Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?
Yes. See 45 CFR 164.514(e)(3)(ii). For example, if a researcher needs county data, but the covered entity's data contains only the postal address of the individual, a business associate may be used to convert the covered entity's geographical information into that needed by the researcher. In addition, the covered entity may hire the intended recipient of the limited data set as the business associate for this purpose in accordance with the business associate requirements. That is, the covered entity may provide protected health information, including direct identifiers, to a business associate who is also the intended data recipient, to create a limited data set of the information responsive to the recipient's request. However, the data recipient, as a business associate, must agree to return or destroy the information that includes the direct identifiers once it has completed the conversion for the covered entity.