The information below provides guidance on limited data sets vs. full de-identified data and data use agreements.
This overview assists authorized users in classifying and handling Fred Hutch information based on its level of sensitivity and value to Fred Hutch. Adherence to this standard will assist in complying with the Fred Hutch Information Security Policy.
DATA ELEMENT | DE-IDENTIFIED DATA SET | LIMITED DATA SET |
---|---|---|
Names | Remove/Code | Code or Remove |
Address, city and other geographic information smaller than state. 3-digit zip code may be included in a de-identified data set for an area where more than 20,000 people live; use “000” if fewer than 20,000 people live there. (Approx. 20 -3 digit zips can not be used) | Remove | Can retain city, town, state or full zip code. |
All elements of dates (except year); plus age and any date (including year) if age is over 89. Examples: date of birth, date of death, date of admission, date of discharge, date of service. | Remove/Code | True Dates Remain. For research using DOB, using just year recommended |
Telephone, fax numbers; e-mail addresses, web URL addresses, IP addresses. | Remove | Remove |
Social security number, medical record number, health plan beneficiary number, any account number, certificate or license number | Remove | MRN, Health plan number may be coded. All other removed. |
Vehicle identifiers and serial numbers, including license plate numbers, Device identifiers and serial numbers, biometric identifiers, indefinable photography | Remove | Remove |
Any other unique identifying number, characteristic or code. | Remove | May Include |
FULLY IDENTIFIED DATA | DE-IDENTIFIED DATA SET | LIMITED DATA SET | |
---|---|---|---|
IRB* |
Human Subject, IRB needs to approve HIPAA Authorization or HIPAA Waiver. Waiver requires accounting of disclosures. | Not Human Subject, may be used in any manner, not regulated under HIPAA. | IRB does not require HIPAA Authorization or Waiver. No Accounting of Disclosures |
Data Use Agreement | May not be used alone. | Not required. | Limited data sets are only for purposes of research, public health, or health care operations. Data Still PHI; agreement has restrictions. No Accounting of Disclosures. IRB required? If the data are not readily identifiable, an IRB can determine Not Human Subject. |
OHRP does not consider research involving only coded private information or specimens to involve human subjects if the following conditions are both met: (1) not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because re-identification code is destroyed or held by an honest broker.
The Privacy Rule permits covered entities under the Rule to determine that health information is de-identified even if the health information has been assigned, and retains, a code or other means of record identification, provided that: