The
HITECH Act modifies the HIPAA Privacy Rule requirement so that covered entities
will be complying if the PHI access, use, and disclosure are limited to either
the minimum necessary or a "limited data set." The HIPAA Privacy Rule
previously required that access to and disclosure of protected health
information (PHI) be limited to the minimum necessary, with some exceptions,
such as for treatment.
The Privacy Rule does permit a covered entity to use and
disclose PHI in a limited data set. This can be done without the individual
authorization for research, public health, and the covered entity's healthcare
operations. A limited data set must not include any direct
identifiers for the individual, relatives, household members, or employers, including
name, address, telephone, fax, e-mail, social security number, full-face photos,
certificate/license number, vehicle identifiers, and serial numbers, and URLs
and IP addresses.