Yes. Regulations permit covered entities (usually the agency providing the data) to disclosure health information for research purposes without authorization by the research subject if the use or disclosure involves a “limited data set” and the covered entity enters into a data use agreement with the researcher. A “limited data set” is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual subjects:
- names
- postal address information, other than town or city, state and zip code
- telephone numbers
- fax numbers
- email addresses
- social security numbers
- health plan beneficiary numbers
- account numbers
- certificate/license numbers
- vehicle identifiers and serial numbers
- device identifiers and serial numbers
- web universal resources locators (URLs)
- Internet protocol (IP) address numbers
- biometrics identifiers, including finger and voice prints
- full face photographic images and any comparable images
- A limited data set may, however include other indirect identifiers, especially dates of birth, treatment, discharge, or death.
Investigators may use a limited data set for research without subject authorization if they have completed a Limited Data Use Agreement with the entity releasing the data. Investigators in this situation should complete a Form K and email the Form and the Limited Data Use Agreement to the IRB Chair. (Normally, the entity releasing the data should provide the Limited Data Use Agreement; however, if the entity does not have such a form the investigator should contact the IRB Chair for examples of acceptable forms.).
PHI can be released freely if it does not contain “individually identifiable information” as defined in the section above. PHI is not individually identified if the subject is not identified, directly or indirectly, and if the subject has no reasonable basis to believe that the information can be used to identify them.