Using a limited data set under HIPAA for research

A researcher needs to analyze how an Ebola patient’s geographic location impacts their prognosis. A hospital administrator wants to compare older patients’ recovery rates to the national average. Both of these studies face the same problem: The data they need is protected.

HIPAA requires that HIPAA-covered entities keep their patients’ protected health information (PHI) private. Legally, healthcare providers have to get permission from a patient before they use their information for research purposes. If they’re unable to get consent, the data must be de-identified before the study can be done.

This system can quickly hit some roadblocks. For instance, a large-scale study may need so many participants that it’s difficult to get consent from everyone. Or a study may rely on personal identifiers that usually have to be removed. 

These studies are vital for advancing healthcare and providing better treatment to patients. So how can researchers balance the needs of their studies with legal regulations? That’s where limited data sets come in.     

What is a limited data set?

A limited data set is a set of data that retains some identifying characteristics and can be used for research, public health reasons, or to improve a specific hospital’s or clinic’s level of care. What differentiates a limited data set from de-identified health information is the type and quantity of data included.

What can it include?

  • Geographic information: zip codes, states, or cities 
  • Dates related to a patient’s healthcare: admission to a hospital, surgery, beginning of treatment, or discharge from the hospital
  • Ages: in years, months, or days 

While these data sets do contain some types of PHI, they can’t include all 18 identifiers. Here’s a brief list of what limited data sets cannot include.

What needs to be removed?

  • Names
  • Biometric indicators, such as fingerprints or retinal scans
  • Full face photographs
  • Social Security numbers
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Street addresses
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • IP addresses
  • URLs

Although limited data sets may only contain certain personal identifiers, these identifiers mean that the data is still protected by HIPAA. Under federal law, there are precautions you need to take to keep your data sets secure. 
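The two lists above translate into a default-deny filter, shown here as an added example (not code from JotForm or from the original article). The field names, the clinical fields `diagnosis` and `outcome`, and the sample record are assumptions made for illustration. The regular expressions are a best-effort screen for identifiers that slip into otherwise permitted fields.

```python
import re

# Field names are hypothetical; map them to your own schema.
# Categories mirror the article's "What needs to be removed?" list.
DIRECT_IDENTIFIERS = {
    "name", "fingerprint", "retinal_scan", "face_photo", "ssn", "phone",
    "fax", "email", "street_address", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "ip_address", "url",
}
# Categories the article says may stay, plus assumed clinical fields.
ALLOWED = {"zip", "city", "state", "admit_date", "discharge_date", "age",
           "diagnosis", "outcome"}

# Best-effort patterns for identifiers that leak into permitted fields.
LEAKS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
}

def to_limited_record(record):
    """Return (limited_record, findings); unknown fields are dropped."""
    limited, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            findings.append((field, "direct identifier"))
        elif field not in ALLOWED:
            findings.append((field, "not on allow list"))
        else:
            hits = [k for k, p in LEAKS.items() if p.search(str(value))]
            if hits:
                findings.append((field, "contains " + ", ".join(hits)))
            else:
                limited[field] = value
    return limited, findings

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Roe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "zip": "78701", "admit_date": "2014-10-03", "age": 67,
    "diagnosis": "Ebola virus disease", "referrer": "clinic-7",
    "outcome": "recovered; follow up at jane.roe@example.com",
}

if __name__ == "__main__":
    print(to_limited_record(SAMPLE))
```

The findings list doubles as a review log: any field withheld because of a pattern match should be checked by a person before the data set is released.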

How to be compliant when using limited data sets 

Once you’ve decided who will conduct the research, you have to ensure that they will protect the data set you provide them. If you’re working with an outside business or a researcher who isn’t your employee, then you need to sign a data use agreement with them. This agreement should outline and confirm:

  • What the contractor will use the data for 
  • Who the recipients of the data are
  • That the contractor will follow HIPAA guidelines for PHI and report breaches to the HIPAA-covered entity
  • That the contractor will not attempt to identify or contact any of the patients 
  • That any subcontractors dealing with the data also sign a data use agreement 

If you’re giving a contractor a premade limited data set, you don’t need to sign a business associate agreement (BAA). However, contracting a company to create a limited data set from your patient data does require a BAA.

Another option is to use the same company to create the data set and conduct the research. This solution means you have to sign both a BAA and a data use agreement with that company.   

After you’ve signed the data use agreement, monitor the project for legal violations. Warn the company if you spot any sign of improper PHI use. If they continue to handle PHI incorrectly, report the issue to the U.S. Department of Health & Human Services (HHS) and stop providing PHI to the company. 

Limited data sets may not include everything about a patient, but they do provide valuable information that researchers need to improve healthcare. And limited data sets give you the ability to perform more extensive research than de-identified health information does. 

Limited data sets give you more freedom 

Healthcare researchers strive to improve healthcare and, ultimately, patients’ lives. However, they can’t do this without data. That’s why limited data sets are vital for researchers. By using limited data sets, you’ll be able to conduct the studies you need to advance healthcare.

At JotForm, our online forms can help you collect the patient information you need for treatment and research. We offer online consent forms for disclosing data, data-collection forms, and encryption for storing that data securely. Contact us today to learn more.

Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form.
