Limited Data Sets

 

Table of Contents

Applicability

Research on coded private information, or on non-identifiable information, is not regulated under the Common Rule.  However, HIPAA Privacy Rule protections apply if a coded or non-identifiable data set contains Protected Health Information (PHI) in the form of a “Limited Data Set.” A Limited Data Set (LDS) excludes direct identifiers but may include geographic information other than street address; dates; and other numbers, characteristics, or codes not listed as direct identifiers. A table showing data elements permitted in de-identified data and limited data sets is available through the References section of UMHS Policy 01-04-032 on Limited Data Sets.

HIPAA Privacy Rule permits access to PHI in the form of a Limited Data Set (LDS) if the covered entity and the limited data set recipient enter into a data use agreement (DUA). Even if the researchers requesting a limited data are members of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient. This means the project will need to be reviewed by the Privacy Board.

Required provisions in the DUA

In the DUA, the researchers receiving the LDS provide satisfactory assurances that they will use or disclose the PHI in the data set only for specified purposes.

  1. Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
  2. Identify who is permitted to use or receive the limited data set.
  3. Stipulations that the recipient will
    1. Not use or disclose the information other than permitted by the agreement or otherwise required by law.
    2. Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
    3. Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
    4. Not identify the information or contact the individuals.

UMHS Policy 01-04-032 on Limited Data Sets describes further UMHS implementation of these requirements.

Standard Data Use Agreement (aka Data Sharing Agreement) templates for UMHS data are available from the UMMS Data Office for Clinical and Translational Research and UMHS Compliance Office. When UM researchers receive Limited Data Set(s) from outside institutions, generally the other institution provides the DUA template. ORSP Data Sharing Resource Center, UMMS Data Office for Clinical and Translational Research, and UMHS Compliance Office are available to assist with DUAs. External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM).

Process for application

To request review of a “Limited Data Set with Data Use Agreement” from Privacy Board, complete a new application in eResearch Regulatory Management (eRRM). Fill out system-required sections, including:

  • Question 1.8 (project summary): explain the purpose of the project, and why this requires access to PHI.
  • Section 01-1: “Activities Not Regulated…”;
  • Section 04-1: “Research Involving Coded Private Information”;
  • Section 04-2: Yes to “limited data set?”
  • Section 24: fill out a separate line item for each data source, including
    • Question 24.4: No to “publicly available?”
    • Question 24.6: Upload a copy of the DUA
  • Section 25-1: fill out, including
    • 25-1.3 “HIPAA authorization will not be obtained from any subjects”
    • 25-1.3.2: “Limited data set(s)”
  • Section 25-4: provide required assurances. 

Once completed and submitted, the application will be reviewed by IRBMED Staff for clarity and completeness, then assigned to the Privacy Board for determination.

Process Flowchart

limited-flow

Note: You may not begin any study-related activities until after you receive a Determination Letter.

 

 

 

 

 

  

  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Update Approved by IRBMED Chairs and Director: October 14, 2011

Website Updated: May 8, 2015