PHI - Difference Between De-Identified and Limited Data Sets

The information below provides guidance on limited data sets vs. full de-identified data and data use agreements.

This overview assists authorized users in classifying and handling Fred Hutch information based on its level of sensitivity and value to Fred Hutch. Adherence to this standard will assist in complying with the Fred Hutch Information Security Policy.

De-Identified Data Sets and Limited Data Sets
Limited Data Sets and Data Use Agreements
Coded Data - OHRP VS HIPAA

De-Identified Data Sets and Limited Data Sets

DATA ELEMENT	DE-IDENTIFIED DATA SET	LIMITED DATA SET
Names	Remove/Code	Code or Remove
Address, city and other geographic information smaller than state. 3-digit zip code may be included in a de-identified data set for an area where more than 20,000 people live; use “000” if fewer than 20,000 people live there. (Approx. 20 -3 digit zips can not be used)	Remove	Can retain city, town, state or full zip code.
All elements of dates (except year); plus age and any date (including year) if age is over 89. Examples: date of birth, date of death, date of admission, date of discharge, date of service.	Remove/Code	True Dates Remain. For research using DOB, using just year recommended
Telephone, fax numbers; e-mail addresses, web URL addresses, IP addresses.	Remove	Remove
Social security number, medical record number, health plan beneficiary number, any account number, certificate or license number	Remove	MRN, Health plan number may be coded. All other removed.
Vehicle identifiers and serial numbers, including license plate numbers, Device identifiers and serial numbers, biometric identifiers, indefinable photography	Remove	Remove
Any other unique identifying number, characteristic or code.	Remove	May Include

	FULLY IDENTIFIED DATA	DE-IDENTIFIED DATA SET	LIMITED DATA SET
IRB* *See Coded Data below or Human Subject Research	Human Subject, IRB needs to approve HIPAA Authorization or HIPAA Waiver. Waiver requires accounting of disclosures.	Not Human Subject, may be used in any manner, not regulated under HIPAA.	IRB does not require HIPAA Authorization or Waiver. No Accounting of Disclosures
Data Use Agreement	May not be used alone.	Not required.	Limited data sets are only for purposes of research, public health, or health care operations. Data Still PHI; agreement has restrictions. No Accounting of Disclosures. IRB required? If the data are not readily identifiable, an IRB can determine Not Human Subject.

FULLY IDENTIFIED DATA

DE-IDENTIFIED DATA SET

LIMITED DATA SET

IRB*

*See Coded Data below or Human Subject Research

Human Subject, IRB needs to approve HIPAA Authorization or HIPAA Waiver. Waiver requires accounting of disclosures.

Not Human Subject, may be used in any manner, not regulated under HIPAA.

IRB does not require HIPAA Authorization or Waiver. No Accounting of Disclosures

Data Use Agreement

May not be used alone.

Not required.

Limited data sets are only for purposes of research, public health, or health care operations. Data Still PHI; agreement has restrictions. No Accounting of Disclosures. IRB required? If the data are not readily identifiable, an IRB can determine Not Human Subject.

Limited Data Sets and Data Use Agreements

Specific permitted uses and disclosures of the limited data set by the recipient must be consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
Identify who is permitted to use or receive the limited data set.
Stipulations that the recipient will:
- Not use or disclose the information other than permitted by the agreement or otherwise required by law.
- Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
- Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
- Not identify the information or contact the individuals.
Violation of a limited data set is deemed to have violated the Privacy Rule. If entity providing the limited data set knows of a pattern of activity or practice by the recipient that constitutes a material breach or violation of the data use agreement, the covered entity must take reasonable steps to correct the inappropriate activity or practice. If the steps are not successful, the covered entity must discontinue disclosure of PHI to the recipient and notify HHS.

Coded Data; OHRP (Human Subjects Protection) VS HIPAA

Coded Data - Common Rule

OHRP does not consider research involving only coded private information or specimens to involve human subjects if the following conditions are both met: (1) not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because re-identification code is destroyed or held by an honest broker.

Coded Data - HIPAA

The Privacy Rule permits covered entities under the Rule to determine that health information is de-identified even if the health information has been assigned, and retains, a code or other means of record identification, provided that:

the code is not derived from or related to the information about the individual;
the code could not be translated to identify the individual; and
the covered entity under the Privacy Rule does not use or disclose the code for other purposes or disclose the mechanism for re-identification (see HHS guidance entitled, Institutional Review Boards and the HIPAA Privacy Rule, page 6, Q and A #3, at