“A `limited set of data` is a limited set of identifiable information for patients within the meaning of the data protection rules adopted under the Health Insurance Portability and Accountability Act, better known as `HIPC`. A “limited set” of information may be passed on to an external party without a patient`s permission if certain conditions are met. First, the purpose of disclosure should only be for research, health or health operations. Second, the person receiving the information must sign a data use agreement with Hopkins. This agreement has specific requirements, which are explained below. A Data Use Agreement (DUA) is an agreement that is necessary and must be entered into in accordance with the data protection rule before a limited data set (defined below) is used or disclosed to an external institution or party. A limited set of data is always Protected Health Information (PHI), and that`s why covered companies like Stanford have to enter into a data usage agreement with each recipient of a limited set of Stanford data. In order to use or disclose the deceased`s PHI for research purposes, the companies concerned are not required to obtain authorizations from the personal representative or their relatives, a waiver or modification of the authorization or an agreement for the use of the data. However, the covered company must receive written or oral assurances from the researcher seeking access to the deceased that the use and disclosure are sought exclusively for research on the IHP of the deceased; (2) written or oral statements clarifying that the IHP for which use or disclosure is requested is necessary for research purposes and (3) the death of persons at the request of the undertaking concerned; whose IHP is sought by researchers.
B. If Johns Hopkins is the recipient of the data, have you signed any counterparty contracts? If not, you are in danger! To learn more about counterparty agreements, click here. A collected entity may only use or disclose a limited set of data if the collected entity receives, in the form of a data use agreement, satisfactory assurance that the recipient of the limited data set will only use or disclose the protected health information for limited purposes. The current data protection authorization is the authorization signed by a person that allows a covered entity to use or disclose the person`s PHI for the purposes and to the recipient or recipient, as indicated in the authorization. Where authorisation is obtained for research purposes, the data protection rule requires that it relate only to a specific research study, and not to non-specific research or unspecified future projects.. . . .