In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, without the Privacy Rule, and unless otherwise forbidden by state or local law, patient information held by a health plan could be passed on without the patient’s permission to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Health care operations do not include research and many fundraising and marketing activities. See UW-107 Uses and Disclosures of Protected Health Information for Marketing and UW-108 Uses and Disclosures of Protected Health Information for Fundraising for more information.
Applies to all members of the UW HCC.
A limited data set (commonly referred to as an “LDS”) is protected health information that excludes certain direct identifiers and can be used or disclosed without an individual’s authorization when other compliance steps are taken. UW HCC units may use or disclose a limited data set of protected health information only for the purposes of public health activities, research, or health care operations. Such use or disclosure requires a data use agreement between the entities sharing and receiving the limited data set. This document describes how a limited data set of protected health information may be created, and how it may further be used or disclosed under the HIPAA Privacy Rule.
Other numbers, characteristics, or codes not listed as direct identifiers under HIPAA
*Whether a data set that includes other geocoding or other identifiers not listed above may qualify as a limited data set of protected health information will depend upon the circumstances. 9-digit zip codes and geocoding information which allow specificity of location to a “street” level may not be included in a limited data set of protected health information (see Federal Register, Vol. 67, No. 157, at 53235).
A UW HCC unit is not in compliance with this policy or with HIPAA regulations if the UW HCC unit knows of a pattern of activity or practice of the recipient of a limited data set of protected health information that constitutes a material breach or violation of the data use agreement, unless the UW HCC unit took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
UW–Madison Office of Compliance data use agreement templates may be found at: https://compliance.wisc.edu/policies-and-forms/.
RSP Data Use Agreement templates may be found at: https://www.rsp.wisc.edu/contracts/dtua.cfm.
09-22-2014: Effective date of the revised policy: 09-22-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
11-09-2020: Effective date of the revised policy: 11-09-2020.