Part 2, Chapter 7: Manual Exhibit 2-7-J
Policy and Procedure for Creating a Limited Data Set
- PURPOSE. To publish the Indian Health Service (IHS) policy and procedure for creating a limited data set for the use or disclosure of protected health information (PHI) only for the purposes of research, public health, or health care operations.
- AUTHORITY. 45 Code of Federal Regulations (CFR) 164.514(e)
- POLICY. For purposes of research, public health, or health care operations, the IHS may disclose information that is not fully de-identified if it creates a limited data set that complies with the terms of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 CFR 164.514(e). Any use or disclosure by the IHS must be made pursuant to a data use agreement with the recipient of the limited data set. All uses or disclosures must be made in accordance with the Manual Exhibit No. 2-7-K, “Policy and Procedure for Limiting the Use or Disclosure of PHI to the Minimum Necessary.”
- Health Care Operations. Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of the entity, including, but not limited to:
- management activities relating to implementation of and compliance with the requirements of this subchapter;
- customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policyholder, plan sponsor, or customer;
- resolution of internal grievances;
- the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
- consistent with the applicable requirements of 45 CFR § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
- Limited Data Set. A limited data set is PHI that excludes specified identifiers (such as the patient's name, provider name, chart number, social security number, etc.), but that can still potentially be linked to a particular patient because it contains dates (including birth date, admission date, discharge date, and date of death) and/or information about the patient's city, state, or nine-digit zip code.
- Public Health Activities. Public health activities are generally authorized by law through a public health authority or other appropriate authority for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions and to include receiving reports of child abuse or neglect.
- Public Health Authority. Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority that is responsible for public health matters as part of its official mandate.
- Protected Health Information. Protected health information means individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 United States Code (U.S.C.) 1232g;
- Records described at 20 U.S.C. 1232g (a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as an employer.
- Research. Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
The following procedures shall be used to create a limited data set, which may be created only for the purposes of research, public health, or health care operations.
- Information Not Permitted in a Limited Data Set. A limited data set is composed of PHI that excludes the following direct identifiers of the patient or relatives, employers, or household members of the patient:
- Postal Address (may retain city, State, and nine-digit zip code)
- Telephone numbers
- FAX numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and/or any comparable images
- Information Permitted in a Limited Data Set. A limited data set may contain:
- Dates of admission and discharge, as well as dates of birth and death
- Nine-digit zip codes, city, and state information.
- Disclosure. In order to create a limited data set, the IHS may use or disclose PHI pursuant to a data use agreement with a business associate for such purpose, whether or not the limited data set is to be used by the IHS.
- Agreement. A limited data set recipient must agree, in writing, to use or disclose the information only for the purposes of research, public health, or health care operations. A written data use agreement (See Appendix 1) between the IHS and the limited data set recipient must also:
- Establish the permitted uses and disclosures of the information.
- Prevent and not authorize the limited data set recipient to use or further disclose the information in any manner that IHS could not use or disclose.
- Establish who is permitted to use or disclose the limited data set.
- Provide that the limited data set recipient will:
- Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law.
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement.
- Report in writing to the IHS (individual to be named in the agreement) any improper use or disclosure of the information not provided for by its data use agreement of which it becomes aware.
- Ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information.
- Not identify the information or contact the patients.
- Compliance. If the IHS becomes aware of a pattern of activity or practice of the recipient of the limited data set that constitutes a material breach or violation of the data use agreement, the IHS must take reasonable steps to cure the breach or end the violation, as applicable. If the steps are unsuccessful, the IHS must:
- Discontinue use and disclosure of PHI to the recipient.
- Report the problem to the Secretary, Department of Health and Human Services.
- The IHS as Recipient of Limited Data Set. The IHS must comply with the terms of any limited data set agreement under which it receives information.
- Questions. Specific questions regarding the implementation of this policy should be directed to the Area Statistician and/or the Area Institutional Review Board (IRB) or Area Privacy Act/HIPAA Privacy Advocate.
Manual Exhibit 2-7-J
DATA USE AGREEMENT 45 CFR 164.514(e)
This Data Use Agreement (“Agreement”) effective the _______ day of _______, 20__ (“Effective Date”) by and between Indian Health Service (IHS) (collectively “Covered Entity”) and _______________________________, the Limited Data Set recipient (“Recipient”).
The Covered Entity is willing to provide the Recipient with a Limited Data Set of Protected Health Information (PHI) as defined by 45 Code of Federal Regulations (CFR) 164.514(e)(2) for public health, health care operations or research purposes; and
The Recipient warrants that it shall use or disclose the Limited Data Set exclusively for the purposes set forth herein:
- Permitted Users. Recipient agrees to allow access to the Limited Data Set only to the following individuals and classes of individuals (Name the individuals):
- Permitted Uses. The Recipient agrees to use and allow access to the Limited Data Set solely as described in the research protocol attached as Exhibit A and entitled: (Attach the research protocol and title of the proposed research)
- Other Use or Disclosure. Recipient agrees that Recipient will not disclose, or allow access to, the Limited Data Set to anyone other than Permitted Users except as required by law.
- Safeguards. The Recipient agrees to and shall ensure that all Permitted Users use appropriate safeguards to prevent use, access to, or disclosure of the Limited Data Set other than as provided by this Agreement. Recipient shall protect the confidentiality of the Limited Data Set with the same level of care it uses to protect its own confidential information.
- Reporting. The Recipient agrees to report in writing to the Institutional Review Board (IRB) of the Covered Entity any unauthorized use or disclosure of the Limited Data Set that it becomes aware of within five (5) business days of its discovery.
- Agents and Subcontractors. The Recipient agrees to ensure that its agents and subcontractors to whom it provides the Limited Data Set agree in writing to adhere to the same restrictions and conditions contained herein regarding its use and disclosure. Recipient will notify Covered Entity when Limited Data Set is made available to agents and subcontractors.
- Contact/Identification. The Recipient agrees to and shall ensure that all Permitted Users shall agree to not identify the information in the Limited Data Set or contact any individual who is a subject of the Limited Data Set or his or her relatives, employers, or household members.
- Publication. Recipient shall have the right to publish, present, or use Limited Data Set for his or her own instruction, research or publication. Provided however, all identifiers as outlined in 45 CFR 164.514 (b)(2)(i) are removed, and
Check all that apply:
______ Recipient is not intending to publish.
______ Recipient is intending to publish. Any proposed publication or presentation shall be provided to the Covered Entity for review at least sixty (60) days prior to the submission. Any publication of any materials by person or entity affiliated in any manner to any training and/or clinical experiences obtained by virtue of this Agreement is strictly prohibited except by prior approval by the IHS. In the event approval is obtained, published materials shall clearly state that the opinions or assertions contained therein are those of the author and do not reflect any official or unofficial view or opinion of the IHS. Additionally, no such materials shall infringe upon, violate, or otherwise compromise patient’s rights to privacy under the Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) Privacy or any applicable Federal or State statute or regulation.
- Publicity. Neither party will use the name of the other party in any publicity, advertising, or news release without the prior written approval of the authorized representative of the other party.
- Indemnification. The Recipient shall indemnify, hold harmless and defend the Covered Entity from and against any and all claims, losses, liabilities, costs and other expenses resulting from or relating to the acts or omissions of the Recipient in connection with the PHI provided to the Recipient under this Agreement.
- No Guarantees or Warranties. Covered Entity in no way guarantees Limited Data Set pursuant to this Agreement and makes no warranties, express or implied, regarding the quality of any product produced under this Agreement. Recipient agrees to indemnify and hold harmless Covered Entity against any claims arising out of Recipient’s commercial sale or distribution of products or processes developed under this Agreement, or its reliance upon the Limited Data Set provided.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any individual or entity other than the Covered Entity and the Recipient, any rights, obligations, remedies or liabilities. Neither party shall have the right to assign or transfer their rights to any third party under this Agreement.
- Term. This Agreement shall become effective on the Effective Date of the Agreement and shall continue in effect for a period of five years or until all obligations of the Parties have been met. Upon completion of the Agreement, the Limited Data Set shall be returned to the Covered Entity. The terms and conditions of this Agreement shall survive the expiration or termination of the Agreement.
- Termination. Either party may terminate this Agreement upon thirty (30) days' notice to the other. Either party may terminate this Agreement immediately in the event that the other party is in material breach of its terms. Upon termination of this Agreement, the Limited Data Set shall be returned to the Covered Entity.
- Law. The parties agree that the laws of the United States shall apply to any problem or dispute arising out of this Agreement.
- Entirety of Agreement. It is expressly agreed that this written agreement represents the entire understanding between the parties and supersedes any prior agreements or understanding with respect to the subject matter herein. Any changes or modifications to this Agreement must be in writing and be signed by both parties.
AGREED AND ACCEPTED:
By Authorized Representative of Recipient:
By Covered Entity’s Authorized Representatives:
Indian Health Service
Read and Understood by Recipient’s Investigator:
Read and Understood by Covered Entity’s Investigator: