Limited Data Sets and HIPAA

In specific circumstances, HIPAA covered entities are allowed to share sets of identifiable healthcare information, known as limited data sets, with authorized institutions and remain in compliance with the HIPAA Privacy Rule. In such cases, data can be shared for research, public health information, and healthcare operations without obtaining permission from patients.

Limited data sets contain identifiable protected information and they should not be confused with de-identified protected health information. Where HIPAA does not consider de-identified protected health information to be the same as protected health information (PHI), limited data sets are still seen as PHI and are subject to the HIPAA Privacy Rule.

Covered entities can only give HIPAA limited data sets with organizations that they have signed data use agreements with. The purpose of the agreement is to bind the partner organization to only using the PHI for permitted reasons, to not allow the PHI to be shared with other parties, and to ensure the HIPAA Privacy Rule will be respected.

PHI cannot be shared until a data use agreement is in place. The agreement should define:

  • Approved uses and disclosures
  • Authorized recipients and users of the data
  • Assurances that the data will not be used to contact or identify patients
  • The protections to put in place to secure the confidentiality of data and prevent prohibited uses and disclosures
  • How the discovery of improper uses and disclosures should be reported to the covered entity
  • That any subcontractors that access or use the data also enter into a data use agreement and agree to comply with the terms

The entire data transaction is subject to the Minimum Necessary Standard, meaning that only the minimum data needed to conduct the research or other authorized activity is to be shared.

What Information is to be Redacted From a HIPAA Limited Data Set?

While limited data sets can contain identifiable healthcare information, the following types of data must be removed before sharing:

  • Names
  • Street or postal addresses, beyond town/city, state, and zip code
  • Telephone or fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Other account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • URLs and IP addresses
  • Biometric identifiers e.g. fingerprints, retinal scans, voice prints
  • Photographs depicting the person’s full face and similar images