A “limited data set” is a limited set of identifiable patient information as defined in the Privacy Regulations issued under the Health Insurance Portability and Accountability Act, better known as “HIPAA”. A “limited data set” of information may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health or health care operations. Second, the person receiving the information must sign a data use agreement with Hopkins. This agreement has specific requirements which are discussed below.
A “limited data set” is information from which “facial” identifiers have been removed. Specifically, as it relates to the individual or his or her relatives, employers or household members, all the following identifiers must be removed in order for health information to be a “limited data set”:
- street addresses (other than town, city, state and zip code);
- telephone numbers;
- fax numbers;
- e-mail addresses;
- Social Security numbers;
- medical records numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plates;
- device identifiers and serial numbers;
- IP address numbers;
- biometric identifiers (including finger and voice prints); and
- full face photos (or comparable images).
The health information that may remain in the information disclosed includes:
- dates such as admission, discharge and service dates, date of birth (DOB) and date of death (DOD);
- city, state, and five-digit or longer zip code; and
- ages in years, months, days or hours.
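As an added illustration (not Hopkins' own code or tooling), the filter below turns a full patient record into a limited data set using the two lists above: it keeps only an explicit allow-list of permitted fields and drops everything else, and it scans any retained free-text field for identifier-like values (SSN, e-mail, telephone, IP address) that could otherwise slip through inside a note. The column names and the sample record are assumptions constructed for the example; the regular expressions are deliberately simple and are not a complete identifier detector.

```python
import re
from dataclasses import dataclass, field

# Assumed column names for a hypothetical export; they are not from the page
# or from any real Hopkins system. Anything not listed here is dropped.
PERMITTED_FIELDS = {
    "admission_date", "discharge_date", "service_date",
    "date_of_birth", "date_of_death",
    "city", "state", "zip_code",
    "age_years", "age_months", "age_days", "age_hours",
    "diagnosis", "procedure", "lab_result",  # clinical content (assumed names)
}

# Facial identifiers that can leak inside a retained free-text field.
# Constructed patterns; deliberately narrow so dates such as 2023-01-15
# (4-2-2 digits) do not trigger the telephone or SSN checks.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class LdsResult:
    record: dict                                  # fields that survived the filter
    dropped: list = field(default_factory=list)   # field names removed
    leaks: list = field(default_factory=list)     # (field, identifier kind) found in text


def to_limited_data_set(source: dict) -> LdsResult:
    """Deny-by-default filter: keep only permitted fields, then scan the
    retained string values for identifier-like patterns."""
    result = LdsResult(record={})
    for name, value in source.items():
        if name not in PERMITTED_FIELDS:
            result.dropped.append(name)
            continue
        if isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    result.leaks.append((name, label))
        result.record[name] = value
    return result


def is_releasable(result: LdsResult) -> bool:
    """A record is releasable under a data use agreement only if no facial
    identifier was detected in the fields that remain."""
    return not result.leaks


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "mrn": "0001234",
    "email": "pat@example.org",
    "street_address": "1 Example St",
    "zip_code": "21287",
    "city": "Baltimore",
    "state": "MD",
    "admission_date": "2023-01-15",
    "age_years": 54,
    "diagnosis": "Hypertension; callback 410-555-0100",
}

if __name__ == "__main__":
    res = to_limited_data_set(SAMPLE_RECORD)
    print("kept:", sorted(res.record))
    print("dropped:", res.dropped)
    print("leaks:", res.leaks)
    print("releasable:", is_releasable(res))
```

The sample record is rejected because the diagnosis note carries a telephone number, which shows why a field-level allow-list alone is not enough. Note that a record that passes this filter is still PHI, as the text above states: it is a limited data set, not de-identified data, and may only leave the covered entity under a signed data use agreement.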
It is important to note that this information is still protected health information or “PHI” under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
Data Use Agreements
Because a “limited data set” is still PHI, the Privacy Regulations contemplate that the privacy of individuals will be protected by requiring covered entities (Hopkins) to enter into data use agreements with recipients of “limited data sets”. The data use agreement must meet standards specified in the Privacy Regulations. A data use agreement must:
- establish the permitted uses and disclosures of the limited data set;
- identify who may use or receive the information;
- prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
- require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
- require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
- require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement; and
- prohibit the recipient from identifying the information or contacting the individuals.
The “limited data set” provisions also require covered entities to take reasonable steps to cure any breach by a recipient of the data use agreement. That is, if Hopkins determines that data provided to a recipient is being used in a manner not permitted by the agreement, it must work with the recipient to correct this problem. If these steps are unsuccessful, Hopkins would have to discontinue disclosure of PHI to the recipient under the data use agreement and report the problem to the Department of Health and Human Services (“DHHS”).
Creating the Limited Data Set
A covered entity (Hopkins) may use a member of its own workforce to create the “limited data set”. DHHS also has indicated that a covered entity may allow a person requesting a “limited data set” to create it, so long as the person is acting as a business associate of the covered entity. A business associate is someone who is not part of the covered entity’s workforce but who will use the covered entity’s PHI to perform some task on behalf of the covered entity. (Examples of business associates are lawyers, accountants, firms that analyze patient data, etc.) The covered entity (Hopkins) must enter into a separate business associate agreement with the entity, and the agreement must meet the requirements of the Privacy Regulations. Once the limited data set is created under the business associate agreement, all of the PHI, other than the PHI qualifying as the limited data set under the data use agreement, must be returned to the covered entity.
Thus, it is possible that someone at the recipient will act as the covered entity’s business associate to create the “limited data set” from a broader set of PHI. In such a case, the recipient will need to sign both the data use agreement and the business associate agreement.
Responsibility for Data Use Agreements
A. When Johns Hopkins is the provider of the data:
Hopkins has drafted a data use agreement form document for use by those who wish to disclose a “limited data set” to recipients. This template may be accessed at HIPAA IRB Form 9. When Johns Hopkins is providing the limited data set, if any material change is to be made to this Johns Hopkins template form, or if another party’s version of a data use agreement is to be used, the Johns Hopkins HIPAA Office must review and approve the terms of the agreement. See HIPAA Policy template A.9.1 (at http://www.insidehopkinsmedicine.org/hipaa/Policies/A_9_1.doc). The HIPAA Office may be contacted at 410-735-6509 or at firstname.lastname@example.org.
B. When Johns Hopkins is the recipient of the data:
If a Johns Hopkins researcher is the recipient of a limited data set of PHI from a non-Johns Hopkins source, the Johns Hopkins researcher most likely will be asked to sign the other party’s Data Use Agreement. In that instance, the Johns Hopkins researcher is responsible for reviewing the Data Use Agreement and determining whether it complies in material terms with the Johns Hopkins Data Use Agreement template. If the other party’s Data Use Agreement differs materially from the Johns Hopkins Data Use Agreement template, or if there is any uncertainty, the Johns Hopkins HIPAA Office must be consulted.
Disclosures of a “limited data set” are not subject to the HIPAA tracking/accounting requirements. The rationale appears to be that the marginal increase in privacy protections that such an accounting would provide is outweighed by its burdens. DHHS has taken the position that the privacy of individuals with respect to PHI disclosed in a “limited data set” can be adequately protected through a signed data use agreement.