The Blog

Data Use Agreement For Limited Data Set

A limited set of data can only contain the following identifiers: a limited set of data is described as health information that excludes certain listed direct identifiers (see below) but may include the city; the State; postal code; the elements of the date; and other numbers, characteristics or codes that are not listed as direct identifiers. The direct identifiers listed in the restricted data set of the privacy policy apply to both information about the individual and information about the person`s relatives, employers, or household members. The following identifiers must be removed from health-related information if the data is to be considered a limited set of data: Hopkins has established a Data Use Agreement form for use by those who wish to transmit a „limited set“ of data to recipients. This model is available in form 9 of the IRB HIPC. If Johns Hopkins provides the limited data set, if significant changes are to be made to this Johns Hopkins template form, or if another party`s version of a data use agreement is to be used, the Johns Hopkins Office of Research Administration must verify and approve the terms of the agreement. See HIPAA Model Guideline AB.9.1b. For activities related to the preparation of research, the companies concerned may use or transmit PHI to a researcher without the authorization of a person, a waiver or modification of the authorization or an agreement for the use of the data. However, the covered enterprise must obtain assurance from a researcher that the use or disclosure is requested exclusively for the verification of PHI, to the extent necessary for the establishment of a research protocol or similar research purposes; (2) the IHP will not be removed from the covered business during the verification and (3) the IHP for which use or access is requested, for which research is necessary. The body concerned may authorise the researcher to make such statements in writing or orally. A limited data set under the HIPC is a set of identifiable health information that allows companies covered by the HIPC data protection rule to share with certain companies for research, public health activities and health operations without prior patient consent, if certain conditions are met. The publication of a „limited data set“ is not subject to HIPC monitoring/accounting requirements. It would appear that the marginal increase in privacy protection that such accounting would offer is offset by its expenses.

DHHS has taken the position that the protection of individuals` privacy with respect to PHI, disclosed in a „limited set of data“, can be duly protected by a signed data use agreement. The current data protection authorization is the authorization signed by a person that allows a covered entity to use or disclose the person`s PHI for the purposes and to the recipient or recipient, as indicated in the authorization. . . .