HIPAA-G04
Limited Data Set and Data Use Agreement
Guidance
Guidance Contents
Scope
Reason for the Guidance
Guidance Statement
Additional Details
Additional Contacts
Web Address
Forms
Related Information
History
Effective: July 1, 2014
Last Updated: January 12, 2016
Responsible University Office:
HIPAA Privacy and Security Office
Responsible University Administrator
Vice President for University Clinical Affairs
Contact:
University HIPAA Privacy Officer
University HIPAA Security Officer
Scope
This guidance applies to all personnel, regardless of affiliation, who create, access or store
Protected Health Information (“PHI”) under the auspices of Indiana University, designated for
purposes of complying with the final provisions of the security and privacy rules regulated by the
Health Insurance Portability and Accountability Act (HIPAA) and the Health Information
Technology for Economic and Clinical Health (HITECH) Act. Please refer to the HIPAA Affected
Areas document for a full list of units impacted within Indiana University.
This guidance supplements the Human Subjects Office Standard Operating Procedures and
HIPAA-P06, Use and Disclosure of De-identified Data and Limited Data Sets.
Reason for Guidance
Indiana University is committed to protecting the privacy of health information as required under
the HIPAA Privacy and Security Rules. HIPAA states PHI can only be used for research
purposes pursuant to a HIPAA Authorization, a Privacy Board approved Waiver of Authorization
or if an exception applies. One exception is the use of data in the form of a Limited Data Set
(LDS) pursuant to a Data Use Agreement (DUA). A DUA or document with similar language is
required even if the subjects of the data are patients of the covered entity or providers in the
covered entity who are the data recipient(s).
A covered entity can use and disclose information in the form of a limited data set without the
individual's authorization for purposes of research, public health or healthcare operations,
provided the data are released in conjunction with a Data Use Agreement. The Data Use
Agreement ensures the proper protections are applied to the data as required under HIPAA.
Definitions
See Glossary of HIPAA Related Terms for a complete list of terms.
Guidance Statement
If an entity will be using, sending or receiving data in the form of a limited data set, a Data Use
Agreement must be signed by each party (the owner of the data and the recipient) prior to
sharing the data.
I. Limited Data Set
A. A limited data set is information from which “facial” identifiers have been removed. Specifically,
as it relates to the individual or his or her relatives, employers or household members, all of
the following identifiers must be removed in order for health information to be a “limited
data set”:
1. Names.
2. Street addresses or RR numbers (other than town, city, state and zip code)
3. Telephone numbers
4. Fax numbers
5. E-mail addresses
6. Social Security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle identifiers and serial numbers, including license plate number
12. Device identifiers and serial numbers
13. Web Universal Resource Locators (URLs)
14. Internet Protocol (IP) address numbers
15. Biometric identifiers (including finger and voice prints).
16. Full-face photographic images.
B. Health information that may remain in the information disclosed includes:
1. Dates such as date of birth, date of death, and admission, discharge, service dates;
2. City, state, five digit zip code;
3. Gender, ethnicity;
4. Ages in years, months, days or hours; and
5. Unique identifying numbers, characteristics or codes, provided the unique identifiers
cannot reasonably be used to identify an individual.
II. Completing a Data Use Agreement (DUA)
When an individual, School/Department/Unit/Area within Indiana University will be using,
sending or receiving data in the form of a limited data set as defined above, the parties
involved must enter into a Data Use Agreement (DUA).
It is the responsibility of the individual or School/Department/Unit/Area using, sending or
receiving data in the form of a limited data set to ensure the DUA is reviewed and accepted
by all parties involved.
Research Purposes
Questions regarding a DUA for research purposes should be addressed to the staff in the
Human Subjects Office. As deemed necessary they may refer you to the University HIPAA
Privacy Officer.
The DUA should be reviewed by the Human Subjects Office, the University HIPAA Privacy
Officer, the individual or School/Department/Unit/Area using, sending or sharing the data as
well as any external parties who may use, send or receive the data.
Public Health or Health Care Operations
Questions regarding a DUA for purposes other than research should be addressed to the
University HIPAA Privacy Officer.
The DUA should be reviewed by the University HIPAA Privacy Officer, the individual or
School/Department/Unit/Area using, sending or sharing the data as well as any external
parties who may use, send or receive the data.
Template DUAs can be found on the Human Subjects website:
http://researchcompliance.iu.edu/hso/hs_forms.html
A. Data sent outside of Indiana University: IU is the covered entity sharing PHI in the form of a
limited data set with an organization outside Indiana University.
Data Use Agreement Template IU CE Dec 2013
Complete the sections highlighted in yellow:
1. Date and Parties involved in the agreement (page 1 top section)
Enter: the day of the month, month and year into the agreement
Enter: The Trustees of Indiana University on behalf of the unit or department and
the PI’s name or other Recipient (could include a specific individual such as the PI
or a project lead)
2. Definition/description of the limited data set (page 1 Section I)
Enter: a meaningful description of the data to be shared. (e.g. city, state, dates of
service, diagnosis, age, sex, ethnicity, etc.) This information is used to ensure the
data are in the form of a limited data set.
3. Study/Project Title and IRB Protocol number, if applicable (page 2 Section II-3.)
Enter: IU’s study information or Project information
Enter Recipient’s study/project information (e.g. IRB study number). This
information will be used to ensure the proper permissions have been obtained,
as required.
4. Persons or class of persons permitted to use or receive the data
(page 2 Section III-1.)
List the data recipients, individual names or class of individuals (e.g. study team
members for study listed above)
5. Secure methods for sharing data (page 2 Section III-2.)
Provide the specific method by which data will be shared with the other institution (e.g.
slashtmp, encrypted email, encrypted file transfer).
Note: electronic sharing of data must be encrypted.
6. Contact from each entity (page 2 Section IV-1.)
In case there is a breach or other notification is required, contact information must be listed:
Contact at IU including contact information such as email address
Contact at data recipient including contact information
7. Termination Date (page 3 Section VI-3.)
Specific Date or event agreement will terminate
This agreement must have some timeframe for termination, but can be renewed if
necessary (unlike an authorization, it cannot be indefinite).
8. Signatures will be required from the University HIPAA Privacy Officer and the Recipient
or the authorized representative of the Recipient.
B. IU data used within Indiana University: a group uses data in the form of a limited data set,
where the data are from its own patients, IU, IUHP or the Practice Plan.
Data Use Agreement Template IU Internal Dec 2013
Complete the sections highlighted in yellow:
1. Enter the PI’s Name or other Recipient (if not for research), printed or typed, (page 1,
top)
2. Check how the limited data set will be used (research, public health or health care
operations)
3. Enter a meaningful description of the data to be shared. This information is used to
ensure the data are in the form of a limited data set. (page 1)
4. Enter how data will be shared and stored securely (page 1, middle)
5. Enter begin and end date for study or an event (page 2, top)
6. Enter IRB assigned number and Study Title if being used for research purposes or a
meaningful description of the use if not for research purposes (page 2, top)
7. Signatures will be required from a representative of the Department such as the HIPAA
Liaison/Privacy Officer, the Principal Investigator or other recipient as well as the
University HIPAA Privacy Officer.
C. IU is the data recipient receiving data in the form of a limited data set from an organization
outside Indiana University. If a DUA is not provided, use
Data Use Agreement Template IU Recipient Dec 2013
Complete the sections highlighted in yellow:
1. Date and Parties involved in the agreement (page 1 top section)
Enter the day of the month, month and year entered into the agreement
Enter the name of the Covered Entity sharing the information with IU, may also be
on behalf of a specific person within that organization.
The Trustees of Indiana University on behalf of the unit or department and the PI’s
name or other Recipient (the person or group who will be the actual recipient).
2. Definition/description of the limited data set (page 1 Section I)
Enter a meaningful description of the data to be shared. This information is used to
ensure the data are in the form of a limited data set.
3. Study Title and IRB Protocol number or Project information (if not for research) (page 2
Section II-3.)
Enter IU’s study information
Enter Recipient’s study information (this acts as documentation that the recipient has proper
approvals).
4. Persons or class of persons permitted to use or receive the data (page 2 Section III-1.)
List the IU data recipients, individual names or class of individuals (e.g. study team
members for IU study listed above)
5. Secure methods for sharing data (page 2 Section III-2.)
Provide the specific method by which data will be shared with the other institution (e.g.
slashtmp, encrypted email, encrypted file transfer).
Note: electronic sharing of data must be encrypted.
6. Contact from each entity (page 2 Section IV-1.)
In case there is a breach or other notification is required, contact information must be listed:
Contact at covered entity including contact information such as email address
Contact at IU (recipient) including contact information
7. Termination Date (page 3 Section VI-3.)
Specific Date or event agreement will terminate
This agreement must have some timeframe for termination, but can be renewed if
necessary (unlike an authorization, it cannot be indefinite).
8. Signatures will be required from the authorized representative of the Covered Entity
providing the data, the IU Recipient of the data (PI) as well as the University HIPAA
Privacy Officer.
D. IU is the data recipient receiving data in the form of a limited data set from an organization
outside Indiana University. If a DUA is provided:
Complete the document to the best of your ability. The Human Subjects Office with
assistance from the University HIPAA Privacy Officer will review and provide a redlined
version to be submitted to the Covered Entity by the group requesting the data.
1. Recipient information: IU will be the recipient if the research or use of the limited data
set is under the auspices of Indiana University. The recipient on the DUA will be listed as:
The Trustees of Indiana University on behalf of [Department/Unit & PI or other Recipient
Name]
2. Signatures are typically required from the authorized representative of the Covered
Entity (the authorized representative of Indiana University is the University HIPAA
Privacy Officer) as well as the PI or representative of the Data Recipient group.
III. Obtaining Signatures
Only an authorized representative can sign on behalf of Indiana University. Currently the
University HIPAA Privacy Officer is the authorized representative who signs Data Use
Agreements on behalf of Indiana University. Principal Investigators or other representatives
of a School/Department/Unit/Area do not have signature authority.
It is the responsibility of the individual or School/Department/Unit/Area using, sending or
receiving data in the form of a limited data set to ensure all appropriate signatures are
obtained. Once signatures are obtained, a scanned copy should be sent to the University
HIPAA Privacy Officer. The original should be retained by the individual or
School/Department/Unit/Area.
Once the agreement has been reviewed and accepted by all parties:
A. IU is the covered entity sharing PHI in the form of a limited data set
1. Obtain the signature of the official representative from the recipient;
2. Obtain the signature of the University HIPAA Privacy Officer
B. IU Data in the form of a limited data set used within Indiana University
1. Obtain the signature of a representative of the School/Department/Unit/Area who holds
the data (e.g. Privacy Officer, HIPAA Liaison, administrator);
2. Obtain the signature of the PI or representative of the group using the data;
3. Obtain the signature of the University HIPAA Privacy Officer
C. IU is the Recipient of the limited data set
1. Obtain the signature of the PI or representative of the group receiving the data;
2. Obtain the signature of the University HIPAA Privacy Officer;
3. Obtain the signature of the authorized representative from the Covered Entity providing
the limited data set
IV. Reporting an Incident
In the event any data in the form of a limited data set may be at risk for improper use or
disclosure, the individual or School/Department/Unit/Area should immediately notify the
University HIPAA Privacy and/or Security Officers.
If this Data Use Agreement is for research purposes, you must also contact the Human Subjects
Office.
Notification should be made if:
Data were sent in an unsecured manner (e.g. via unencrypted email, unencrypted thumb
drive);
Data were sent to the wrong person;
Data were stored on an unencrypted laptop;
The device used for storing data is lost or stolen;
Data in paper form are unaccounted for or missing.
Forms
Attachment 1 Data Use Agreement Template IU CE Dec 2014
Attachment 2 Data Use Agreement Template IU Internal June 2014
Attachment 3 Data Use Agreement Template IU Recipient Dec 2013
Related Information
HIPAA Privacy and Security Rules
45 CFR §§ 160 and 164
HITECH Act - Amended
45 CFR §§ 160 and 164
Related IU Policies
HIPAA-G01 HIPAA Sanctions Guidance
HIPAA-P01 Uses & Disclosures of Protected Health Information Policy
HIPAA-P02 Minimum Necessary Policy
PA/SS 6.4 Corrective Action Policy (non-union)
University HIPAA Privacy and Security Compliance Plan
IRB SOPs IU Standard Operating Procedures for Research Involving Human Subjects
Section 3.3.1.2 Limited Data Set
History
11/12/2013 Draft to HIPAA Privacy and Security Compliance Council
07/01/2014 Final
01/12/2016 Updated Definitions Section, corrected URL