- Identifiable protected health information – to which all of the Rule applies
- De-identified protected health information – to which the Rule does not apply
- Limited data sets – a middle option, to which limited parts of the Rule apply
The main difference here is that, while strict rules apply to the confidentiality of identifiable protected health information, the HIPAA Privacy Rule allows covered entities and associated businesses (like institutes that research public health or health care providers) to release information that is deemed a limited data set without obtaining authorization from a patient or needing a data use agreement if certain conditions are met.
We will get into the details of these conditions in a bit.
De-identified personal health information versus limited data set
Let’s have a look at the differences between de-identified personal health information and limited data sets:
De-identified Personal Health Information
De-identified personal health information is data or a medical record that has been stripped of all “direct identifiers.” These are any bits of information that can be used to trace the medical record back to the patient.
There are two ways of achieving de-identified personal health information that abides by the HIPAA Privacy Rule:
I. Expert Determination
A covered entity can convert identifiable personal health information into de-identified personal health information with the help of an authorized expert who:
- Determines that there is little-to-no risk that the converted data can be used by anyone – whether on its own or in combination with other bits of information – to trace it back to the subject patients
- Once done, documents the method(s) used and the results of the conversion to justify their final result, i.e. the de-identified personal health information
II. Safe Harbor
In this conversion method, the following identifiers of patients (or any of their relatives, employers, or household members) are removed from the identifiable personal health information:
- Traceable addresses (city, state, and ZIP code, etc.) – all geographic subdivisions smaller than a state, including street address, city, ZIP code, county, precinct, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the Bureau of the Census:
– Geographic units formed by combining all ZIP codes with the same three initial digits contain more than 20,000 people.
– The initial three digits of ZIP codes for all such geographic units containing 20,000 or fewer people are changed to “000”
- All elements of dates (except year) that are directly related to an individual, including their birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record identifiers and serial numbers
- Biometric identifiers, including finger and voiceprints
- Health plan numbers, health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Certificate or license numbers
- Any other unique identifying number, characteristic, or code – exceptions being unique codes assigned by an investigator to code the data
A covered entity can rest assured that they have met the set standards of creating de-identified protected health information if they apply either one of these methods. This, then, means the information is no longer considered to be protected health information by the Privacy Rule and can be disclosed at will and with no data use agreements required.
Limited Data Set
In contrast to de-identified protected health information – which, again, is not considered personal health information under the Privacy Rule – a limited data set under HIPAA is considered identifiable protected information and can only be shared with entities that have signed data use agreements with the covered entity.
The definition of a limited data set is:
“A dataset of personal health information that has not been fully de-identified according to the HIPAA Privacy Rule regulations. It excludes 15 of the 18 personal identifiers listed for de-identification above.”
Limited data sets are allowed to retain:
- Dates like date of birth, admission or discharge
- Ages in years, months, days, or hours
- Some geographic information (city, state, and zip code but not street address) and other unique codes and characteristics that are not expressly excluded
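To make the contrast concrete, the following added example (not part of the original article) applies the Safe Harbor removals and the limited data set rules to the same flat record. The field names, the `SMALL_ZIP3` values and the sample patient are constructed for illustration, and the code handles structured fields only, not free-text notes.

```python
from datetime import date

# Field names below are constructed for this example, not a standard schema.
DIRECT = {"name", "street_address", "phone", "fax", "email", "ssn", "mrn",
          "health_plan_id", "account_number", "license_number", "vehicle_id",
          "device_id", "url", "ip_address", "biometric_id", "photo"}
GEO = {"city", "county", "zip"}            # subdivisions smaller than a state
DATES = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed sample of 3-digit ZIP prefixes covering 20,000 or fewer people;
# a real pipeline would build this set from current Census figures.
SMALL_ZIP3 = {"036", "059"}

def age_on(born, today):
    """Age in whole years on `today`."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def safe_harbor(rec, today):
    """Apply the Safe Harbor removals to one flat record."""
    drop = DIRECT | GEO | DATES
    out = {k: v for k, v in rec.items() if k not in drop}
    zip3 = str(rec.get("zip", ""))[:3]
    if len(zip3) == 3 and zip3.isdigit():
        out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
    born = rec.get("birth_date")
    age = age_on(born, today) if born else None
    for field in sorted(DATES):
        value = rec.get(field)
        if value is None:
            continue
        if field == "birth_date" and age > 89:
            continue                       # a birth year would reveal an age over 89
        out[field.replace("_date", "_year")] = value.year
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out

def limited_data_set(rec):
    """Drop direct identifiers; keep dates, city, state and ZIP code."""
    return {k: v for k, v in rec.items() if k not in DIRECT}

# Constructed sample record.
PATIENT = {"name": "Jane Roe", "ssn": "000-00-0000", "email": "jroe@example.org",
           "street_address": "1 Example St", "city": "Springfield", "state": "VT",
           "zip": "05901", "birth_date": date(1930, 4, 2),
           "admission_date": date(2023, 11, 20), "diagnosis": "J18.9"}

if __name__ == "__main__":
    print(safe_harbor(PATIENT, date(2024, 1, 15)))
    print(limited_data_set(PATIENT))
```

The Safe Harbor output keeps only the state, a masked ZIP prefix, the admission year, the "90+" age category and the clinical field, while the limited data set output still carries the full dates, city and ZIP code, which is why it remains protected health information.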
Most Privacy Rule requirements do not apply to limited data sets that are used internally or even disclosed to third parties.
But, that doesn’t mean there aren’t any restrictions:
- Limited data sets can be shared strictly to research public health or health care operations
- Also, two requirements apply:
  - The covered entity may release only the minimum necessary information, which means the intended recipient must indicate exactly what is needed in a limited data set
  - The recipient must consent to a data use agreement – even if the limited data set is being used internally
Data use agreement for limited data sets
We have just said that a HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity; but why?
Well, it is because the data use agreement allows covered entities like health care operations to obtain satisfactory assurances that the shared personal health information – of which limited data sets are a part – will:
- Only be used for the purposes specified
- Not be disclosed by the entity with which it is shared
- Be handled in compliance with the requirements of the HIPAA Privacy Rule
The data use agreement should outline the following about the limited data sets:
- Permitted uses and disclosures
- Authorized recipients and users
- An agreement that it will not be used to contact subject patients or even attempt to identify them
- A requirement that safeguards – like HIPAA compliant cloud storage – be implemented to ensure its confidentiality and prevent prohibited uses and disclosures
- A requirement that the discovery of any improper use or disclosure of the limited data sets be reported back to the covered entity
- A statement that any subsequent business associates that are required to access or use the limited data set also enter into a data use agreement and agree to comply with its requirements
In all cases, the HIPAA minimum necessary standard applies, and information in the limited data set must be limited to only the information necessary to perform the purpose for which it is disclosed.
And so, if a covered entity or business associate that is the recipient of a limited data set violates the data use agreement with the disclosing covered entity, the recipient covered entity is deemed to have violated the Privacy Rule.
Likewise, if the health care operations disclosing protected health information or limited data sets are aware of any activity by the recipients that violates a data use agreement, the disclosing health care operations must take steps to correct the inappropriate activity.
If the steps prove ineffective, the U.S. Department of Health & Human Services (HHS) must be notified about the violation.
How to protect limited data sets
One of the best ways of making sure that a limited data set is kept safe and secure from prying eyes is to ensure that it is stored in a secure cloud storage platform. What is even more amazing is that nowadays there are HIPAA compliant database design platforms that are easy to use. In fact, anyone who has a good idea of the structure of incoming data – like a limited data set being imported from a covered entity – can create reliable and secure cloud databases to store, use or share it with entities that might need it to research public health.
It doesn’t matter if you are a covered entity or an associated business; you can contact us to find out how you too can create such secure and cost-effective cloud storage solutions for your protected health information and HIPAA limited data sets.