Industries & Practices

Health Care Industry

    Back

    HIPAA Privacy Regulations: Other Requirements Relating to Uses and Disclosures of PHI: Limited Data Set - § 164.514(e)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations as Amended January 2013
    Other Requirements Relating to Uses and Disclosures of PHI: Limited Data Set - § 164.514(e)

     

    (e)(1) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section.

    (2) Implementation specification: Limited data set: A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

    (i) Names;

    (ii) Postal address information, other than town or city, State, and zip code;

    (iii) Telephone numbers;

    (iv) Fax numbers;

    (v) Electronic mail addresses;

    (vi) Social security numbers;

    (vii) Medical record numbers;

    (viii) Health plan beneficiary numbers;

    (ix) Account numbers;

    (x) Certificate/license numbers;

    (xi) Vehicle identifiers and serial numbers, including license plate numbers;

    (xii) Device identifiers and serial numbers;

    (xiii) Web Universal Resource Locators (URLs);

    (xiv) Internet Protocol (IP) address numbers;

    (xv) Biometric identifiers, including finger and voice prints; and

    (xvi) Full face photographic images and any comparable images.

    (3) Implementation specification: Permitted purposes for uses and disclosures. (i) A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations.

    (ii) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity.

    (4) Implementation specifications: Data use agreement—(i) Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.

    (ii) Contents. A data use agreement between the covered entity and the limited data set recipient must:

    (A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;

    (B) Establish who is permitted to use or receive the limited data set; and

    (C) Provide that the limited data set recipient will:

    (1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;

    (2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;

    (3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;

    (4) Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and

    (5) Not identify the information or contact the individuals.

    (iii) Compliance. (A) A covered entity is not in compliance with the standards in paragraph (e) of this section if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:

    (1) Discontinued disclosure of protected health information to the recipient; and

    (2) Reported the problem to the Secretary.

    (B) A covered entity that is a limited data set recipient and violates a data use agreement will be in noncompliance with the standards, implementation specifications, and requirements of paragraph (e) of this section.

     

    HHS Description and Commentary From the January 2013 Amendments
    Other Requirements Relating to Uses and Disclosures of PHI: Limited Data Set

    We propose to remove the reference to subcontractors in § 164.514(e)(4)(ii)(C)(4) (regarding data use agreements for limited data sets) to avoid confusion since the term “subcontractor” is now a defined term under the HIPAA Rules with a particular meaning that is related to business associates.

     

    HHS Description of August 2002 Revisions
    Other Requirements Relating to Uses and Disclosures of PHI: Limited Data Set

     

    March 2002 NPRM. As noted above, the Department heard many concerns that the de-identification standard in the Privacy Rule could curtail important research, public health, and health care operations activities. Specific concerns were raised by State hospital associations regarding their current role in using patient information from area hospitals to conduct and disseminate analyses that are useful for hospitals in making decisions about quality and efficiency improvements. Similarly, researchers raised concerns that the impracticality of using de-identified data would significantly increase the workload of IRBs because waivers of individual authorization would need to be sought more frequently for research studies even though no direct identifiers were needed for the studies. Many of these activities and studies were also being pursued for public health purposes. Some commenters urged the Department to permit covered entities to disclose protected health information for research if the protected health information is facially de-identified, that is, stripped of direct identifiers, so long as the research entity provides assurances that it will not use or disclose the information for purposes other than research and will not identify or contact the individuals who are the subjects of the information.

    In response to these concerns, the Department, in the NPRM, requested comments on an alternative approach that would permit uses and disclosures of a limited data set which would not include direct identifiers but in which certain potentially identifying information would remain. The Department proposed limiting the use or disclosure of any such limited data set to research, public health, and health care operations purposes only.

    From the de-identification safe harbor list of identifiers, we proposed the following as direct identifiers that would have to be removed from any limited data set: name, street address, telephone and fax numbers, e-mail address, social security number, certificate/license number, vehicle identifiers and serial numbers, URLs and IP addresses, and full face photos and any other comparable images. The proposed limited data set could include the following identifiable information: admission, discharge, and service dates; date of death; age (including age 90 or over); and five-digit zip code.

    The Department solicited comment on whether one or more other geographic units smaller than State, such as city, county, precinct, neighborhood or other unit, would be needed in addition to, or be preferable to, the five-digit zip code. In addition, to address concerns raised by commenters regarding access to birth date for research or other studies relating to young children or infants, the Department clarified that the Privacy Rule de-identification safe harbor allows disclosure of the age of an individual, including age expressed in months, days, or hours. Given that the limited data set could include all ages, including age in months, days, or hours (if preferable), the Department requested comment on whether date of birth would be needed and, if so, whether the entire date would be needed, or just the month and year.

    In addition, to further protect privacy, the Department proposed to condition the disclosure of the limited data set on covered entities obtaining from the recipients a data use or similar agreement, in which the recipient would agree to limit the use of the limited data set to the purposes specified in the Privacy Rule, to limit who can use or receive the data, and agree not to re-identify the data or contact the individuals.

    Final Modifications. In view of the support in the public comments for the concept of a limited data set, the Department determines that adoption of standards for the use and disclosure of protected health information for this purpose is warranted. Therefore, the Department adds at § 164.514(e) a new standard and implementation specifications for a limited data set for research, public health, or health care operations purposes if the covered entity (1) uses or discloses only a “limited data set” as defined at § 164.514(e)(2), and (2) obtains from the recipient of the limited data set a “data use agreement” as defined at § 164.514(e)(4). In addition, the Department adds to the permissible uses and disclosures in § 164.502(a) express reference to the limited data set standards.

    The implementation specifications do not delineate the data that can be released through a limited data set. Rather, the Rule specifies the direct identifiers that must be removed for a data set to qualify as a limited data set. As with the de-identification safe harbor provisions, the direct identifiers listed apply to protected health information about the individual or about relatives, employers, or household members of the individual. The direct identifiers include all of the facial identifiers proposed in the preamble to the NPRM: (1) name; (2) street address (renamed postal address information, other than city, State and zip code); (3) telephone and fax numbers; (4) e-mail address; (5) social security number; (6) certificate/license numbers; (7) vehicle identifiers and serial numbers; (8) URLs and IP addresses; and (9) full face photos and any other comparable images. The public comment generally supported the removal of this facially identifying information.

    In addition to these direct identifiers, the Department designates the following information as direct identifiers that must be removed before protected health information will be considered a limited data set: (1) medical record numbers, health plan beneficiary numbers, and other account numbers; (2) device identifiers and serial numbers; and (3) biometric identifiers, including finger and voice prints. Only a few commenters specifically stated a need for some or all of these identifiers as part of the limited data set. For example, one commenter wanted an (encrypted) medical record number to be included in the limited data set to support disease management planning and program development to meet community needs and quality management. Another commenter wanted the health plan beneficiary number included in the limited data set to permit researchers to ensure that results indicating sex, gender or ethnic differences were not influenced by the participant’s health plan. And a few commenters wanted device identifiers and serial numbers included in the limited data set, to facilitate product recalls and patient safety initiatives. However, the Department has not been persuaded that the need for these identifiers outweighs the potential privacy risks to the individual by their release as part of a limited data set, particularly when the Rule makes other avenues available for the release of information that may directly identify an individual.

    The Department does not include in the list of direct identifiers the “catch-all” category from the de-identification safe harbor of “any other unique identifying number, characteristic or code.” While this requirement is essential to assure that the de-identification safe harbor does in fact produce a de-identified data set, it is difficult to define in advance in the context of a limited data set. Since our goal in establishing a limited data set is not to create de-identified information and since the data use agreement constrains further disclosure of the information, we determined that it would only add complexity to implementation of the limited data set with little added protection.

    In response to wide public support, the Department does not designate as a direct identifier any dates related to the individual or any geographic subdivision other than street address. Therefore, as part of a limited data set, researchers and others involved in public health studies will have access to dates of admission and discharge, as well as dates of birth and death for the individual. We agree with commenters who asserted that birth date is critical for certain research, such as longitudinal studies where there is a need to track individuals across time and for certain infant-related research. Rather than adding complexity to the Rule by trying to carve out an exception for these specific situations, and other justifiable uses, we rely on the minimum necessary requirement to keep the Rule simple while avoiding abuse. Birth date should only be disclosed where the researcher and covered entity agree that it is needed for the purpose of the research. Further, even though birth date may be included with a limited data set, the Department clarifies, as it did in the preamble to the proposed rulemaking, that the Privacy Rule allows the age of an individual to be expressed in years or in months, days, or hours as appropriate.

    Moreover, the limited data set may include the five-digit zip code or any other geographic subdivision, such as State, county, city, precinct and their equivalent geocodes, except for street address. We substitute for street address the term postal address information, other than city, State and zip code in order to make clear that individual elements of postal address such as street name by itself are also direct identifiers. Commenters identified a variety of needs for various geographical codes (county, city, neighborhood, census tract, precinct) to support a range of essential research, public health and health care operations activities. Some of the examples provided included the need to analyze local geographic variations in disease burdens or in the provision of health services, conducting research looking at pathogens or patterns of health risks which may need to compare areas within a single zip code, or studies to examine data by county or neighborhood when looking for external causes of disease, as would be the case for illnesses and diseases such as bladder cancer that may have environmental links. The Department agrees with these commenters that a variety of geographical designations other than five-digit zip code are needed to permit useful and significant studies and other research to go forward unimpeded. So long as an appropriate data use agreement is in place, the Department does not believe that there is any greater privacy risk in including in the limited data set such geographic codes than in releasing the five-digit zip code.

    Finally, the implementation specifications adopted at § 164.514(e) require a data use agreement between the covered entity and the recipient of the limited data set. The need for a data use agreement and the core elements of such an agreement were widely supported in the public comment.

    In the NPRM, we asked whether additional conditions should be added to the data use agreement. In response, a few commenters made specific suggestions. These included prohibiting further disclosure of the limited data set except as required by law, prohibiting further disclosure without the written consent of the covered entity, requiring that the recipient safeguard the information received in the limited data set, prohibiting further disclosure unless the data has been de-identified utilizing the statistical or safe harbor methods of the Privacy Rule, and limiting use of the data to the purpose for which it was received.

    In response to these comments, in the final Rule we specify that the covered entity must enter into a data use agreement with the intended recipient which establishes the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations, limits who can use or receive the data, and requires the recipient to agree not to re-identify the data or contact the individuals. In addition, the data use agreement must contain adequate assurances that the recipient use appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the Rule and the data use agreement, or as required by law. These adequate assurances are similar to the existing requirements for business associate agreements.

    Since the data use agreement already requires the recipient to limit who can use or receive the data, and to prevent uses and disclosures beyond those stated in the agreement, and since we could not anticipate all the possible scenarios under which a limited data set with a data use agreement would be created, the Department concluded that adding any of the other suggested restrictions would bring only marginal additional protection while potentially impeding some of the purposes intended for the limited data set. The Department believes the provisions of the data use agreement provide a firm foundation for protection of the information in the limited data set, but encourages and expects covered entities and data recipients to further strengthen their agreements to conform to current practices.

    We do not specify the form of the data use agreement. Thus, private parties might choose to enter into a formal contract, while two government agencies might use a memorandum of understanding to specify the terms of the agreement. In the case of a covered entity that wants to create and use a limited data set for its own research purposes, the requirements of the data use agreement could be met by having affected workforce members sign an agreement with the covered entity, comparable to confidentiality agreements that employees handling sensitive information frequently sign. A few commenters questioned the enforceability of the data use agreements. The Department clarifies that, if the recipient breaches a data use agreement, HHS cannot take enforcement action directly against that recipient unless the recipient is a covered entity. Where the recipient is a covered entity, the final modifications provide that such covered entity is in noncompliance with the Rule if it violates a data use agreement. See § 164.514(e)(4)(iii)(B). Additionally, the Department clarifies that the disclosing covered entity is not liable for breaches of the data use agreement by the recipient of the limited data set. However, similar to business associate agreements, if a covered entity knows of a pattern of activity or practice of the data recipient that constitutes a material breach or violation of the data recipient’s obligation under the data use agreement, then it must take reasonable steps to cure the breach or end the violation, as applicable, and, if unsuccessful, discontinue disclosure of protected health information to the recipient and report the problem to the Secretary. And the recipient is required to report to the covered entity any improper uses or disclosures of limited data set information of which it becomes aware. We also clarify that the data use agreement requirements apply to disclosures of the limited data set to agents and subcontractors of the original limited data set recipient.

    In sum, we have created the limited data set option because we believe that this mechanism provides a way to allow important research, public health and health care operations activities to continue in a manner consistent with the privacy protections of the Rule. We agree with those commenters who stated that the limited data set is not de-identified information, as retention of geographical and date identifiers measurably increases the risk of identification of the individual through matching of data with other public (or private) data sets. However, we believe that the limitations on the specific uses of the limited data set, coupled with the requirements of the data use agreement, will provide sufficient protections for privacy and confidentiality of the data. The December 2000 Privacy Rule preamble on the statistical method for de-identification discussed the data use agreement as one of the techniques identified that can be used to reduce the risk of disclosure. A number of Federal agencies that distribute data sets for research or other uses routinely employ data use agreements successfully to protect and otherwise restrict further use of the information.

    We note that, while disclosures of protected health information for certain public health purposes is already allowed under § 164.512(b), the limited data set provision may permit disclosures for some public health activities not allowed under that section. These might include disease registries maintained by private organizations or universities or other types of studies undertaken by the private sector or non-profit organizations for public health purposes.

    In response to comments, the Department clarifies that, when a covered entity discloses protected health information in a limited data set to a researcher who has entered into an appropriate data use agreement, the covered entity does not also need to have documentation from an IRB or a Privacy Board that individual authorization has been waived for the purposes of the research. However, the covered entity may not disclose any of the direct identifiers listed in § 164.514(e) without either the individual’s authorization or documentation of an IRB or Privacy Board waiver of that authorization.

    The Department further clarifies that there are other requirements in the Privacy Rule that apply to disclosure of a limited data set, just as they do to other disclosures. For example, any use, disclosure, or request for a limited data set must also adhere to the minimum necessary requirements of the Rule. The covered entity could accomplish this by, for example, requiring the data requestor, in the data use agreement, to specify not only the purposes of the limited data set, but also the particular data elements, or categories of data elements, requested. The covered entity may reasonably rely on a requested disclosure as the minimum necessary, consistent with the provisions of § 164.514(d)(3)(iii). As an example of the use of the minimum necessary standard, a covered entity who believes that another covered entity’s request to include date of birth in the limited data set is not warranted is free to negotiate with the recipient about that requirement. If the entity requesting a limited data set including date of birth is not one on whose request a covered entity may reasonably rely under § 164.514(d)(3)(iii), and the covered entity believes inclusion of date of birth is not warranted, the covered entity must either negotiate a reasonably necessary limited data set or not make a disclosure.

    The Department amends § 164.514(e)(3)(ii) to make clear that a covered entity may engage a business associate to create a limited data set, in the same way it can use a business associate to create de-identified data. As with de-identified data, a business associate relationship arises even if the limited data set is not being created for the covered entity’s own use. For instance, if a researcher needs county data, but the covered entity’s data contains only the postal address of the individual, a business associate may be used to convert the covered entity’s geographical information into that needed by the researcher. The covered entity may hire the intended recipient of the limited data set as a business associate for this purpose. That is, the covered entity may provide protected health information, including direct identifiers, to a business associate who is also the intended data recipient, to create a limited data set of the information responsive to the business associate’s request.

    Finally, the Department amends § 164.528 to make clear that the covered entity does not need to include disclosures of protected health information in limited data sets in any accounting of disclosures provided to the individual. Although the Department does not consider the limited data set to constitute de-identified information, all direct identifiers are removed from the limited data set and the recipient of the data agrees not to identify or contact the individual. The burden of accounting for these disclosures in these circumstances is not warranted, given that the data may not be used in any way to gain knowledge about a specific individual or to take action in relation to that individual.

     

    HHS Response to Comments Received - Published With the August 2002 Revisions
    Other Requirements Relating to Uses and Disclosures of PHI: Limited Data Set

     

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    Almost all those who commented on this issue supported the basic premise of the limited data set for research, public health, and health care operations. Many of these commenters used the opportunity to reiterate their opposition to the safe harbor and statistical de-identification methods, and some misinterpreted the limited data set proposal as creating another safe-harbor form of de-identified data. In general, commenters agreed with the list of direct identifiers proposed in the preamble of the NPRM; some recommended changes. The requirement of a data use agreement was similarly widely supported, although a few commenters viewed it as unnecessary and others offered additional terms which they argued would make the data use agreement more effective. Others questioned the enforceability of the data use agreements.

    A few commenters argued that the limited data set would present a significant risk of identification of individuals because of the increased ability to use the other demographic variables (e.g., race, gender) in such data sets to link to other publicly available data. Some of these commenters also argued that the development of computer-based solutions to support the statistical method of de-identification is advancing rapidly and can support, in some cases better than the limited data set, many of the needs for research, public health and health care operations. These commenters asserted that authorization of the limited data set approach would undermine incentives to further develop statistical techniques for de-identification that may be more protective of privacy.

    Most commenters who supported the limited data set concept favored including the five-digit zip code, but also wanted other geographic units smaller than a State to be included in the limited data set. Examples of other geographic units that commenters argued are needed for research, public health or health care operational purposes were county, city, full zip code, census tract, and neighborhood. Various analytical needs were cited to support these positions, such as tracking the occurrence of a particular disease to the neighborhood level or using county level data for a needs assessment of physician specialties. A few commenters opposed inclusion of the 5-digit zip code in the limited data set, recommending that the current Rule, which requires data aggregation at the 3-digit zip code level, remain the standard.

    Similarly, the majority of commenters addressing the issue supported inclusion of the full birth date in the limited data set. These commenters asserted that the full birth date was needed for longitudinal studies, and similar research, to assure accuracy of data. Others stated that while they preferred access to the full birth date, their data needs would be satisfied by inclusion of at least the month and year of birth in the limited data set. A number of commenters also opposed inclusion of the date of birth in the limited data as unduly increasing the risk of identification of individuals.

    Response to Other Public Comments.

    Comment: A small number of commenters argued that the development of computer-based solutions to support the statistical method of de-identification is advancing rapidly and can support, in some cases better than the limited data set, many of the needs for research, public health and health care operations. They also asserted that authorization of the limited data set approach will undermine incentives to further develop statistical techniques that will be more protective of privacy than the limited data set. They proposed imposing a sunset clause on the limited data set provision in order to promote use of de-identification tools.

    Response: We agree that progress is being made in the development of electronic tools to de-identify protected health information. However, the information presented by commenters did not convince us that current techniques meet all the needs identified or are easy enough to use that they can have the broad application needed to support key research, public health and health care operations needs. Where de-identification can provide better outcomes than a limited data set, purveyors of such de-identification tools will have to demonstrate to covered entities the applicability and ease of use of their products. We do not believe a sunset provision on the limited data set authority is appropriate. Rather, as part of its ongoing review of the Privacy Rule in general, and the de-identification provisions in particular, the Office for Civil Rights will periodically assess the need for these provisions.

    Comment: Some commenters said that if HHS clearly defines direct identifiers and facially identifiable information, there is no need for a data use agreement.

    Response: We disagree. As previously noted, the resulting limited data set is not de-identified; it still contains individually identifiable health information. As a means to assure continued protection of the information once it leaves the control of the covered entity, we believe a data use agreement is essential.

    Comment: Several commenters wanted to be able to have a single coordinated data use agreement between a State hospital association and its member hospitals where data collection is coordinated through the hospital association. In addition, there was concern that requiring a data use agreement and a business associate agreement in this circumstance would create an excessive and unnecessary burden.

    Response: Nothing in the requirement for a data use agreement prevents a State hospital association and its member hospitals from being parties to a common data use agreement. Furthermore, that data use agreement can be combined with a business associate agreement into a single agreement that meets the requirements of both Privacy Rule provisions.

    Comment: A few commenters argued that a data use agreement should not be required for data users getting a limited data set and performing data analysis as part of the Medicaid rebate validation process under which third-party data vendors, working for pharmaceutical companies, collect prescription claims data from State agencies and analyze the results for errors and discrepancies. They argued that State agencies often find entering into such contracts difficult and time consuming. Consequently, if States have to establish data use or similar agreements, then the Medicaid rebate validation process could be adversely impacted.

    Response: We are not persuaded that there is a compelling reason to exempt this category of limited data set use from the requirements for a data use agreement, as compared to other important uses. The data use agreement is key to ensuring the integrity of the limited data set process and avoiding inappropriate further uses and disclosures.

    Comment: One commenter stated that allowing disclosure of the limited data set without IRB or Privacy Board review would create a loophole in the Privacy Rule, with Federally funded research continuing to undergo IRB review while private research would not.

    Response: The Rule continues to make no distinction between disclosure of protected health information to Federally and privately funded researchers. To obtain a limited data set from a covered entity, both Federally-funded and privately-funded researchers must enter into a data use agreement with the covered entity. One of the reasons for establishing the limited data set provisions is that the concept of “personally identifiable information” that triggers IRB review of research that is subject to the Common Rule does not coincide with the definition of “individually identifiable health information” in the Privacy Rule. The Department believes that the limited data set comes closer to the type of information not requiring IRB approval under the Common Rule than does the de-identified data set of the Privacy Rule. However, there is no uniform definition of “personally identifiable information” under the Common Rule; rather, as a matter of practice, it is currently set by each individual IRB.

    Comment: A few commenters suggested expanding the allowable purposes for the limited data set. One commenter proposed including payment as an allowable purpose, in order to facilitate comparison of premiums charged to insured versus uninsured patients. A few commenters wanted to allow disclosures to journalists if the individual’s name and social security number have been removed and if, in the context of the record or file, the identity of the patient has not been revealed. A few commenters suggested that there was no need to restrict the purpose at all as long as there is a data use agreement. A couple of commenters wanted to extend the purpose to include creation or maintenance of research databases and repositories.

    Response: If the comparison of premiums charged to different classes of patients is being performed as a health care operation of another entity, then a limited data set could be used for this purpose. It seems unlikely that this activity would occur in relation to a payment activity, so a change to include payment as a permissible purpose is not warranted. A “payment” activity must relate to payment for an individual and, thus, will need direct identifiers, and uses and disclosures of protected health information for such purposes is permitted under § 164.506.

    With respect to disclosures to journalists, while recognizing the important role performed by newspapers and other media in reporting on public health issues and the health care system, we disagree that the purposes of the limited data set should be expanded to include journalists. A key element of the limited data set is that the recipient enter into a data use agreement that would limit access to the limited data set, prohibit any attempt to identify or contact any individual, and limit further use or disclosure of the limited data set. These limitations are inherently at odds with journalists’ asserted need for access to patient information.

    The suggestion to allow disclosure of a limited data set for any purpose if there is a data use agreement would undermine the purpose of the Privacy Rule to protect individually identifiable health information from unauthorized disclosures and would conflict with the requirement in the data use agreement to restrict further use to research, public health, health care operations purposes. The Department clarifies that research encompasses the establishment of research databases and repositories. Therefore, no change to the proposal is necessary.

    Comment: One commenter said that HHS should not create a list of excluded direct identifiers; rather it should enunciate principles and leave it to researchers to apply the principles.

    Response: The statistical method of de-identification is based on scientific principles and methods and leaves the application to the researcher and the covered entity. Unfortunately, many have viewed this approach as too complex or imprecise for broad use. To allow broad discretion in selection of variables in the creation of a limited data set would trigger the same concerns as the statistical method, because some measure of reasonableness would have to be established. Commenters have consistently asked for precision so that they would not have to worry as to whether they were in compliance with the requirements of the Privacy Rule. The commenter’s proposal runs counter to this desire for precision.

    Comment: One commenter wanted prescription numbers allowed in a limited data set because they do not include any “facially identifiable information.”

    Response: Prescription numbers are medical record numbers in that they are used to track an individual’s encounter with a health care provider and are uniquely associated with that individual. The fact that an individual receives a new prescription number for each prescription, even if it is randomly generated, is analogous to an individual receiving a separate medical record number for different hospital visits. Thus, a prescription number is an excluded direct identifier under the medical record number exclusion for the limited data set (and also must be excluded in the creation of de-identified data).

    Comment: One commenter wanted clarification that a sponsor of a multi-employer group health plan could utilize the limited data set approach for the purpose of resolving claim appeals. That commenter also suggested that if the only information that a plan sponsor received was the limited data set, the group health plan should be able to give that information to the plan sponsor without amending plan documents. In lieu of the limited data set, this commenter wanted clarification that redacted information, as delineated in their comment, is a reasonable way to meet the minimum necessary standard if the plan sponsor has certified that the plan documents have been amended pursuant to the requirements of the Privacy Rule.

    Response: Uses and disclosures of a limited data set is authorized only for public health, research, and health care operations purposes. A claims appeal is more likely to be a payment function, rather than a health care operation. It is also likely to require use of protected health information that includes direct identifiers. The Department disagrees with the commenter’s suggestions that the Rule should allow group health plans to disclose a limited data set to a plan sponsor without amending the plan documents to describe such disclosures. Limited data sets are not de-identified information, and thus warrant this degree of protection. Therefore, only summary health information and the enrollment status of the individual can be disclosed by the group health plan to the plan sponsor without amending the plan documents. The Privacy Rule does not specify what particular data elements constitute the minimum necessary for any particular purpose.