Alert: The Plaza Building will remain closed through Jan. 20, 2025.

Learn More

Data Sharing

As impacted by the Health Insurance Portability and Accountability Act

What kind of data/information are you wanting to obtain or share? When the information is about living people, the HIPAA regulations come into effect.

Before you begin your research project, determine what pieces of information about living people, or their cells or tissues that you will need to include in data you obtain, receive or store.

See the information below in chart form:

Data Sharing Flow Chart

Information from which all of the 18 "identifiers" have been removed.

De-identified information is not subject to HIPAA. Proceed to freely share any de-identified data.

Please note that number 18 opens the possibility to other information, which can sometimes be subjective, and has some implications with respect to research. Please contact the Privacy Officer for assistance in determining category of additional information not clearly named in the list of identifiers.

An LDS is described as health information that excludes certain direct identifiers​ but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers.

The direct identifiers listed in the Privacy Rule's limited data set provisions apply both to information about the individual and to information about the individual's relatives, employers, or household members.

Use of a limited data set​ requires completion of a Data Use Agreement (DUA) prior to beginning the research project.

Protected health information is identifiable if it includes any of certain identifiers, or if it includes information from which a determined person would be able to figure out an identity. Using any PHI in research requires careful technical and physical protections.

If the PHI is obtained internally, through collection of information within the lab doing the research, the information must be protected from inadvertent access by an untrained, and/or unauthorized individual. (See protection guidelines​)

IF the PHI is to be obtained from, or to be shared with, an entity external to the lab doing the research, completion of a Business Associate Agreement (BAA), prior to beginning the research project, is required.

To be sure of your process, use the "BAA Decision Tree"​​

Data Sharing Request Form


The data sharing request online form should be used for the submission of data-related requests. Upon submission of the form, the Office of Regulatory Compliance will automatically be notified of your request and someone will be in touch with you soon.

Please direct any separate communications regarding data sharing requests/agreement to reg.compliance@CUAnschutz.edu.

HIPAA Contacts


CMS Login