4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

Transcription

1 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Limited Data Sets and Data Use Agreements POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title: Limited Data Sets and Data Use Agreements Responsible Executive (RE): General Counsel Sponsoring Organization (SO): Office of General Counsel Dates: Effective Date: Revised: Annual Review: I. POLICY STATEMENT In accordance with 45 CFR , ISU adopts and implements this policy in order to: A. Provide guidance on how to create a limited data set. B. Outline the process for reviewing and responding to requests for limited data sets. C. Define the requirements of a Data Use Agreement for use and disclosure of a limited data set. II. AUTHORITY AND RESPONSIBILITIES ISU is a hybrid entity in accordance with ISU s HIPPA Privacy Policy Only the health care component (i.e., the covered functions) of ISU must comply with this policy. All references in this policy to ISU shall be construed to refer only to the health care component of ISU. III. DEFINITIONS See HIPAA Privacy Policy IV. PROCEDURES TO IMPLEMENT A. Creating Limited Data Sets: 1. Limited Data Set A limited data set is PHI that excludes the following direct identifiers of the patient, or of the patient s relatives, employers or household members: a. Names b. Postal address information, other than town or city, state, and zip code c. Telephone numbers HIPAA Privacy Limited Data Sets and Data Use Agreements Page 1 of 8

2 d. Fax Numbers e. Electronic mail addresses f. Social Security numbers g. Medical record numbers (including prescription and clinical trials numbers) h. Health plan beneficiary numbers i. Account numbers j. Certificate/license numbers k. Vehicle identifiers and serial numbers, including license plate numbers l. Device identifiers and serial numbers m. Web Universal Resource Locators (URLs) n. Internet Protocol (IP) address numbers o. Biometric identifiers, including finger and voice prints p. Full face photographic images and any comparable images 2. The covered entity may use PHI to create a Limited Data Set, or may disclose PHI to a business associate, pursuant to an executed business associate agreement, so that the business associate can create a Limited Data Set. 3. Limited Data Sets may be used or disclosed only: a. For the purposes of research, public health, and/or health care operations. b. To or by a business associate for purposes of creating a Limited Data Set for the covered entity, another covered entity, or the business associate. 4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set. 5. The covered entity will define approved methods of creating Limited Data Sets. a. The Federal Information Processing Standard (FIPS) 198 Keyed-Hash Message Authentication Code (HMAC) does not qualify as an appropriate method for deidentifying information under Federal privacy requirements; however, the HMAC methodology may be used to create a Limited Data Set. 6. If the covered entity uses specialized software to de-identify PHI or re-identify information, access by workforce members to the software will be governed by the appropriate covered entity policies and procedures on information security and privacy, including, but not limited to: a. Access controls b. Password management c. Media control d. Physical safeguards e. Confidentiality and privacy of PHI B. Processing Requests for Limited Data Sets: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 2 of 8

3 1. Requests for Limited Data Sets must be documented (using Attachment A Limited Data Set Request and Data Use Agreement) and submitted to the Privacy Officer or his/her designee: 2. A request for a Limited Data Set must include the following: a. Requestor s name, address, telephone numbers, title, organization or department; b. Date of request; c. Purpose of the request (e.g., research, public health or health care operations), including the intended uses, any re-disclosures, and who will use or have access to the Limited Data Set; d. Names of all recipients of the Limited Data Set; e. Record parameters or selection criteria time period included, minimum number of patient records, type of patient records (such as by diagnosis, procedure, drug use, or other criteria); and f. Date the Limited Data Set is needed. 3. If a Limited Data Set Request and Data Use Agreement that relates to a research study is sent directly to the covered entity s IRB or Privacy Board, the request form should be forwarded to the Privacy Officer or his/her designee before any review is conducted. 4. The Limited Data Set Request and Data Use Agreement must be logged and assigned a unique tracking number. This will assist the Privacy Officer or his/her designee to monitor and document completion of the review and authorization process prior to production or release of the Limited Data Set. 5. Payment of the application processing fee should be submitted with the Limited Data Set Request and Data Use Agreement. The Privacy Officer, or his/her designee, will transfer the application fee payment to the appropriate workforce member. See Fee Schedule section below for further information. 6. The minimum necessary standard applies to requests for Limited Data Set information. a. For example, a patient s date of birth should only be disclosed where a requestor and the covered entity agree that it is needed for the purpose of the request. b. In very limited circumstances, if the requestor provides an adequate description of the purposes of the Limited Data Set and specifies the particular data elements required, the covered entity may rely on a requested disclosure as the minimum necessary. 7. Third party recipients of a Limited Data Set must sign a Data Use Agreement outlining the approved use of the Limited Data Set. The covered entity must obtain satisfactory assurance, in the form of a Data Use Agreement that meets the requirements of the HIPAA Privacy Rule, that the recipient will only use or disclose the Limited Data Set for the limited purposes set forth in the Data Use Agreement. a. The Data Use Agreement between the covered entity and the recipient of the Limited Data Set must: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 3 of 8

4 i. Establish the permitted uses and disclosures of such information by the Limited Data Set recipient; ii. Not authorize the Limited Data Set recipient to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule; iii. Establish who is permitted to use or receive the Limited Data Set; and iv. Provide that the Limited Data Set recipient will; 01. Not use or further disclose the information other than as permitted by the Data Use Agreement or as otherwise required by law; 02. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the Data Use Agreement; 03. Report to the covered entity s Privacy Officer any use or disclosure of the information not allowed by its Data Use Agreement of which it becomes aware; 04. Ensure that any agents, including a subcontractor to whom it provides the Limited Data Set, agree to the same restrictions and conditions that apply to the Limited Data Set recipient with respect to such information; and 05. Not identify the information or contact any of the patients, or the patient s family members, employers, or household members, whose PHI is included in the Limited Data Set. 8. Request for Limited Data Sets may be denied if: a. The covered entity cannot create the Limited Data Set; b. The recipient refuses to sign the Data Use Agreement; c. The recipient refuses to compensate the covered entity for generating the Limited Data Set; or d. Creating the Limited Data Set is an imposition to the operations of the covered entity. 9. The Limited Data Set Request and Data Use Agreement form must be reviewed, approved or denied by the Privacy Officer or his/her designee. The Privacy Officer should be notified of the decision to accept or deny the request for the Limited Data Set. a. The Limited Data Set Request and Data Use Agreement form is used to document the decision and a copy is provided to the requestor informing him or her of the decision. b. The Limited Data Set log, maintained by the Privacy Officer, should reflect the decision and confirm that written communication of the decision was sent to the requestor. 10. In the event the request is approved, the requestor will be asked to confirm acceptance of and submit payment for the production costs prior to actual creation of the Limited Data Set. a. If the approved Limited Data Set request is for PHI that will be used for the purpose of conducting research, the request must be routed to the IRB or Privacy Board for further consideration and approval of a waiver or alteration of authorization prior to communicating with the requestor. See HIPAA Privacy Policy Use and Disclosure of PHI for Research for further guidance HIPAA Privacy Limited Data Sets and Data Use Agreements Page 4 of 8

5 b. For tracking and monitoring purposes, the IRB or Privacy Board will notify the Privacy Officer in writing of a denial, or the waiver of authorization for approved research requests for Limited Data Sets. The Privacy Officer will contact the requestor of the Board s decision in writing. 11. Approved requests for creation of Limited Data Sets will be routed to personnel designated by the Privacy Officer or the business associate responsible for creating the Limited Data Set. 12. The Privacy Officer, or his/her designee, should be contacted at the time of release to establish and document closure of the process in the Limited Data Set log. C. Fee Schedule: 1. The requestor of a Limited Data Set may be asked to compensate the covered entity for resource expenditures related to the request. Note: The covered entity must determine if an application fee will be established for processing requests for Limited Data Sets. The fee should provide reasonable cost recovery of the personnel time required for reviewing the request and determining the estimate of costs to produce the requested Limited Data Set. It is recommended that the application fee be collected at the time the request is submitted to avoid after-the-fact billing or collection efforts. Consideration of fee structures must address implications by research studies that are federally-funded. 2. The covered entity may establish a fee schedule to compensate for the use of personnel, time, software, hardware, and supplies for: a. Reviewing requests for Limited Data Sets (application fee); b. Generating the Limited Data Set; and c. Other specified activities related to the production and delivery of the Limited Data Set. In the event the initial review results in an approval to create the Limited Data Set, a determination of the cost to produce the data set should be made and communicated to the requestor. D. Limited Data Set Violations: 1. The covered entity is not in compliance with the HIPAA Privacy Rule if it knows of a pattern of activity or practice by the Limited Data Set recipient that constitutes a material breach or violation of the Data Use Agreement, unless the covered entity takes reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful: a. Discontinues disclosure of PHI to the recipient; and b. Reports the problem to the Secretary of the Department of Health and Human Services (DHHS) HIPAA Privacy Limited Data Sets and Data Use Agreements Page 5 of 8

6 2. A covered entity that is a Limited Data Set recipient and violates a Data Use Agreement is in violation of the HIPAA Privacy Rule. V. REFERENCES HIPAA Privacy Policies 10020, HIPAA Regulations, 45 CFR , VI. ATTACHMENTS Attachment A - Limited Data Set Request and Data Use Agreement PRESIDENTIAL CERTIFICATION Approved by Arthur C. Vailas President, Idaho State University Date: OGC use only: Received by OGC on by (initial). Published to ISUPP on by (initial) HIPAA Privacy Limited Data Sets and Data Use Agreements Page 6 of 8

7 Attachment A Limited Data Set Request and Data Use Agreement REQUESTOR/RECIPIENT INFORMATION A. I/we are the requestor(s) and recipient(s) of the Limited Data Set identified in this document and agree to provisions of this Data Use Agreement (If necessary, use a separate page to identify all names of individuals or organizations requesting or receiving the Limited Data Set information, and attach to this document): 1. Name: Title: Organization: Address: Telephone: Fax: Signature: Date: 2. Name: Title: Organization: Address: Telephone: Fax: Signature: Date: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 7 of 8

8 FOR ISU USE ONLY Review decision. Check one: 1. Request Denied 2. Request Approved 3. Request Approved with the following modification: Fees Due, if applicable: 1. Amount Due: $ 2. Date Fees Collected: Signature: Date: Title: Department: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 8 of 8