HIPAA: Key Definitions for Data Use Agreement

Limited Data Set

Protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Name;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

Health Care Operations

Any of the following activities of the covered entity to the extent that the activities are related to those functions the performance of which makes the covered entity a health plan, health care provider, or health care clearinghouse:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.

  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

  • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

  • Business management and general administrative activities of the entity, including, but not limited to:

    —Management activities relating to implementation of and
       compliance with the requirements of this subchapter;
    —Customer service, including the provision of data analyses for
       policy holders, plan sponsors, or other customers, provided
       that PHI is not disclosed to such policy holder, plan sponsor,
       or customer;
    —Resolution of internal grievances; and
    —Consistent with the applicable requirements of § 164.514,
       creating de-identified health information or a limited data set,
       and fundraising for the benefit of the covered entity.

Health Care Provider

A person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Public Health

The HIPAA Privacy Rule does not define “public health.” Should you have questions or concerns, please consult the University’s Privacy Officer, Rebecca Hutton.

Research

A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.


Last updated: July 31, 2003