The data protection rule considers the creation and maintenance of a research archive or database to be a specific research activity, but the use or subsequent disclosure of information from the database by an entity covered by the database requires separate authorization, unless the use or disclosure of PHI is permitted without authorization (see below). When a research permit is obtained, the actual uses and the information actually provided must be consistent with what is stated in the authorization. The signed authorization must be retained by the registered unit for six years from the date of creation or the last date it came into force, whichever is later.

As a result, it is possible for someone to act as a business partner for the company registered with the recipient to create the “limited dataset” from a larger set of PHI. In this case, the recipient must sign both the data usage agreement and the matching agreement.

(2) Implementation specification: limited data set. A limited data set is protected health information that excludes direct identifiers of the individual or of parents, employers or members of the individual's household.

A “limited data set” is information whose “face identifiers” have been deleted. With respect to the person or their parents, employer or household members, all the following identifiers must be removed so that health information can be a “limited data set”:

At least each DUA must contain provisions regarding:

Standard accounting contains the following information for each disclosure

The data protection rule does not change the affiliation requirements.

, jurisdiction over issues relating to the protection of persons or other procedural matters nist.