Skip to main content

Military Health System

Important Notice about Pharmacy Operations

Change Healthcare Cyberattack Impact on MHS Pharmacy Operations. Read the statement to learn more. 

Skip subpage navigation

Definitions

Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information that is linked or linkable to a specified individual.

Protected Health Information (PHI) is a subset or smaller grouping of PII and is defined as individually identifiable health information that is transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records held by a HIPAA covered entity in its role as an employer.

Limited Data Set (LDS) is a small grouping or subset of PHI that excludes specific data elements created for the purposes of research, public health, or health care operations as set forth in the HIPAA Privacy Rule at 45 CFR 164.514(e)(2) and DoD 6025.18-R at C8.3.2.

De-identified data is information that does not identify an individual, and there is no reasonable basis to believe that the information can be used to identify an individual. The criteria for de-identified data are set forth in the HIPAA Privacy Rule at 45 CFR 164.514(b) and DoD 6025.18-R at C8.1.3.

Full Waiver enables a research project to obtain PHI about research participants without getting signed Authorizations from the participants at any point during the project consistent with the criteria set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R.

Partial Waiver enables a project to obtain PHI about research participants from HIPAA covered entities without getting signed Authorizations from the participants for part of the project; that is, the partial waiver applies for a time period that is shorter than the time required for the entire research project. This time period generally expires when either access to PHI is no longer needed for completing the research project or it becomes feasible during the course of the research project to obtain an Authorization from every individual research participant. Certain criteria set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R must be met.

An Altered Authorization under the HIPAA Privacy Rule and DoD 6025.18-R, is when the research project requires a need to modify or remove some, but not all, required elements from an Authorization. For example, an alteration of the Authorization might be requested to remove the element that describes each purpose of the requested use or disclosure where the identification of the specific research project would affect the results of the project.

Last Updated: July 11, 2023
Follow us on Instagram Follow us on LinkedIn Follow us on Facebook Follow us on X Follow us on YouTube Sign up on GovDelivery