HIPAA Privacy Program

Do I have to account for disclosures when I'm using a limited data set?

No, disclosures of "limited data sets" are not subject to the HIPAA accounting of disclosures requirements.  The Department of Health and Human Services (DHHS) has taken the position that the privacy of individuals with respect to PHI disclosed in a "Limited Data Set" can be adequately protected through a single DUA.

If the intended recipient of a limited data set is also creating the limited data set as my business associate, do I need both a Data Use Agreement and Business Associate Agreement?

Yes. You will need both a Data Use Agreement (DUA) and a Business Associate Agreement (BAA), because the Covered Entity or Hybrid Covered Entity (here, UA) is providing the recipient with PHI that still includes direct identifiers, and a BAA is required before those direct identifiers can be disclosed to the recipient. Once the Limited Data Set has been created under the BAA, all PHI other than the Limited Data Set itself, which is governed by the DUA, must be returned to UA.

When do I need to obtain a DUA?

A DUA must be entered into before there is any use or disclosure of a Limited Data Set to an outside institution or party. 

How are Limited Data Sets created?

A HIPAA Covered Entity, or a Hybrid Covered Entity like UA, may use a member of its own workforce to create the "Limited Data Set."  Alternatively, the recipient may create the "Limited Data Set," so long as the recipient is acting as a Business Associate or Subcontractor (pursuant to a Business Associate Agreement) of the Covered Entity or Hybrid Covered Entity.  

What is a Limited Data Set?

A Limited Data Set is a data set that is stripped of certain direct identifiers specified in the HIPAA Privacy Rule.  A Limited Data Set may be disclosed to an outside party without a patient’s authorization only if the purpose of the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.

Who is responsible for obtaining a Data Use Agreement (DUA)?

UA must enter into a Data Use Agreement (DUA) whenever it is transmitting or receiving a Limited Data Set, a type of Protected Health Information (PHI), for research, public health activities or health care operations. 

UA Contract Offices and Principal Investigators (PIs)/Business Owners are responsible for:

1. Determining if a Limited Data Set is involved for a specific purpose (research, public health activities, health care operations), and if so;

2. Determining whether:

Who is a Business Associate?

A Business Associate is a person or entity that, while not a member of the workforce, performs or assists in performing a function or activity, or provides support services, on behalf of a HIPAA Covered Entity or a Hybrid Covered Entity such as UA, where that work involves the use or disclosure of individually identifiable health information.

What is a Business Associate Agreement (BAA)?

HIPAA requires that a Covered Entity or Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on its behalf. The purpose of the BAA is to protect the data by ensuring that any party who performs functions or activities on behalf of the covered entity, and will handle PHI in carrying out those duties, adheres to defined standards for safeguarding it.
