A restricted data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule allows covered units to share with specific units for public health activities, research purposes, and healthcare operations without getting prior approval from patients, provided specific requirements are met.
Unlike de-identified PHI, which is no longer classified as PHI under HIPAA, a restricted data set is still identifiable protected information. For that reason, it remains subject to the HIPAA Privacy Rule.
A HIPAA restricted data set can be shared only with units that have entered into a data use contract with the covered unit. The data use contract allows the covered unit to obtain satisfactory assurances that the PHI will be used only for particular purposes, that the PHI will not be disclosed by the unit with which it is shared, and that the conditions of the HIPAA Privacy Rule will be respected.
The data use contract, which should be accepted before the restricted data set is distributed, must set out the following:
- Permissible uses and disclosures
- Permitted users and recipients of the data
- An agreement that the data will not be used to re-identify individuals or contact them
- A requirement that protections be applied to ensure the privacy of the data and prevent prohibited uses and disclosures
- A statement that any inappropriate uses and disclosures that are detected must be reported back to the covered unit
- A statement that any contractors who need to use or access the data must also sign a data use contract and agree to abide by its requirements
In all circumstances, the HIPAA minimum essential standard applies, and the information in the data set should be restricted to only what is essential to carry out the purpose for which it is disclosed.
What Information Should Be Deleted from a Restricted Data Set According to HIPAA?
According to HIPAA, a restricted data set cannot contain any of the following information:
- Street addresses or other postal address information, with the exception of state, town/city and zip code
- E-mail addresses
- Phone/Fax numbers
- Medical records numbers
- IP addresses and URLs
- Social Security numbers
- Other account numbers
- Certificate and license numbers
- Health policy beneficiary numbers
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers, including license plates
- Biometric identifiers such as retinal scans, fingerprints and voice prints
- Full-face photos and comparable images