For activities involved in the preparation of the research, the companies involved may use POS or pass them on to a researcher without a person`s permission, a waiver or a change in the authorization or an agreement to use the data. However, the target company must receive information from a researcher indicating that (1) the use or disclosure of the PPH is requested only when necessary for the preparation of a research protocol, or for similar purposes preparing for research (2) the PHI is not removed from the affected organization during the audit and (3) the PHI, for which use or access to research is required. The unit identified may allow the researcher to make these statements in writing or orally. Some of the PHI uses and disclosures authorized by the section 164.512 confidentiality rule without authorization, waiver or modification of the data authorization or agreement are summarized below. Covered companies wishing to use and disclose POs for these or other authorized purposes pursuant to Section 164.512 should consult the data protection rule for information on relevant implementation requirements. A limited set of data is described as health information that excludes certain direct identifiers listed (see below), but which may also include the city. State; Postcode; Date elements and other numbers, features or codes other than direct identifiers. The direct identifiers contained in the restricted provisions of the data protection rule apply to information about the person as well as information about the person`s parents, employers or household members. The following identifiers should be removed from health information when data is to be classified as a limited set of data: (A) determine the authorized uses and disclosures of that information by the recipient of a limited data set in accordance with paragraph (e) (3) of this section. The data usage agreement should not allow the recipient of a limited set of data to use or disclose the information in a manner that would be contrary to that party`s requirements, if it is carried out by the relevant agency; (B) A covered company, which is a limited recipient of the data set and violates a data usage agreement, violates the standards, implementation specifications and requirements of the paragraph (e) of this section. The data protection rule allows three methods of collecting research-related information that are provided without the person`s permission or a limited data set: (1) A standard approach, 2) an approach for multiple data and (3) an alternative for statements involving 50 or more people.
Whichever approach is chosen, accounting is done in writing and is made available to the requesting person. Accounting reports to the individual may contain results from several accounting methods. (C) Provide that the restricted recipient of the fact: the authorization to authorize the protection of valid data is the signed authorization of a person that allows a registered organization to use or disclose the PHI to the person for purposes, as well as to the recipient or recipient, as indicated in the authorization. When authorization is obtained for research purposes, the data protection rule requires that it only be for a specific research study, not non-specific research or unspecified future projects. The data protection rule considers the creation and maintenance of a search archive or database to be a specific search activity, but the use or subsequent disclosure of information from the database by an entity covered by the database requires separate authorization, unless the use or disclosure of PHI is authorized without authorization (see below). When a research permit is obtained, the uses and information actually provided must be consistent with the indications contained in the authorization. The signed authorization must be co-authored