Table of Contents
Research on coded private information, or on non-identifiable information, is not regulated under the Common Rule. However, HIPAA Privacy Rule protections apply if a coded or non-identifiable data set contains Protected Health Information (PHI) in the form of a “Limited Data Set.” A Limited Data Set (LDS) excludes direct identifiers but may include geographic information other than street address; dates; and other numbers, characteristics, or codes not listed as direct identifiers. A table showing data elements permitted in de-identified data and limited data sets is available through the References section of UMHS Policy 01-04-032 on Limited Data Sets.
HIPAA Privacy Rule permits access to PHI in the form of a Limited Data Set (LDS) if the covered entity and the limited data set recipient enter into a data use agreement (DUA). Even if the researchers requesting a limited data are members of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient. This means the project will need to be reviewed by the Privacy Board.
Required provisions in the DUA
In the DUA, the researchers receiving the LDS provide satisfactory assurances that they will use or disclose the PHI in the data set only for specified purposes.
UMHS Policy 01-04-032 on Limited Data Sets describes further UMHS implementation of these requirements.
Standard Data Use Agreement (aka Data Sharing Agreement) templates for UMHS data are available from the UMMS Data Office for Clinical and Translational Research and UMHS Compliance Office. When UM researchers receive Limited Data Set(s) from outside institutions, generally the other institution provides the DUA template. ORSP Data Sharing Resource Center, UMMS Data Office for Clinical and Translational Research, and UMHS Compliance Office are available to assist with DUAs. External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM).
Process for application
To request review of a “Limited Data Set with Data Use Agreement” from Privacy Board, complete a new application in eResearch Regulatory Management (eRRM). Fill out system-required sections, including:
Once completed and submitted, the application will be reviewed by IRBMED Staff for clarity and completeness, then assigned to the Privacy Board for determination.
Note: You may not begin any study-related activities until after you receive a Determination Letter.
Update Approved by IRBMED Chairs and Director: October 14, 2011
Website Updated: May 8, 2015