Robin,
There are two provisions in the Privacy Rule that address
de-identification (described in 45 CFR 164.514 “Other requirements
relating to uses and disclosures of protected health information”):
statistical certification [§164.514(b)(1)]; and removal
of 18 specific data elements [§164.514(b)(2)(i)(A-R)] (‘Safe
Harbor method’). The statistical certification method will require
significant work and documentation to demonstrate the data are in fact de-identified.
The Safe Harbor method is simpler to do, but dates of any kind (I assume ‘birthrates’
was a typo) will make your data identifiable under the Rule.
A Limited Data Set [§164.514(e)(1)]
allows more data to be included (only 16 elements require removal). Dates,
subject identifiers based on PHI (e.g., subject ID containing initials); and
geographic areas smaller than a state are among the permitted elements. However,
using a Limited Data Set will require you to have a Data Use Agreement [§164.514(e)(4)]
in place with the recipient of the data.
This also assumes that there are no state or local regulations
or internal policies that make these methods unusable to you.
Bruce
Bruce Steinert, PhD, CCRA
Administrative Director, Clinical Trials Center
Research Institute
NorthShore University HealthSystem
847-570-1002 (Office)
Legal Disclaimer: Information
contained in this e-mail, including any files transmitted with it, may contain
confidential medical or business information intended only for use by the
intended recipient(s). Any unauthorized disclosure, use, copying,
distribution or taking of any action based on the contents of this email is
strictly prohibited. Review by any individual other than the intended
recipient does not waive or surrender the physician-patient privilege or any
other legal rights. If you received this e-mail in error, please delete it
immediately and notify the sender by return email.
From: Research
Administration List [mailto:xxxxxx@lists.healthresearch.org] On Behalf Of xxxxxx@mcdaniel.edu
Sent: Monday, February 25, 2013 4:38 PM
To: xxxxxx@lists.healthresearch.org
Subject: [RESADM-L] HIPAA Help
I am in need of some guidance. I haven't worked with HIPAA
in over 3 years, and I don't have anyone here to ask.
What is the difference between "de-identified
data" and "limited data sets" in terms of the HIPAA privacy
rule? Specifically, I have an IRB protocol under review where they are
collecting birthrates of nursing home patients. I'm more than willing to share
my concerns and more details off-list to anyone who could help me.
Thank you, Robin
*****************************************
Robin N Dewey, MS, CRA
Director, Office of Academic and Government Grants
McDaniel College
2 College Hill
Westminster, MD 21157-4390
Voice: 410-386-4699
Cell: 585-797-8536
Skype: rndewey
======================================================================
Instructions on how to use the RESADM-L Mailing List, including subscription
information and a web-searchable archive, are available via our web site at http://www.healthresearch.org
(click on the "LISTSERV" link in the upper right corner)
A link directly to helpful tips: http://tinyurl.com/resadm-l-help
======================================================================
======================================================================
Instructions on how to use the RESADM-L Mailing List, including subscription
information and a web-searchable archive, are available via our web site at http://www.healthresearch.org
(click on the "LISTSERV" link in the upper right corner)
A link directly to helpful tips: http://tinyurl.com/resadm-l-help
======================================================================