The Bristol Observatory

Incorporated in 1997 by John A. Pandiani, Ph.D., Sociologist and Steven M. Banks, Ph.D., Mathematician


HIPAA

Data sets used by the Bristol Observatory for Probabilistic Population Estimation are HIPAA compliant.  The final privacy rule requires only a written agreement by TBO that it will not re-identify the data or contact the individuals.

The relevant provisions of the rule are described, and relevant quotations from the rule are provided below. 

*****************************

In 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (PL 104-191) that requires the Secretary of Health and Human Services to promulgate federal regulations that protect the privacy of health information if Congress had not enacted legislation in this area by August of 1999. In December 2000, Standards for Privacy of Individually Identifiable Health Information; Final Rule (45 CFR 164) were promulgated. Final modification of this rule was published on August 14, 2002.

The final rule allows for the exchange of a “limited data set” that includes date of birth, gender, and geographical location for research purposes. Exchange of data requires only a “data use agreement” in which the recipient of the data agrees not to re-identify the data or contact the individuals.

 ***************************** 

[Federal Register: August 14, 2002 (Volume 67, Number 157)]

[Rules and Regulations]              

[Page 53181-53273]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr14au02-32]                          

    In addition, to further protect privacy, the Department proposed to condition the disclosure of the limited data set on covered entities obtaining from the recipients a data use or similar agreement, in which the recipient would agree to limit the use of the limited data set to the purposes specified in the Privacy Rule, to limit who can use or receive the data, and agree not to re-identify the data or contact the individuals. 

[[Page 53235]]

     Final Modifications. In view of the support in the public comments for the concept of a limited data set, the Department determines that adoption of standards for the use and disclosure of protected health information for this purpose is warranted. Therefore, the Department adds at Sec. 164.514(e) a new standard and implementation specifications for a limited data set for research, public health, or health care operations purposes if the covered entity (1) uses or discloses only a ``limited data set'' as defined at Sec. 164.514(e)(2), and (2) obtains from the recipient of the limited data set a ``data use agreement'' as defined at Sec. 164.514(e)(4). In addition, the Department adds to the permissible uses and disclosures in Sec. 164.502(a) express reference to the limited data set standards.

     The implementation specifications do not delineate the data that can be released through a limited data set. Rather, the Rule specifies the direct identifiers that must be removed for a data set to qualify as a limited data set.provisions, the direct identifiers listed apply to protected health information about the individual or about relatives, employers, or household members of the individual. The direct identifiers include all of the facial identifiers proposed in the preamble to the NPRM: (1) Name; (2) street address (renamed postal address information, other than city, State and zip code); (3) telephone and fax numbers; (4) e-

The public comment generally supported the removal of this facially identifying information. 

    In addition to these direct identifiers, the Department designates the following information as direct identifiers that must be removed before protected health information will be considered a limited data set: (1) Medical record numbers, health plan beneficiary numbers, and other account numbers; (2) device identifiers and serial numbers; and (3) biometric identifiers, including finger and voice prints.  

    In response to wide public support, the Department does not designate as a direct identifier any dates related to the individual or any geographic subdivision other than street address. Therefore, as part of a limited data set, researchers and others involved in public health studies will have access to dates of admission and discharge, as well as dates of birth and death for the individual. We agree with commenters who asserted that birth date is critical for certain research, such as longitudinal studies where there is a need to track individuals across time and for certain infant-related research. Rather than adding complexity to the Rule by trying to carve out an exception for these specific situations, and other justifiable uses, we rely on the minimum necessary requirement to keep the Rule simple while avoiding abuse. Birth date should only be disclosed where the researcher and covered entity agree that it is needed for the purpose of the research. Further, even though birth date may be included with a limited data set, the Department clarifies, as it did in the preamble to the proposed rulemaking, that the Privacy Rule allows the age of an individual to be expressed in years or in months, days, or hours as appropriate.

    Moreover, the limited data set may include the five-digit zip code or any other geographic subdivision, such as State, county, city, precinct and their equivalent geocodes, except for street address. 

    Finally, the implementation specifications adopted at Sec. 164.514(e) require a data use agreement between the covered entity and the recipient of the limited data set. The need for a data use agreement and the core elements of such an agreement were widely supported in the public comment.   

    Finally, the Department amends Sec. 164.528 to make clear that the covered entity does not need to include disclosures of protected health information in limited data sets in any accounting of disclosures provided to the individual. Although the Department does not consider the limited data set to constitute de-identified information, all direct identifiers are removed from the limited data set and the recipient of the data agrees not to identify or contact the individual. The burden of accounting for these disclosures in these circumstances is not warranted, given that the data may not be used in any way to gain knowledge about a specific individual or to take action in relation to that individual.

 

 

The Bristol Observatory
521 Hewitt Road
Bristol, VT 05443

bristob@together.net

(802) 453-7070 / (802)453-5061 Fax

For questions or comments about this web site, send e-mail to webmaster@TheBristolObservatory.com
Copyright © 2000 The Bristol Observatory
Web design by Fern Hill (last update 7/23/08)