Group items tagged

A data use agreement (DUA) is an agreement required by the HIPAA Privacy Rule between a covered entity and a person or entity that receives a “limited data set” from the covered entity. Even though a limited data set excludes many direct identifiers of the individual, when such information is in the hands of non-covered entities, the Privacy Rule attempts to protect the privacy of individuals through the use of DUAs.

The first way, the "safe-harbor" method, is to remove all 18 identifiers enumerated at section 164.514(b)(2) of the regulations 1. Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.

1 The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed: (1) Names; (2) all geographic subdivisions smaller than a state, except for the initial three digits of the ZIP code if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; (3) all elements of dates except year, and all ages over 89 or elements indicative of such age; (4) telephone numbers; (5) fax numbers; (6) email addresses; (7) social security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers; (11) certificate or license numbers; (12) vehicle identifiers and license plate numbers; (13) device identifiers and serial numbers; (14) URLs; (15) IP addresses; (16) biometric identifiers; (17) full-face photographs and any comparable images; (18) any other unique, identifying characteristic or code, except as permitted for re-identification in the Privacy Rule.

Offences against the PHIPA can result in fines up to $50,000 for individuals and up to $250,000 for corporations.