Limited data sets are exempt from a patient's right to an accounting of disclosures.
What are limited data sets?
According to Section 164.514(e) of the Code of Federal Regulations, a limited data set is, “...protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual…”
The data set is the identifiable information that can be used or disclosed for research, public health, or healthcare operations without the need for consent or authorization. The set can be used in this way because it does not include any information that could be used to identify a patient or research participant.
A patient's right to the accounting for disclosure
HIPAA provides patients the right to receive an accounting of disclosures for how their protected health information (PHI) has been shared by covered entities and business associates. The accounting provides patients the ability to receive a detailed list of the instances where their PHI was disclosed as well as the reasons other than treatment that the disclosure occurred over the span of six years. The provision itself is beneficial in cases where legal, research, or public health disclosures that the patient did not provide consent for and were beyond the scope of treatment, payment, or operation.
Why limited data sets are not subject to the accounting for disclosures
According to the HHS, “...a covered entity is not required to provide an accounting for a disclosure where the only information disclosed is in the form of a limited data set, and the covered entity has a data use agreement with the public health authority receiving the information.”
The reason for this is that limited data sets are void of identifiers that could tie the information to any specific patient. It means that patients' privacy remains protected and therefore an exemption exists so that data management in research and public health is more manageable without being overburdened by the disclosure requirement set by HIPAA.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What is consent?
The agreement by patients for the PHI to be used or shared for specific purposes.
What is PHI?
Any information about health status or payment for healthcare linked to a patient.
What is TPO?
The three primary healthcare activities that do not require patient consent to share PHI under HIPAA.
Kirsten Peremore
