Limited Data Set Policy
When appropriate and feasible, a Limited Data Set shall be used, disclosed, or requested by the Columbia University Healthcare Component (CUHC) rather than a completely identifiable data set of Protected Health Information (PHI), consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Reason(s) for the Policy
CUHC is committed to protecting patient privacy as mandated by applicable city, state, and federal laws and regulations and must comply with legal obligations, including HIPAA, CUHC policies, and minimum necessary requirements.
Primary Guidance To Which This Policy Responds
45 CFR §§ 164.504(e)(3)(iv), 164.514
Who is Governed by This Policy
All CUHC workforce members.
Who Should Know This Policy
All CUHC workforce members.
Exclusions and Special Situations
Refer to the Institutional Review Board Policy on the Privacy Rule and the Use of Health Information in Research for additional guidance on the use of a limited data set for research purposes.
Limited Data Set
Limited Data Set is health information that excludes the following identifiers regarding an individual and the individual's relatives, employers, or household members:
- Names (including initials);
- Postal address information, other than town or city, state, and ZIP Code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers (including partial SSNs);
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web universal resource locators (URLs);
- Internet protocol (IP) address numbers;
- Biometric identifiers, including fingerprints and voiceprints; and/or
- Full-face photographic images and any comparable images.
Permitted Uses and Disclosures
CUHC may use or disclose a Limited Data Set (LDS) only for a permissible use or disclosure of PHI or for purposes of Research, public health activities or CUHC’s health care operations, in accordance with applicable CUHC policies. A Workforce member’s use, disclosure or request of a LDS shall be deemed to satisfy the minimum necessary requirement (see CUHC Minimum Necessary Policy). All requests for use or disclosure of a LDS shall be approved by the Chief Privacy Officer or the Institutional Review Board (IRB). The Chief Privacy Officer or the IRB shall ensure that the health information qualifies as a LDS. The Chief Privacy Officer or the IRB shall ensure that the recipient of the LDS has, where required by applicable law, entered into an appropriate Data Use Agreement with CUHC.
Disclosure of a Limited Data Set to a Third Party Contractor for Non-Research Purposes
- A Limited Data Set may be disclosed to a third party contractor for public health purposes or to perform health care operations for or on behalf of CUHC.
- CUHC may disclose a Limited Data Set to a third party contractor only if the third party contractor has signed an appropriate Data Use Agreement with CUHC.
- Any question regarding whether a Data Use Agreement is required shall be directed to the Chief Privacy Officer.
- The Chief Privacy Officer is responsible for reviewing all non-research related Data Use Agreements. The Chief Privacy Officer shall ensure that all Data Use Agreements used or received by CUHC comply with HIPAA.
- No changes to a Data Use Agreement are permitted until approved by the Chief Privacy Officer, in consultation with the Office of the General Counsel, as necessary.
- If a third party contractor forwards its own version of a Data Use Agreement to CUHC, the agreement shall be forwarded to the Chief Privacy Officer for approval, in consultation with the Office of the General Counsel, as necessary.
- A copy of each signed non-research related Data Use Agreement shall be maintained by the Privacy Office.
Disclosure of a Limited Data Set for Research Purposes
- A Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes (RASCAL HIPAA Form F) or another Data Use Agreement must be attached to an IRB Protocol and submitted in Rascal for review when:
  - CUHC is collaborating in the research,
  - the LDS originates from the CUHC,
  - a waiver of authorization has not been granted, and
  - the subject did not provide authorization for the proposed use.
- The IRB will review the HIPAA Data Use Agreement along with the IRB Protocol before forwarding it to Sponsored Projects Administration or the Clinical Trials Office, which is responsible for final review and signature on behalf of the University. A copy of the Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes (RASCAL HIPAA Form F) is maintained in RASCAL.
- Note that when it is proposed that a LDS will be Used within the CUHC, it is the practice of the IRB to grant a waiver of authorization if the waiver criteria are met, rather than requiring the use of a HIPAA Data Use Agreement. (See the IRB Policy on the Privacy Rule and the Use of Health Information in Research)
Creation of a Limited Data Set
CUHC may hire a third party to create a LDS. To do so, CUHC shall enter into a Business Associate Agreement with the third party. (See Business Associate Agreement Policy)
Unauthorized Use or Disclosure by Recipient of Limited Data Set
Any pattern of activity or practice of a recipient of a LDS that appears to be inconsistent with its Data Use Agreement shall be promptly and without delay reported to the Chief Privacy Officer or the Office of the General Counsel. The Chief Privacy Officer shall investigate the alleged activity or practice. If necessary, the Chief Privacy Officer shall require the recipient to correct the activity or practice. If unsuccessful, CUHC shall discontinue disclosure of information to the recipient and the Chief Privacy Officer shall, if required by law, report the wrongful pattern of activity or practice to the Secretary of HHS and/or relevant state or local agencies.
CUHC as the Recipient of a Limited Data Set
In the event that CUHC is the recipient of a LDS from another Covered Entity, CUHC will use or disclose information contained within the LDS only as permitted by the applicable Data Use Agreement or as required or permitted by law.
Business Associate is a person or entity that performs certain functions or activities that involve the creation, receipt, maintenance, or transmission of Protected Health Information for or on behalf of CUHC.
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.
Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.
Data Use Agreement is a contract obtained from a Covered Entity that contains satisfactory assurances that meet the requirements of Section 164.514(e)(4) that a recipient of Limited Data Sets will only use or disclose the PHI for limited purposes.
Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.
Limited Data Set – see the definition above (Policy Text #1).
Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
Research is a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge and includes the development of research repositories and databases for research purposes.
Workforce means employees, faculty, volunteers and trainees at, and other persons affiliated with, CUHC whose work is under the direct control of CUHC, regardless of whether they are paid by CUHC.