Guidance

Limited Data Sets

IRBMED
Aug 10, 2020 2:30 pm

Research on coded private information, or on non-identifiable information, is not regulated under the Common Rule.  However, HIPAA Privacy Rule protections apply if a coded or non-identifiable data set contains Protected Health Information (PHI) in the form of a “Limited Data Set.”

  • Applicability

    A HIPAA Limited Data Set (LDS) excludes direct identifiers but may include geographic information other than street address; dates; and other numbers, characteristics, or codes not listed as direct identifiers.

    A table showing data elements permitted in de-identified data and limited data sets is available through the References section of the Michigan Medicine Policy 01-04-342 (level-2 login required).

    HIPAA Privacy Rule permits access to PHI in the form of a Limited Data Set (LDS) if the covered entity and the limited data set recipient enter into a data use agreement (DUA). Even if the researchers requesting a limited data are members of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient.

  • REQUIRED PROVISIONS IN THE DUA

    In the DUA, the researchers receiving the LDS provide satisfactory assurances that they will use or disclose the PHI in the data set only for specified purposes.

    1. Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
    2. Identify who is permitted to use or receive the limited data set.
    3. Stipulations that the recipient will
      1.  Not use or disclose the information other than permitted by the agreement or otherwise required by law.
      2. Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
      3. Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
      4. Not identify the information or contact the individuals.

    Michigan Medicine Policy 01-04-342 on Limited Data Sets (level-2 login required) describes implementation of these requirements.

    • Sharing LDS within U-M: Use the internal template linked from the policy
    • Sending LDS outside U-M: Use the external template linked from the policy
    • Receiving LDS from outside institutions: generally the other institution provides the DUA template.

    External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM). ORSP Data Sharing Resource CenterUMMS Data Office for Clinical and Translational Research, and UMHS Compliance Office are available to assist with DUAs. 

  • PROCESS FOR APPLICATION

    To request review of a “Limited Data Set with Data Use Agreement," complete a new application in eResearch Regulatory Management (eRRM). Fill out system-required sections, including:

    • Question 1.8 (project summary): explain the purpose of the project, and why this requires access to PHI.
    • Section 01-1: “Activities Not Regulated…”;
    • Section 02: Link to any applicable Unfunded Agreements (UFAs), even if still in "Create Record" state
    • Section 04-1: “Research Involving Coded Private Information”;
    • Section 04-2: Yes to “limited data set?”
    • Section 24: fill out a separate line item for each data source, including
      • Question 24.5: For sharing with external institutions, upload a copy of the DUA (if not linked in a UFA).
    • Section 25-1: fill out, including
      • 25-1.3 “HIPAA authorization will not be obtained from any subjects”
      • 25-1.3.2: “Limited data set(s)”
    • Section 25-4: provide required assurances
      • Note that if PHI will be disclosed outside U-M, the eResearch system will force a DUA upload in this section (even if provided elsewhere).

    Once completed and submitted, the application will be reviewed by IRBMED Staff for clarity and completeness, then assigned to IRB Board reviewer for determination.

Questions?

Contact us at irbmed@umich.edu or 734-763-4768 / (Fax 734-763-1234)

2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800

A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.

Edited By: larkspur@umich.edu
Last Updated: April 7, 2022 9:45 AM