HIPAA Limited Data Set
REG12.60.21 Current Version
History: Effective: January 8, 2004; September 19, 2013
Revised: September 18, 2013
Related Policies: Minimum Necessary Uses/Disclosures of PHI
Additional Resources: 45 CFR 164 Subpart E - Privacy of Individually Identifiable Health Information
Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,"78 Federal Register 17 (25 January 2013), pp. 5566-5702
ECU Healthcare Components
Contact Information: ECU HIPAA Privacy Office, 252-744-5200
1.1. To provide guidance to East Carolina University,s Health Care Components (,ECU Health Care Components,) on defining a Limited Data Set, when a Limited Data Set may be Used or Disclosed, and under what circumstances a Data Use Agreement is required for the Use, Disclosure of, or request for a Limited Data Set.
2.1. Covered Entity means a health plan, health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
2.2. Data Use Agreement is an agreement between a Covered Entity and a person or entity that receive a Limited Data Set. The agreement must state that the recipient will only Use or Disclose the information in the Limited Data Set for specific limited purposes.
2.3. Disclosure means the release, transfer, provision of access to, or divulging in any manner of any information outside ECU,s Health Care Components.
2.4. Health Care Operations generally means:
2.4.1. Conducting quality assessment and improvement activities, reviewing the qualifications and performance of health care professionals, conducting training programs, accreditation, certification, licensing and credentialing activities;
2.4.2. Conducting or arranging for medical review, audits, and legal services; and
2.4.3. Business development, planning and management, cost management, and general administrative activities.
2.5. Limited Data Set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
2.5.1. (1) Names; (2) postal address information other than town or city, state, and zip code; (3) telephone numbers; (4) fax numbers; (5) email addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license numbers; (11) vehicle identifiers and serial numbers, including license plate numbers; (12) device identifiers and serial numbers; (13) web URLs; (14) IP address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any other comparable images
2.5.2. A Limited Data Set may include: (1) zip codes; (2) geographical codes; (3) dates of birth and other date information, i.e., date of service; and (4) any other code not specified in 1-16 above.
2.6. Minimum Necessary means limiting the PHI used, Disclosed or requested to the amount reasonably necessary to accomplish the intended purpose of the Use, Disclosure or request .
2.7. Protected Health Information means:
2.7.1. Individually identifiable information, that is a subset of health information, including demographic information collected from an individual, and:
188.8.131.52. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
184.108.40.206. relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject; or the past, present, or future payment for the provision of health care to a subject; and
220.127.116.11.1. That identifies the subject; or
18.104.22.168.2. With respect to which there is reasonable basis to believe the information can be used to identify the individual.
2.7.2. PHI can be:
22.214.171.124. Transmitted by electronic media;
126.96.36.199. Maintained in electronic media; or
188.8.131.52. Transmitted or maintained in any other form or medium.
2.7.3. PHI excludes individually identifiable information that is
184.108.40.206. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20. U.S.C. 1232g;
220.127.116.11. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
18.104.22.168. In employment records held by a covered entity in its role as employer; and
22.214.171.124. Regarding a person who has been deceased for more than 50 years.
2.8. Research is a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
2.9. Use means the sharing, employment, application, utilization, examination, or analysis of information within ECU,s Health Care Components.
2.10. Workforce means employees, volunteers, trainees, learners, faculty, students and other persons whose conduct in the performance of work for an ECU Health Care Component, is under the direct control of such ECU Health Care Component, whether or not they are paid by the ECU Health Care Component.
3.1. East Carolina University,s Health Care Components (,ECU,'s Health Care Components,) may use, disclose or request a Limited Data Set when more information than is included in de-identified information is needed to accomplish one or more of the following limited purposes:
3.1.1. Health Care Operations (excluding disclosures for operations as part of ECU,s Health Care Components participation in an Organized Health Care Arrangement with Vidant Medical Center and uses associated with operations by permitted access levels to protected health information (,PHI,));
3.1.2. Research; and
3.1.3. Public health.
3.2. The Limited Data Set will be Used, Disclosed or requested for the purposes of this section only after a properly executed Data Use Agreement is obtained. The Data Use Agreement must fully justify the use of the Limited Data Set including why de-identified information may not serve the stated purpose.
3.3. Further, under Section 13405(b) of HITECH and until the U.S. Department of Health and Human Services publishes guidance, ECU Health Care Components will be treated as compliant with the Minimum Necessary standard if the ECU Health Care Component, to the extent practicable, Uses, Discloses or requests a Limited Data Set in lieu of PHI when such PHI is permitted to be used, disclosed or requested unless the ECU Health Care Component has determined that a Limited Data Set is not sufficient to accomplish the purpose of the Use, Disclosure or request. Under this paragraph 3.3, a Data Use Agreement is not required to Use, Disclose or request a Limited Data Set.
4.1. Health Care Operations
4.1.1. Use , A request for PHI to facilitate a Use in Health Care Operations by an ECU Health Care Component Workforce member will be restricted to a Limited Data Set unless it is determined by the Privacy Officer that a Limited Data Set is not sufficient to accomplish the Health Care operations activity.
126.96.36.199. If the Limited Data Set is not sufficient, Use the Minimum Necessary PHI to accomplish this purpose.
188.8.131.52. If the Privacy Officer determines that a Limited Data Set is sufficient to accomplish the Health Care Operations activity, then the ECU HIPAA Privacy Officer may sign Data Use Agreements for Uses regarding health care operations.
4.1.2. Disclosure - A request for PHI to facilitate the health care operations of another Covered Entity will be reviewed by the ECU HIPAA Privacy Officer.
184.108.40.206. The determination will be made as follows:
220.127.116.11.1. Does the requesting Covered Entity have a present or past relationship with the individual who is subject of the PHI being requested?
18.104.22.168.1.1. If no, continue to paragraph 22.214.171.124.
126.96.36.199.1.2. If yes, continue to paragraph 188.8.131.52.2.
184.108.40.206.2. Doe the PHI requested pertain to that relationship?
220.127.116.11.2.1. If no, continue to paragraph 18.104.22.168.
22.214.171.124.2.2. If yes, then continue to paragraph 126.96.36.199.3.
188.8.131.52.3. Is the purpose of the disclosure for the purposes in paragraph 2.4.1 and 2.4.2 above?
184.108.40.206.3.1. If yes, then disclose a Limited Data Set unless it is determined by the Privacy Officer that a Limited Data Set is not sufficient to accomplish the Health Care Operations activity.
220.127.116.11.3.1.1. If the Limited Data Set is not sufficient, disclose the Minimum Necessary PHI to accomplish this purpose.
18.104.22.168. If the request for PHI for Healthcare Operations purposes is to a Covered Entity that has not had a relationship with the individual or if there is or was a relationship but the PHI requested does not pertain to that relationship, or if the Health Care Operations purpose is for other than the purposes provided in paragraphs 2.4.1 and 2.4.2 above, then only a Limited Data Set may be disclosed.
22.214.171.124. If a Limited Data Set is disclosed under paragraph 4.1.2., then the ECU HIPAA Privacy Officer will facilitate final approval and signature of a Data Use Agreement by the Executive Associate Vice Chancellor for Health Sciences Administration and Finance for Health Care Components in the Division of Health Sciences and Materials Management for other Health Care Components.
4.2.1. All requests for access to or the creation of PHI for research purposes will be directed to the Institutional Review Board (IRB) per the ECU Faculty Manual, Part VII, Section II, Paragraph II.B. If a Data Use Agreement is needed, the IRB will inform the researcher to contact the Privacy Officer for the appropriate entity.
4.2.2. Use - The Privacy Officer may sign Data Use Agreements for uses regarding research.
4.2.3. Disclosure - The ECU HIPAA Privacy Officer will facilitate final approval and signature of a Data Use Agreement by the Executive Associate Vice Chancellor for Health Sciences Administration and Finance for Health Care Components in the Division of Health Sciences and Materials Management for other Health Care Components.
4.3. Public Health Studies/Activities
4.3.1. Use ,All requests for access to or the creation of PHI for public health studies/activities will be directed to the Privacy Officer to complete a Data Use Agreement. The Privacy Officer may sign Data Use Agreements for uses regarding public health studies/activities.
4.3.2. Disclosure - A request for PHI to facilitate the public health studies/activities of another entity will be restricted to a Limited Data Set without the patients, authorization. The individual requesting the PHI must contact the Privacy Officer to initiate a Data Use Agreement. The ECU HIPAA Privacy Officer will facilitate final approval and signature of a Data Use Agreement by the Executive Associate Vice Chancellor for Health Sciences Administration and Finance for Health Care Components in the Division of Health Sciences and Materials Management for other Health Care Components.