Maine's Public Universities - University of Maine System

HIPAA GENERAL OPERATING POLICY #33
LIMITED DATA SET

I. General

A HCC may use or disclose a limited data set that meets the requirements of this policy, if the HCC enters into a data use agreement with the limited data set recipient.

II. Definition

A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:

a. Names;

b. Postal address information, other than town or city, State and zip code;

c. Telephone numbers;

d. Fax numbers;

e. Electronic mail addresses;

f. Social security numbers;

g. Medical record numbers;

h. Health plan beneficiary numbers;

i. Account numbers;

j. Certificate/license numbers;

k. Vehicle identifiers, serial and license plate numbers;

l. Device identifiers and serial numbers;

m. URLs;

n. IP address numbers;

o. Biometric identifiers, including finger and voice prints; and

p. Full-face photographs and comparable images.

III. Permitted Purposes

a. A HCC may use or disclose a limited data set only for the purposes of research, public health, or health care operations.

b. A HCC may use PHI to create a limited data set, or disclose PHI only to a business associate for such purpose, whether or not the limited data set is to be used by the HCC.

IV. Data Use Agreement

A HCC may use or disclose a limited data set only if the HCC obtains a data use agreement that meets the requirements of this section. A data use agreement between the HCC and the limited data set recipient must:

a. Establish the permitted uses and disclosures of such information by the recipient. The agreement may not authorize the recipient to use or further disclose the information in a manner that would violate the requirements of the Privacy regulations if done by the HCC;

b. Establish who is permitted to use or receive the limited data set;

c. Provide that the recipient will:
i. Not use or further disclose the information other than as permitted by the agreement or required by law;
ii. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the agreement;
iii. Report to the HCC any use or disclosure of the information not provided for in the agreement of which it becomes aware;
iv. Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions as the recipient; and
v. Not identify the information or contact the individuals.

A HCC is not in compliance if it knew of a pattern of activity of the recipient that constituted a material breach or violation of the data use agreement, unless the HCC took reasonable steps to cure the breach or end the violation and, if such steps were unsuccessful, discontinued disclosure of PHI to the recipient and reported the problem to the Secretary of DHHS. A HCC that is a limited data set recipient and violates a data use agreement will be in violation of the requirements of this policy.