Louisiana State University Health Sciences Center Administration & Finance
 
PRIVACY POLICY AND PROCEDURES Policy #: 2100.14
LSU Health Sciences Center New Orleans
Date Effective: April 14, 2003

Patient Information Policy

Limited Data Set

SCOPE:

All Louisiana State University (LSU) System health care facilities and providers including, but not limited to, hospitals, physician practices, clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus.

Nota Bene: All LSU System health care facilities and providers including, but not limited to, hospitals, physician clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus, are referred to in this policy as LSUHSC-NO.

PURPOSE:

To provide guidance to the health care facilities and providers affiliated with the LSUHSC-NO in the following areas:

  • To outline the process for reviewing and responding to requests for limited data sets.
  • To provide guidance on how to create a limited data set.
  • To define the requirements of a Data Use Agreement for use and disclosure of a limited data set.

POLICY:

All LSUHSC-NO health care facilities and providers may use and disclose PHI in a limited data set as described in this policy.

DEFINITIONS:

Protected Health Information (sometimes referred to as “PHI”) – for purposes of this policy means individually identifiable health information that relates to the past, present or future health care services provided to an individual. Examples of Protected Health Information include medical and billing records of the patient.

For the purposes of the definition of "Designated Record Set":

  • The term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for LSUHSC-NO.
  • The term "record" also includes patient information originated by another health care provider and used by LSUHSC-NO to make decisions about a patient.
  • The term "record" includes tracings, photographs, videotapes, digital and other images that may be recorded to document care of the patient.

Designated Record Set is a group of records maintained by or for LSUHSC-NO that is:

  • The medical records and billing records about individuals maintained by or for LSUHSC-NO; or
  • Any records used, in whole or part, by or for LSUHSC-NO to make decisions about individuals.
  • Any records that meet this definition of Designated Record Set and which are held by a HIPAA Business Associate of LSUHSC-NO are part of LSUHSC-NO’s Designated Record Set.

Psychotherapy Notes – means notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s record. Psychotherapy notes do not include:

  • medication prescription and monitoring
  • counseling session start and stop times
  • the modalities and frequencies of treatment furnished
  • results of clinical tests, and
  • any summary of the following items:
    • diagnosis
    • functional status
    • the treatment plan
    • symptoms
    • prognosis, and
    • progress to date

Privacy Officer – Person designated by LSUHSC-NO as the Privacy Officer.

Limited Data Set – A subset of Protected Health Information (PHI) that excludes the direct identifiers listed in the “Creating Limited Data Sets” portion of this policy.

PROCEDURE:

1.0 Creating limited data sets
1.1 The facility may use PHI to create a limited data set, or under a signed business associate contract, may disclose PHI to a business associate so that the business associate can create a limited data set.
1.2 Limited data sets may only be used or disclosed:
1.2.1 For the purpose of research, public health, or health care operations.
1.2.2 To another covered entity for purposes of health care operations.
1.2.3 To any health care provider for purposes of health care operations.
1.2.4 By a business associate for purposes of creating a limited data set for the facility, another entity listed above, or the business associate.
1.3 Limited Data Set: A limited data set is PHI that excludes the following direct identifiers of the patient or of the patient’s relatives, employers or household members:

  • Names
  • Postal address information, other than town or city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers (including prescription numbers and clinical trials numbers)
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
1.4 A health care facility, provider, or clinic may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the entity, provided that:

1.4.1 The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
1.4.2 The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

Note: The Federal Information Processing Standard (FIPS) 198 “Keyed-Hash Message Authentication Code” (HMAC) does not qualify as an appropriate method for de-identifying information under Federal privacy requirements; however, the HMAC methodology may be used to create a limited data set.
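
An added example, not part of the LSUHSC-NO policy: one way to apply sections 1.3 and 1.4 to tabular records, dropping the listed direct identifiers and assigning a random re-identification code. The field names, function names and sample records are assumptions made for illustration.

```python
import secrets

# Hypothetical field names standing in for the identifiers listed in 1.3.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_identifier",
    "device_identifier", "url", "ip_address", "biometric_identifier",
    "full_face_photo",
}


def make_limited_data_set(records):
    """Return (rows, crosswalk): rows lack direct identifiers and carry a
    random record code; crosswalk maps code -> medical record number and
    is the re-identification mechanism that is never disclosed (1.4.2)."""
    rows, crosswalk = [], {}
    for record in records:
        # 1.4.1: drawn from the OS CSPRNG, so the code is not derived from
        # or related to any information about the individual.
        code = secrets.token_hex(16)
        while code in crosswalk:  # never reuse a code
            code = secrets.token_hex(16)
        # A missing record number raises KeyError: fail closed, no release.
        crosswalk[code] = record["medical_record_number"]
        row = {k: v for k, v in record.items()
               if k not in DIRECT_IDENTIFIER_FIELDS}
        row["record_code"] = code
        rows.append(row)
    return rows, crosswalk


def leaked_identifiers(rows):
    """Pre-release check: direct-identifier fields still present in rows."""
    return sorted({k for row in rows for k in row} & DIRECT_IDENTIFIER_FIELDS)


# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "Pat Example", "street_address": "1 Sample St",
     "city": "New Orleans", "state": "LA", "zip": "70112",
     "phone": "555-0100", "ssn": "000-00-0000",
     "medical_record_number": "MRN-0001", "diagnosis": "J45.909"},
    {"name": "Pat Example", "street_address": "1 Sample St",
     "city": "New Orleans", "state": "LA", "zip": "70112",
     "medical_record_number": "MRN-0002", "diagnosis": "E11.9"},
]
```

The crosswalk is stored separately from the released rows. Free-text fields are outside this field-name filter and need their own review.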

1.5 Accounting of Disclosures of PHI in a Limited Data Set. No accounting of disclosures is required with respect to disclosures of PHI within a limited data set.
1.6 Requests for Limited Data Sets
1.6.1 Minimum Necessary Applies. The minimum necessary standard applies to requests for limited data set information. For example, date of birth should only be disclosed where a requestor and the facility agree that it is needed for the purpose of the request. In very limited circumstances, if the requestor provides an adequate description of the purposes of the limited data set and specifies the particular data elements required, the facility can rely on a requested disclosure as the minimum necessary. See Policy on the Minimum Necessary Standard for Use and Disclosure of PHI for additional requirements for relying on information requested as meeting the minimum necessary standard.
1.7 Data Use Agreement Required
1.7.1 Recipients of a limited data set must sign a Data Use Agreement outlining the approved use of the limited data set. The facility must obtain satisfactory assurance, in the form of a Data Use Agreement that meets the requirements of the HIPAA Privacy Rule, that the recipient will only use or disclose the PHI for the limited purpose.
1.8 Data Use Agreement Contents. The Data Use Agreement between the facility and the recipient of the limited data set must:

1.8.1 Establish the permitted uses and disclosures of such information by the limited data set recipient, as stated above;
1.8.2 Not authorize the limited data set recipient to use or further disclose information in a manner that would violate the HIPAA Privacy Rule.
1.8.3 Establish who is permitted to use or receive the limited data set; and
1.8.4 Provide that the limited data set recipient will:
1.8.4.1 Not use or further disclose the information other than as permitted by the Data Use Agreement or as otherwise required by law.
1.8.4.2 Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the Data Use Agreement.
1.8.5 Report to the facility’s Privacy Officer any use or disclosure of the information not allowed by its Data Use Agreement of which it becomes aware;
1.8.6 Ensure that any agents, including a subcontractor to whom it provides the limited data set, agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
1.8.7 Not identify the information or contact any of the patients, or the patient’s family members, employers, or household members, whose PHI is included in the limited data set.
1.9 The Limited Data Set Request and Data Use Agreement Form must be reviewed, approved or denied by the facility’s designated personnel.
2.0 Fee Schedule
2.1 The requestor of a limited data set may be asked to compensate the facility for resource expenditures related to the request.

[Note: The facility must determine if an application fee will be established for processing requests for limited data sets. The fee should provide reasonable cost recovery of the personnel time required for reviewing the request and determining the estimate of costs to produce the requested limited data set. It is recommended that the application fee be collected at the time the Request for Limited Data Set is submitted to avoid after-the-fact billing or collection efforts. Consideration of fee structures must address implications for research studies that are federally funded.]

2.2 The facility may establish a fee schedule to compensate for the use of personnel, time, software, hardware, and supplies for:

2.2.1 Reviewing requests for limited data sets (Application Fee);
2.2.2 Generating the limited data set; and
2.2.3 Other specified activities related to the production and delivery of the limited data set.
2.3 The facility should consider establishing a basis for fees related to the production of a limited data set. The fee should capture costs related to personnel time, computer usage, and supplies. In the event the initial review results in an approval to create the limited data set, a determination of the cost to produce the data set should be made and communicated to the requestor.
3.0 Improper Use or Disclosure of Limited Data Sets
3.1 The facility is not in compliance with this policy and the HIPAA Privacy Rule if it knows of a pattern of activity or practice by the limited data set recipient that constitutes a material breach or violation of the Data Use Agreement, unless the facility takes reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful:
3.1.1 Discontinues disclosure of PHI to the recipient; and
3.1.2 Reports the problem to the Secretary of the Department of Health and Human Services (DHHS).
3.2 The facility is not in compliance with this policy and the HIPAA Privacy Rule if the facility receives a limited data set and violates the Data Use Agreement.
4.0 Responsibilities
4.1 The facility is responsible for ensuring that requests for and disclosure of limited data sets are handled consistently. The facility shall appoint persons to be responsible for:

4.1.1 Obtaining a signed Data Use Agreement from the recipient of the limited data set to protect the information;
4.1.2 Notifying requestors in writing of approved and denied requests for limited data sets;
4.1.3 Routing approved requests to the facility designated personnel or business associate for processing;
4.1.4 Documenting the delivery of the limited data set to the approved recipient;
4.1.5 Approving the request for de-identified information;
4.1.6 Reviewing and denying or approving all requests for limited data sets for research purposes and documenting a waiver of the authorization for the purposes of the research; and
4.1.7 Creating limited data sets from PHI as described in the “Creating Limited Data Sets” section above.

REFERENCES:

45 C.F.R. § 164.514(e)