Bypassing authorization

June 18, 2004

I'm considering doing some medical research, but want to avoid the hassle of obtaining individual authorizations from patients whose records I'll need to obtain from the hospital. Can I bypass all this paperwork without violating HIPAA?

Q:I'm considering doing some medical research, but want to avoid the hassle of obtaining individual authorizations from patients whose records I'll need to obtain from the hospital. Can I bypass all this paperwork without violating HIPAA?

A: You can ask the hospital for a "limited data set," which is medical data from which direct patient identifiers have been removed. Before sharing the information in the limited data set, the hospital will require that you sign a "data-use agreement," which specifies who may receive the information, its permissible uses, and how you intend to protect its confidentiality. A word of caution: Since the information in a limited data set still contains identifying items—such as admission and discharge dates—you may disclose it only for research purposes, or for public-health functions or healthcare operations. If you disclose such data for other reasons, you risk violating the law.