LIMITED DATA SETS

 

When using or disclosing PHI, a DMH component may use a limited data set if the component enters into a data use agreement with the limited data set recipient providing that a limited data set not include any of the following direct identifiers of the individual who is the subject of the PHI or of relatives, employers, or household members of the individual:

Names; Postal address Information, other than town or city, State, and zip code;
Telephone numbers or Fax numbers or Electronic mail addresses;
Social security numbers or Medical record numbers;
Health plan beneficiary numbers or Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs) or Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints; or  
Full face photographic images and any comparable images.

A DMH program area may use or disclose a limited data set only if it obtains satisfactory assurance, in a memorandum of agreement, that the limited data set recipient will only use or disclose the PHI  for limited purposes.  The memorandum of agreement must:

Establish the permitted PHI uses and disclosures in the limited data set by the recipient;
Establish who is permitted to use or receive the limited data set;
Provide that the limited data set recipient will:
Not use or disclose the Information unless permitted by the agreement or as required by law;
Use appropriate safeguards to prevent improper uses or disclosures;
Report any known use or disclosure not provided for by its data use agreement;
Ensure that any agents, including subcontractors, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the PHI; and
Not attempt to identify or contact the individuals whose data are included in the limited data set.

A DMH program area may use or disclose a limited data set only for the purposes of research, public health, or health care Operations.  If the limited data set is needed for research or projects that have a research component, DMH’s Institutional Review Board (see Research policy) must approve the research project.

The DMH program area that will use or disclose the requested limited data set must determine the purpose of the request.  If the request is for research purposes or has a research component, DMH’s Institutional Review Board must first review the request.   If the Institutional Review Board approves the research, the Institutional Review Board Administrator will inform the program area that it may proceed with the memorandum of agreement as described in this policy.  If the purpose of the limited data set is for public health or health care Operations, then the DMH program area may proceed with the memorandum of agreement as described in this policy.   The DMH Privacy Officer or his/her designee must approve the memorandum of agreement before the limited data set is provided to the requestor.