Limited Data Use Agreement

If a Johns Hopkins researcher is the recipient of a limited data set of PHI from a non-Johns Hopkins source, the Johns Hopkins researcher will most likely be asked to sign the other party's agreement to use its data. In this case, the Johns Hopkins researcher is responsible for reviewing the data usage agreement and determining whether it materially complies with the Johns Hopkins model Data Use Agreement. If the other party's data usage agreement differs significantly from the Johns Hopkins Data Use Agreement, or if there is uncertainty, the Johns Hopkins Office of Research Administration should be consulted. A “limited data set” is a limited set of information about identifiable patients within the meaning of the Health Insurance Portability and Accountability Act, better known as HIPAA. A “limited data set” may be transmitted to an external office without the patient's permission if certain conditions are met. First, the purpose of the disclosure should only be research, public health or health care. Second, the person receiving the information must sign a data usage agreement with Hopkins. This agreement contains specific requirements that are discussed below. In addition, covered entities such as Stanford must take all reasonable steps to remedy a recipient's violation of the AEA.

For example, if Stanford learns that the data it has provided to a recipient is being used in a way that is not authorized by the AEC, Stanford should work with the recipient to resolve the issue. If these efforts are not successful, Stanford would be required to terminate any further disclosure of PHI to the recipient, in accordance with the AEA, and to notify the Department of Health and Human Services Office for Civil Rights. The “limited data set” provisions also require covered entities to take appropriate measures to remedy any breaches of the data usage agreement by a recipient. In other words, if Hopkins finds that the data provided to a recipient is being used in a way that is not authorized by the agreement, it must work with the recipient to resolve that issue. If these measures are not successful, Hopkins should terminate the transfer of PHI to the recipient under the data usage agreement and report the situation to the Privacy Office at 410-614-9900 or hipaa@jhmi.edu. A covered entity (for example, Stanford) can use a member of its own staff to create a “limited data set.” On the other hand, the recipient can also create a “limited data set” as long as the person or entity acts as a counterparty to the covered entity. The following information provides instructions on limited data sets compared to data and data usage agreements that have not been fully identified. When a covered entity is the recipient of a limited data set and violates the data usage agreement, it is presumed to have violated the data protection rule.

When the covered entity that provides the limited data set becomes aware of a pattern of activity or practice by the recipient that constitutes a substantial breach or violation of the data usage agreement, the covered entity must take appropriate steps to correct the inappropriate activity or practice. If these steps are not successful, the covered entity must stop disclosing PHI to the recipient and notify HHS.