UTMB HANDBOOK OF OPERATING PROCEDURES

Section 6 Compliance Policies Subject 6.2 Privacy Related Policy 6.2.13 Use and Disclosure of PHI for Limited Data Sets

04/11/03 -Originated 10/08/07 -Reviewed w/changes -Reviewed w/o changes Compliance Office - Author

Use and Disclosure of PHI for Limited Data Sets

Definitions	Limited Data Set: A subset of protected health information (PHI) that excludes the direct identifiers listed below. All the direct identifiers listed below must be removed for the individual and relatives, employers, or household members of the individual. 1. Names; 2. Postal address information, other than town or city, state, and zip code; 3. Telephone numbers; 4. Fax numbers; 5. Electronic mail addresses; 6. Social security numbers; 7. Medical record numbers; 8. Health plan beneficiary numbers; 9. Account numbers; 10. Certificate/license numbers; 11. Vehicle identifiers and serial numbers, including license plate numbers; 12. Device identifiers and serial numbers; 13. Web Universal Resource Locators (URLs); 14. Internet Protocol (IP) address numbers; 15. Biometric identifiers, including finger and voice prints; and 16. Full face photographic images and any comparable images. Health Care Operations: Are activities related to UTMB’s functions as a health care provider, including general administrative and business functions necessary for UTMB to remain a viable health care provider. For a more detailed definition of Health Care Operations, see IHOP Policy 6.2.0, General Policy on Use and Disclosure of PHI. Public Health: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from a public agency that is responsible for public health matters as part of its official mandate. Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Activities which meet this definition constitute research for
Definitions, continued	purposes of this policy whether or not they are conducted or supported under a program that is considered research for other purposes. For example, some demonstration and service programs may include research activities.
Policy	UTMB, in an effort to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), maintains that patient information must be kept private and confidential. If UTMB enters into a data use agreement with the limited data set recipient, UTMB may use or disclose a limited data set that meets the definition above and that includes the requirements of this policy. Disclosures of a limited data set are exempt from IHOP Policy 6.2.28, Accounting of Disclosures of PHI UTMB may only use or disclose a limited data set for the purposes of research, public health, or health care operations. UTMB may use PHI to create a limited data set or UTMB may disclose PHI to a business associate in order to create a limited data set. Business associates may not disclose information in a limited data set without UTMB approval. Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals may be subject to loss of access privileges and civil and/or criminal prosecution.
Data Use Agreement	UTMB may use or disclose a limited data set only if it obtains a fully executed data use agreement. A data use agreement between UTMB and the limited data set recipient must: § Clearly state the permissible uses and disclosures of PHI within the limited data set as stated above. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements;

Data Use Agreement, continued	§ Establish who is permitted to use or receive the limited data set; and § Provide that the limited data set recipient will: o Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; o Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; o Report to UTMB any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; o Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; o Not attempt to identify or contact the individuals from the information contained in the limited data set.
Compliance	UTMB is not in compliance with this policy if UTMB knows of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless UTMB took reasonable steps to remedy the breach or end the violation. If UTMB was unable to remedy the breach or end the violation, UTMB must: § Discontinue disclosure of protected health information to the recipient; and § Report the problem to the Department of Health & Human Services Secretary. If UTMB is a limited data set recipient, UTMB must act in compliance with this policy.
References	45 C.F.R. §164.514(e)