Because a limited data set is still PHI, the Privacy Regulations protect the privacy of individuals by requiring covered entities (Cardiology Medical Group) to enter into Data Use Agreements with recipients of limited data sets. The Data Use Agreement must meet the following standards specified in the Privacy Regulations:
• Establish the permitted uses and disclosures of the limited data set.
• Identify who may use or receive the information.
• Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law.
• Require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement.
• Require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware.
• Require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information agree to the same restrictions as provided in the agreement.
• Prohibit the recipient from identifying the information or contacting the individuals.
The limited data set provisions also require covered entities to take reasonable steps to cure any breach by a recipient of the Data Use Agreement. If Cardiology Medical Group determines that data provided to a recipient is being used in a manner not permitted by the agreement, it must work with the recipient to correct this problem. If these steps are unsuccessful, Cardiology Medical Group must discontinue disclosure of PHI to the recipient under the Data Use Agreement and report the situation to the Privacy Office at 555-555-5555 or email@email.com.