Health Information Compliance Alert

One of the Department of Health and Human Services amendments to the privacy rule has slapped a broad grin on the faces of covered entities throughout the nation.

One of the most significant changes to the HHS newly revamped privacy rule is the so-called "limited data set" of protected health information. The LDS may be disclosed for research, public health, or health care operations under a "data use agreement."

An LDS is protected health information that has been stripped of 16 identifiers of individuals and their relatives, household members, and employers. They include: names; postal address information, other than town or city, state, and zip code; telephone numbers; fax numbers; electronic mail addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images.

Unlike de-identified data, the LDS may include birth dates and certain geographic data at the zip code, municipality and state level. Covered entities need to obtain a data use agreement from the intended recipient of the LDS before disclosing that information to the recipient. According to an alert published by Milwaukee-based law firm Michael Best & Friedrich, the data use agreement is similar to a business associate contract and obligates the recipient to:

use and disclose the information in the LDS only for the permitted purposes of research, public health or health care operations;

report any breaches of those use and disclosure limits;

ensure that any agent or subcontractor permitted to access the LDS agrees to similar use and disclosure restrictions; and

prohibit the re-identification of the data or contact any individuals by using information from the LDS.

The new LDS provision will be of great benefit to research hospitals, says attorney Robert Markette with Indianapolis-based Gilliland & Caudill. He says that prior to the inclusion of the LDS, research hospitals had to keep track of PHI used for research and, if requested, provide an accounting to the individual.

Hospitals can now use PHI for research without having to provide an accounting. Instead, he says, they can provide a much more generic, and separate, document that notifies a patient that his information may have been used for a particular research project.

Markette tells Eli hes aware of many healthcare information systems personnel in local hospitals who are thrilled with the new LDS provision. In crafting the LDS system, he asserts, "HHS has found a way to strike a balance between patient privacy and medical research."

In February a group of over 80 covered entities signed a letter asking HHS to consider allowing certain information to be used specifically for research purposes. The letter drafted by the Confidentiality Coalition, which is chaired by the Healthcare Leadership Councilexpressed deep concern about the privacy rules standard for de-identifying medical information, and urged the HHS "to modify this standard by limiting it to direct identifiers."

The letter addressed such issues as epide-miological studies, specifically addressing cases for which admission dates, discharge dates, and dates of death represent "a common requirement to track and understand disease." The Coalition also noted that zip codes and serial numbers, for example, do not directly identify individuals. Apparently, HHS agreed.

"This change really does reflect what we asked for in the letter," says Melissa Bartlett, director of private market regulation for the American Association of Health Plans. "I think it does exactly what we identified as a major problem: It safeguards ongoing research."

Bartlett tells Eli that HHS rule actually goes a step further, since the department recognized that "certain information that would be considered identified information under the privacy rule the 18 de-identifying characteristics when put in aggregate form, or even when used alone there are certain necessary uses of that information where the rule could interfere with that, so they extended that to public health activities and to health care operations activities."