A covered entity (Cardiology Medical Group) can use a member of its own workforce to create the limited data set. The Department of Health and Human Services (DHHS) indicates that a covered entity may also allow a person requesting a limited data set to create it, as long as the person is acting as a business associate of the covered entity. A business associate is someone who is not part of the covered entity’s workforce but who will use the covered entity’s PHI to perform some task on behalf of the covered entity. Examples of business associates include lawyers, accountants, and firms that analyze patient data. The covered entity (Cardiology Medical Group) must enter into a separate business associate agreement with that business associate, and the agreement must meet the requirements of the Privacy Regulations. After the limited data set is created under the business associate agreement, all of the PHI, other than the PHI qualifying as the limited data set under the data use agreement, must be returned to the covered entity.
Thus, it is possible that someone at the recipient will act as the covered entity’s business associate to create the limited data set from a broader set of PHI. In such a case, the recipient must sign both the data use agreement and the business associate agreement.