Creating and Disclosing a Limited Data Set

Last Updated: April 2003

Responsible University Officer:
  • Senior Vice President for Health Sciences, Privacy Officer

Procedure Contact:

PROCEDURE

Individual health information may be used or disclosed as part of a limited data set for the purpose of health care operations, public health activities or research when a data use agreement is in place between the holder of the individual health information and the recipient.

Health care components may use PHI to create a limited data set. Health care components may also disclose PHI to their business associates for the purpose of creating limited data sets, regardless of who will use the resulting limited data set.

REMOVAL OF IDENTIFIERS
To create a limited data set, the following identifiers of the individual and of the individual's relatives, employers and household members must be removed:

  1. Names
  2. Postal address information other than town/city, state and zip
  3. Telephone number
  4. Fax number
  5. Email address
  6. Social security number
  7. Medical record number
  8. Health plan number
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identification/serial numbers, including license plate numbers
  12. Device identification/serial numbers
  13. Universal resource locators (URLs)
  14. Internet protocol addresses
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographs and comparable images

DATA USE AGREEMENTS
A data use agreement must be in place between the health care component and the recipient of the limited data set before information may be disclosed as part of a limited data set. The data use agreement must contain satisfactory assurances that the limited data set recipient will only use or disclose the limited data set for the purposes set forth in the data use agreement.

Reasonable steps must be taken by the health care component to cure any breach or end any violation of the data use agreement of which it becomes aware.

The data use agreement must meet the following requirements:

  1. establish the permitted uses or disclosures of the information by the recipient;
  2. establish who is permitted to use or receive the limited data set;
  3. provide that the recipient will not use or further disclose the information other than as permitted by the agreement or required by law;
  4. provide that the recipient will use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the agreement;
  5. provide that the recipient will report to the University health care component any impermissible use or disclosure of which it becomes aware;
  6. require that the recipient ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions;
  7. provide that the recipient not identify the information or contact the individuals; and
  8. provide that if the attempts to cure a breach or end a violation are unsuccessful, disclosure of the limited data set to the recipient will be terminated and the problem will be reported to the Secretary.
