What kind of data or information do you need to obtain or share? When the information is about living people, the HIPAA regulations come into effect. Before you begin your research project, determine what pieces of information about living people, or their cells or tissues, you will need to include in the data you obtain, receive or store.
Protected Health Information (PHI) is identifiable if it includes any of certain identifiers, or if it includes information from which a determined person would be able to figure out an identity. Using any PHI in research requires careful technical and physical protections.
If the PHI is obtained internally, through collection of information within the lab doing the research, the information must be protected from inadvertent access by an untrained and/or unauthorized individual. (See protection guidelines.)
If the PHI is to be obtained from, or to be shared with, an entity external to the lab doing the research, completion of a Business Associate Agreement (BAA), prior to beginning the research project, is required.
To be sure of your process, use the "BAA Decision Tree."
De-Identified Information is data from which all of the 18 "identifiers" have been removed, and it is not subject to HIPAA.
Please note that identifier number 18 opens the possibility of other information, which can sometimes be subjective, and this has some implications with respect to research. Please contact the Privacy Officer for assistance in determining the category of additional information not clearly named in the list of identifiers.
A Limited Data Set (LDS) is health information that excludes certain direct identifiers (listed below).
LDS may include city, state, ZIP code, elements of date and other numbers, characteristics or codes not listed as direct identifiers.
Use of a limited data set requires completion of a Data Use Agreement (DUA) prior to beginning the research project.
The direct identifiers listed in the Privacy Rule's limited data set provisions apply both to information about the individual and to information about the individual's relatives, employers or household members.
The following identifiers must be removed from health information for the data to qualify as a limited data set:
Names
Street addresses (other than town, city, state and ZIP code)
Telephone numbers
Fax numbers
E-mail addresses
Social Security numbers
Medical records numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Device identifiers and serial numbers
URLs
IP address numbers
Biometric identifiers (including finger and voice prints)
Full face photos (or comparable images)
The data sharing request online form should be used for the submission of data-related requests. Upon submission of the form, the Office of Regulatory Compliance will automatically be notified of your request and someone will be in touch with you soon.
Please direct any separate communications regarding data sharing requests/agreement to [email protected].