A restricted record is a set of data that is exempt from certain direct identifiers specified in the HIPC confidentiality rule. A limited set of data may only be transmitted to an external party without a patient`s permission if the purpose of the disclosure is for research, public health or public health purposes and if the person or organisation receiving the information signs a Data Use Agreement (DUA) with the relevant entity or its counterparty. No, the disclosure of “limited data sets” is not subject to hipC disclosure obligations. The Department of Health and Human Services (DHHS) has taken the position that the protection of individuals` privacy with respect to PHI, disclosed in a “limited data set”, can be properly protected by a SINGLE DUA. 3. prohibit the recipient from using or disclosing the information, unless the agreement permits or otherwise permits; A data use agreement defines who can use and obtain the LDS, as well as the authorized use and disclosure of that information by the recipient and provides that a Data Use Agreement (DUA) is a particular type of agreement that is necessary and must be entered into under the HIPC Data Protection Rule before being used or disclosed a limited data set (defined below) from a Medical Record comes to a external institution or party to one of the three objectives: (1) research, (2) public health or (3) health institutions. A limited data set is always Protected Health Information (PHI) and, therefore, HIPAA covered entities or hybrid covered entities, such as the University of Arizona (UA), must enter into a DUA with any institution, organization, or entity to which UA discloses or transfers a limited set of data. 4. require the recipient to use appropriate security measures to prevent any unauthorized use or disclosure that is not provided for in the agreement; Limited records can only contain the following identifiers: in addition, covered or hybrid entities such as UA must take all appropriate measures to remedy a recipient`s violation of the DUA. For example, if UA learns that the data it has made available to a recipient is being used in a way that is not authorized in accordance with the DUA, notify the AU Data Protection Officer and UA will work with the recipient to resolve this issue. If these efforts are not successful, the AU would be required to stop any further disclosure of IHP to the recipient under the DUA and report the matter to the Federal Office of Health and Human Services for Civil Rights. 2. If an AU researcher is the recipient of a limited set of data from a non-AU source, the AU researcher is most likely invited to sign the other party`s DUA.
In this case, the AU researcher should consult with the contractual services that are trying to determine whether it is materially in line with the AU DUA submission. Send email@example.com an email to request a DUA. Yes, you need both a Data Use Agreement (DUA) and a counterparty agreement (Business Association Agreement, BAA), because the covered entity or hybrid covered entity (UA) makes PHI available to the recipient with direct identifiers. Therefore, a BAA would be required to transmit the direct identifiers to the recipient. Once the restricted data set has been established under the BAA, all PHI, with the exception of PHI, which are qualified as a restricted dataset in accordance with the DUA, must be returned to UA….