Identifiable Health Information – Health information that includes demographic
information which relates to the past, present or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past, present or future payment for
the provision of health care to an individual and that identifies the individual or there is a reasonable
basis to believe the information can be used to identify the individual.
Electronic Media – Electronic storage media, including memory devices in computers and any
removable/transportable digital memory medium such as magnetic tape or disk, optical disk or
digital memory card; or transmission media used to exchange information already in electronic
storage media. Transmission media includes the Internet, extranet, leased lines, dial-up lines,
private networks and the physical movement of removable/transportable electronic storage media.
Research – Systematic investigation, including research development, testing and evaluation,
designed to develop or contribute to generalizable knowledge.
Public Health Authority – An agency or authority of the United States, a state, a territory, a political
subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of
authority from or contract with such public agency, including the employees or agents of such public
agency or its contractors or individuals or entities to whom it has granted authority, that is
responsible for public health matters as part of its official mandate.
*North Dakota Department of Health HIPAA Policy, Release of Information, P-028.
Note: For additional information regarding the data request document and the IRB request form,
please check the “Downloads” link from the NDSCR website.
Contacts:
Yun [Lucy] Zheng, MB, CTR
Co-Program Director
North Dakota Statewide Cancer Registry
Or
Xudong Zhou, MB, CTR
Co-Program Director
North Dakota Statewide Cancer Registry
Or
Cristina Oancea, MS, MS, Ph.D.
Epidemiologist
North Dakota Statewide Cancer Registry