13
o Not identify the information or contact the individuals.
At Columbia, a HIPAA Form F: HIPAA Data Use Agreement for Disclosure of a HIPAA
Limited Data Set for Research Purposes or another form of Data Use Agreement must be
attached to a protocol and submitted in Rascal for review when (1) the Columbia Health Care
Component will be engaged in the research, (2) the Limited Data Set originates from the
Columbia Health Care Component, (3) a waiver of authorization has not been granted and (4) the
subject did not provide authorization for the proposed use. Use of the template form in the
Rascal IRB module is recommended. If the Columbia Health Care Component is only supplying
a HIPAA Limited Data Set for research, and the providing Workforce Member is not otherwise
involved in the research, a HIPAA Data Use Agreement is required although submission of a
protocol to the IRB may not be required. When the HRPO review of the HIPAA Data Use
Agreement is completed, the researcher should forward the Agreement to the intended recipient
of the HIPAA Limited Data Set for signature, after which it must be provided to Sponsored
Projects Administration or the Clinical Trials Office for review and signature on behalf of the
University. A copy of the HIPAA Form F is attached to this Policy as Annex 6.
Note that when it is proposed that a Limited Data Set will be Used within the Columbia Health
Care Component, it is the practice of the IRB to grant a waiver of authorization if the waiver
criteria are met, rather than requiring the use of a HIPAA Data Use Agreement.
F. Research with De-identified Data
The Columbia Health Care Component may Use or Disclose PHI that is de-identified. Health
information that does not identify an individual and with respect to which there is no reasonable
basis to believe that the information can be used to identify the individual is not PHI.
There are two methods by which health information can be designated as de-identified:
Safe Harbor Method: the LDS Identifiers as well as the following elements (together, the
HIPAA Identifiers) regarding an individual or his/her relatives, employers or household
members are removed from the information;
o All geographic subdivisions smaller than a state, including street address, city, county,
precinct, zip code and their equivalent geographical codes except for the initial three
digits of a zip code if, according to the current publicly available data from the Bureau of
the Census:
< The geographic unit formed by combining all zip codes with the same three initial
digits contains more than 20,000 people; and
< The initial three digits of a zip code for all such geographic units containing 20,000 or
fewer people are changed to 000
o All elements of dates (except year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over 89 and all
elements of dates (including year) indicative of such age, except that such ages and
elements may be aggregated into a single category of age 90 or older