Data Use under HIPAA
The Privacy Rule does permit the use of PHI for research purposes when the appropriate measures are in place. The IRB, in consultation with the researcher, will confirm which type of data set is being used, but researchers need to recognize the differences between a de-identified data set and a limited data set.
Data element | De-identified data set | Limited data set |
---|---|---|
Names | Remove/code | Code or remove |
Address, city and other geographic information smaller than state. A 3-digit zip code may be included in a de-identified data set for an area where more than 20,000 people live; use "000" if fewer than 20,000 people live there. | Remove | Can retain city, town, state, or full zip code. |
All elements of dates (except year), plus age and any date (including year) if age is over 89. Examples: date of birth, date of death, date of admission, date of discharge, date of service. | Remove/code | True dates remain. For research using DOB, using just the year is recommended. |
Telephone and fax numbers, e-mail addresses, web URLs, IP addresses. | Remove | Remove |
Social security number, MRN, health plan beneficiary number, any account number, certificate or license number. | Remove | MRN and health plan number may be coded. All others removed. |
Vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, biometric identifiers, identifiable photography. | Remove | Remove |
Any other unique identifying number, characteristic or code. | Remove | May include |
Coded data: OHRP (Common Rule) vs HIPAA (Privacy Rule)
Coded data: Common Rule
OHRP does not consider research involving only coded private information or specimens to involve human subjects if both of the following conditions are met: (1) the information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain, because the re-identification code is destroyed or held by an honest broker.
Coded data: Privacy Rule
The Privacy Rule permits covered entities under the Rule to determine that health information is de-identified even if the health information has been assigned, and retains, a code or other means of record identification, provided that:
- the code is not derived from or related to the information about the individual;
- the code could not be translated to identify the individual; and
- the covered entity under the Privacy Rule does not use or disclose the code for other purposes or disclose the mechanism for re-identification (see the HHS guidance "Institutional Review Boards and the HIPAA Privacy Rule", page 6, Q&A #3).
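The rules in the data-element table above and the coding conditions just listed are mechanical enough to express as code. The following is an added example, not code from the page, Prisma Health or Fred Hutchinson: it applies the de-identified and limited data set columns to a record, truncates zip codes under the 20,000-person rule, drops dates and age for anyone over 89, and assigns random codes whose only key is held by a hypothetical honest broker. The field names, the 3-digit zip population table, the sample records and the reference date for computing age are all assumptions constructed for the example.

```python
import secrets
from datetime import date

# Identifiers the table removes from BOTH data set types.
ALWAYS_REMOVE = {"phone", "fax", "email", "url", "ip", "vehicle_id",
                 "device_serial", "biometric", "photo"}
# Removed from a de-identified set only; a limited set may keep them.
DEID_ONLY_REMOVE = {"other_unique_id", "city"}
# Removed from a limited set (MRN and health plan number may instead be coded).
LIMITED_REMOVE = {"ssn", "account_number", "license_number"}
DATE_FIELDS = {"dob", "death_date", "admission_date", "discharge_date", "service_date"}

# Constructed stand-in for 3-digit zip area populations; real figures come
# from Census data, which this example does not include.
ZIP3_POPULATION = {"296": 500000, "036": 15000}


def safe_harbor_zip3(zip_code):
    """Keep the 3-digit prefix only where more than 20,000 people live; else '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20000 else "000"


def age_on(dob, as_of):
    """Whole years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


class HonestBroker:
    """Hypothetical honest broker: issues random codes and keeps the only key.

    Codes come from secrets.token_hex, so they are neither derived from the
    value nor translatable back to it; the key dictionaries stay with the
    broker and are never released alongside the data set."""

    def __init__(self):
        self._code_to_value = {}
        self._value_to_code = {}

    def code(self, value):
        if value not in self._value_to_code:
            code = secrets.token_hex(8)  # random, unrelated to the value
            self._value_to_code[value] = code
            self._code_to_value[code] = value
        return self._value_to_code[value]

    def reidentify(self, code):
        return self._code_to_value[code]


def deidentify(record, broker, as_of):
    """Build a de-identified data set row following the table's middle column."""
    over_89 = age_on(record["dob"], as_of) > 89
    out = {}
    for field, value in record.items():
        if field in ALWAYS_REMOVE or field in DEID_ONLY_REMOVE or field in LIMITED_REMOVE:
            continue
        if field in {"name", "mrn", "health_plan_number"}:
            out[field] = broker.code(value)       # "Remove/code": coded here
        elif field in DATE_FIELDS:
            if not over_89:                        # over 89: drop dates entirely
                out[field] = value.year            # otherwise keep the year only
        elif field == "age":
            if not over_89:
                out[field] = value
        elif field == "zip":
            out[field] = safe_harbor_zip3(value)
        else:
            out[field] = value                     # e.g. state, diagnosis
    return out


def limited_data_set(record, broker):
    """Build a limited data set row following the table's right-hand column."""
    out = {}
    for field, value in record.items():
        if field in ALWAYS_REMOVE or field in LIMITED_REMOVE:
            continue
        if field in {"name", "mrn", "health_plan_number"}:
            out[field] = broker.code(value)       # "Code or remove": coded here
        else:
            out[field] = value                     # true dates, city and zip retained
    return out


# Constructed sample records (not real patients).
SAMPLE = {
    "name": "Example Patient", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "health_plan_number": "HP-42", "dob": date(1950, 6, 15),
    "admission_date": date(2020, 2, 3), "city": "Greenville", "state": "SC",
    "zip": "29601", "email": "patient@example.invalid", "diagnosis": "hypertension",
}
SAMPLE_OVER_89 = dict(SAMPLE, name="Older Patient", mrn="MRN-0002",
                      dob=date(1925, 1, 1), zip="03601")
AS_OF = date(2021, 3, 10)  # assumed reference date for computing age

if __name__ == "__main__":
    broker = HonestBroker()
    print(deidentify(SAMPLE, broker, AS_OF))
    print(deidentify(SAMPLE_OVER_89, broker, AS_OF))
    print(limited_data_set(SAMPLE, broker))
```

The same broker instance is used for both outputs so that a coded MRN links the de-identified row and the limited row for one patient without either row carrying the real value; the key inside the broker is what the third bullet says must never be disclosed with the data.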
Limited data sets and data use agreements
Research involving a limited data set that leaves Prisma Health will require a Data Use Agreement. Data Use Agreements (DUAs) are non-funded contracts that define the terms and conditions under which non-public data subject to restricted use may be shared.
De-identified data sets do not require a Data Use Agreement, but de-identified data leaving Prisma Health will require a data sharing agreement. Additionally, other institutions may require a DUA simply to cover their transmission of the data to another entity.
A DUA should not be used if a funding agreement (e.g. grant award, CTA, research agreement) is already in place between Prisma Health and the other entity for the same project. The project's funding agreement should address data sharing.
 | Fully identified data set | De-identified data set | Limited data set |
---|---|---|---|
IRB | Human Subject; IRB needs to approve a HIPAA Authorization or HIPAA Waiver. A Waiver requires accounting of disclosures. | Not Human Subject; may be used in any manner, not regulated under HIPAA. | IRB does not require HIPAA Authorization or Waiver. No Accounting of Disclosures. |
Data Use Agreement | May not be used alone. | Not required. | Limited data sets are only for purposes of research, public health, or health care operations. Data still PHI; agreement has restrictions. No Accounting of Disclosures. IRB required? If the data are not readily identifiable, an IRB can determine Not Human Subject. |
Reproduced with permission from Fred Hutchinson Cancer Research Center
Updated 3/10/2021