Limited Data Set and Data Use Agreement Policy

When appropriate and feasible, a Limited Data Set shall be used, disclosed, or requested by Workforce Members of the Columbia University Healthcare Component (CUHC) rather than a completely identifiable data set of Protected Health Information (PHI), consistent with University and regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reason(s) for the Policy

CUHC is committed to protecting patient privacy as mandated by applicable city, state, and federal laws and regulations and must comply with legal obligations, including HIPAA, CUHC policies, and Minimum Necessary requirements.

Primary Guidance To Which This Policy Responds

45 CFR §§ 164.504(e)(3)(iv), 164.514

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

Exclusions and Special Situations

Refer to the Institutional Review Board Policy on the Privacy Rule and the Use of Health Information in Research for additional guidance on the use of a limited data set for research purposes.

HIPAA defines a limited data set as a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met, including a signed Data Use Agreement.

Limited Data Set

Limited Data Set is health information that excludes the following identifiers regarding an individual and the individual's relatives, employers, or household members:

  • Names (including initials);
  • Postal address information, other than town or city, state, and ZIP Code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social Security numbers (including partial SSNs);
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web universal resource locators (URLs);
  • Internet protocol (IP) address numbers;
  • Biometric identifiers, including fingerprints and voiceprints; and/or
  • Full-face photographic images and any comparable images.

A Limited Data Set can include: the town, city, or state of the individual, their gender, and dates relating to the individual.  

 
Permitted Uses and Disclosures

CUHC may use or disclose a Limited Data Set (LDS) only for a permissible Use or Disclosure of PHI, including for purposes of research, public health activities, or CUHC’s health care operations, in accordance with applicable CUHC policies. A Workforce Member’s Use or Disclosure of a LDS shall be deemed to satisfy the Minimum Necessary requirement (see CUHC Minimum Necessary Policy). All requests for Use or Disclosure of a LDS shall be approved by the Chief Privacy Officer, the Institutional Review Board (IRB) or Sponsored Projects Administration (SPA). The Chief Privacy Officer, the IRB or SPA shall ensure that the health information qualifies as a LDS and that the recipient of the LDS has, where required by applicable law, entered into an appropriate Data Use Agreement with CUHC.

 

Request for a Limited Data Set with Protected Health Information (PHI) from the Electronic Health Record
  • The Tripartite Request Assessment Committee (TRAC) provides governance and oversight for Use or Disclosure of data for research, operations, quality improvement or other business purposes from the shared electronic health record.
  • The Unified Intake Form for the data request must be submitted for review and approval via ServiceNow.
  • The Unified Intake Form should include documentation of IRB approval or business justification for use of the Limited Data Set, in addition to the Data Use Agreement.
  • In certain circumstances, the NewYork-Presbyterian Hospital may be required to approve an agreement associated with the Use or Disclosure of a Limited Data Set of PHI. These include:
    • When the research subject or patient has not authorized the disclosure of a LDS that includes hospital patient information.

 

Disclosure of a Limited Data Set to a Third-Party Contractor for Non-Research Purposes
  • A Limited Data Set may be disclosed to a third-party contractor for public health or to perform health care operations for or on behalf of CUHC.
  • CUHC may disclose a Limited Data Set to a third-party contractor only if the contractor has signed an approved Data Use Agreement with CUHC.
  • Only an Authorized Official of Columbia University may sign a Data Use Agreement.  Any question regarding whether a Data Use Agreement is required shall be directed to the Chief Privacy Officer or Sponsored Projects Administration.
  • The Chief Privacy Officer is responsible for reviewing non-research related Data Use Agreements. The Chief Privacy Officer shall ensure that all Data Use Agreements used or received by CUHC comply with HIPAA.
  • If a third-party contractor forwards its own version of a Data Use Agreement to CUHC, the agreement shall be forwarded to the Chief Privacy Officer for review and approval, in consultation with the Office of General Counsel as necessary.
  • A copy of each signed non-research related Data Use Agreement shall be maintained by the Privacy Office, in addition to the copy held by the requestor.
 
Disclosure of a Limited Data Set for Research Purposes
  1. A Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes or another Data Use Agreement must be submitted to the IRB in Rascal for review when:
    • Columbia is collaborating in the research,
    • the LDS originates from the CUHC,
    • a waiver of authorization has not been granted, and
    • the subject did not provide authorization for the proposed use.
  2. Sponsored Projects Administration (SPA) is responsible for review and signature of Data Use Agreements, including those for a Limited Data Set, on behalf of Columbia. To request a DUA, submit the MTA/DUA Intake Questionnaire (qualtrics.com) to SPA.
  3. A copy of the fully executed Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes must be attached to the approved IRB protocol before Use or Disclosure of data for a research purpose. A copy of the signed research Data Use Agreement shall be maintained by Sponsored Projects Administration, in addition to the copy held by the requestor.
  4. Note that when it is proposed that a LDS will be Used within the CUHC, it is the practice of the IRB to grant a waiver of HIPAA authorization if the waiver criteria are met, rather than requiring the use of a HIPAA Data Use Agreement. See the IRB Policy on the Privacy Rule and the Use of Health Information in Research.
 
Creation of a Limited Data Set

CUHC may hire a third party to create a LDS. To do so, CUHC shall enter into a Business Associate Agreement with the third party. See Business Associate Agreement Policy.

 

Unauthorized Use or Disclosure by recipient of Limited Data Set

Any pattern of activity or practice of a recipient of a LDS that appears to be inconsistent with its Data Use Agreement shall be promptly and without delay reported to the Chief Privacy Officer or the Office of the General Counsel. The Chief Privacy Officer shall investigate the alleged activity or practice. If necessary, the Chief Privacy Officer shall require the recipient to correct the activity or practice. If unsuccessful, CUHC shall discontinue disclosure of information to the recipient and the Chief Privacy Officer shall, if required by law, report the wrongful pattern of activity or practice to the Secretary of HHS and/or relevant state or local agencies.

 

CUHC as the recipient of a Limited Data Set

When CUHC is the recipient of a LDS from another Covered Entity, CUHC shall use or disclose information contained within the LDS only as permitted by the applicable Data Use Agreement or as required or permitted by law.

 

Requirements of a Data Use Agreement

The data use agreement, which must be accepted prior to the limited data set being disclosed, should outline the following:

 

  • Allowable uses and disclosures
  • Approved recipients and users of the data
  • An agreement that the data will not be used to contact individuals or re-identify them.
  • A requirement that safeguards be implemented to ensure the confidentiality of data and prevent impermissible uses and disclosures.
  • A statement that the discovery of impermissible uses and disclosures must be reported back to the covered entity.
  • A statement that any subcontractors who are required to access or use the data must also enter into a data use agreement and agree to comply with its requirements.

 

Definitions

 

Business Associate is a person or entity that performs certain functions or activities that involve the creation, receipt, maintenance, or transmission of Protected Health Information for or on behalf of CUHC.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Data Use Agreement is a contract obtained from a Covered Entity that contains satisfactory assurances that meet the requirements of Section 164.514(e)(4) that a recipient of Limited Data Sets will only use or disclose the PHI for limited purposes.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Limited Data Set – see the definition above (Policy Text #1).

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Research is a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge and includes the development of research repositories and databases for research purposes.

Workforce means employees, faculty, volunteers and trainees at, and other persons affiliated with, CUHC whose work is under the direct control of CUHC, regardless of whether they are paid by CUHC.