Standard for HIPAA Limited Data Set Disclosures

Purpose

Ohio University may disclose a limited data set of information to an outside party without a patient’s authorization if the purpose of the disclosure is for research, public health or health care operations, and the recipient signs a HIPAA-compliant data use agreement with Ohio University. 

Scope

This standard will apply to all Ohio University HIPAA Covered Entity Units and all Ohio University activities, services, or research that involve protected health information and are thus subject to HIPAA regulations.  

Standard

  1. Limited Data Set:
    1. A limited data set is Protected Health Information (PHI) that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
      1. Names;
      2. Postal address information (other than town, city, state and zip code);
      3. Telephone numbers;
      4. Fax numbers;
      5. Electronic mail addresses;
      6. Social Security numbers;
      7. Medical records numbers;
      8. Account numbers;
      9. Certificate / license numbers;
      10. Vehicle identifiers and serial numbers, including license plate numbers;
      11. Device identifiers and serial numbers;
      12. Web Universal Resource Locators (URLs);
      13. Internet Protocol (IP) address numbers;
      14. Biometric identifiers (including finger and voice prints); and
      15. Full face photographic images (and comparable images).
    2. The demographic information that may remain in the limited data set includes:
      1. Dates, such as date of service, date of birth, date of death;
      2. City, state, five-digit or more zip code; and
      3. Ages in years, months, days, or hours.
  2. Permitted Purposes of Disclosures: Ohio University may use or disclose a limited data set only for the following three purposes:
    1. Research;
    2. Public health; or
    3. Health care operations.
  3. Data Use Agreement: OU may use or disclose a limited data set only if OU obtains a data use agreement from the recipient, which contains satisfactory assurances that the limited data set recipient will use or disclose the PHI only for limited purposes.

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, as deemed appropriate based on current regulatory requirements, in the interest of ensuring the privacy and security of individuals' health information.

Status: Approved

Effective: August 9, 2019