What Does a Limited Data Set Mean Under HIPAA?

A limited data set, as defined in the HIPAA Privacy Rule, is a set of identifiable healthcare data that covered entities are allowed to share with specific entities for reasons including research, public health activities, and healthcare operations without the need to obtain prior patient authorization, if specified conditions are satisfied.

Unlike de-identified protected health information (PHI), which is not classified as PHI, a limited data set is considered to be identifiable protected information. Consequently, it is governed by HIPAA Privacy and Security Rules.

A HIPAA limited data set may only be shared between entities that have a data use agreement in place. With the signed agreement, the covered entity gets a satisfactory guarantee that:

  • the data set will only be used for allowable purposes
  • the entity with which PHI is shared will ensure it is appropriately protected
  • the entity will ensure the requirements of the HIPAA Privacy Rule And HIPAA Security Rule are met

The data use agreement must be signed by the entity prior to sharing of the limited data set and should include the following information:

  • Permitted uses and disclosures
  • Authorized recipients and users of the limited data set
  • An agreement that the data won’t be utilized for contacting persons or re-identifying them
  • Require safety measures to be enforced to ensure the privacy of data and avoid prohibited uses and disclosures
  • Indicate the need to report to the covered entity any discovery of improper uses and disclosures
  • Indicate that subcontractors who need access to data must also sign a data use agreement and agree to comply with all requirements of the agreement

In all instances, the HIPAA minimum necessary standard is applicable, and the data set should only include the information that is necessary to complete the tasks for which it is shared.

Some information should be taken out of a limited data set as per HIPAA Rules. It should not include any of these data:

  • Names
  • Street addresses or postal address information except for town/city, state and zip code
  • Telephone/Fax numbers
  • E-mail addresses
  • URLs and IP addresses
  • Medical records numbers
  • Health plan beneficiary numbers
  • Social Security numbers
  • Other account numbers
  • Certificate and license numbers
  • Device identifiers and serial numbers
  • Vehicle identifiers and serial numbers, such as license plates
  • Biometric identifiers including fingerprints, voice prints and retinal scans
  • Full face photos and similar images