
Limited Data Sets and HIPAA

In specific circumstances, HIPAA covered entities are allowed to share sets of identifiable healthcare information, known as limited data sets, with authorized institutions and remain in compliance with the HIPAA Privacy Rule. In such cases, data can be shared for research, public health information, and healthcare operations without obtaining permission from patients.

Limited data sets contain identifiable protected information and should not be confused with de-identified protected health information. Whereas HIPAA does not consider de-identified protected health information to be the same as protected health information (PHI), limited data sets are still seen as PHI and are subject to the HIPAA Privacy Rule.

Covered entities can only share HIPAA limited data sets with organizations with which they have signed data use agreements. The purpose of the agreement is to bind the partner organization to using the PHI only for permitted reasons, to prevent the PHI from being shared with other parties, and to ensure the HIPAA Privacy Rule will be respected.

PHI cannot be shared until a data use agreement is in place. The agreement should define:

The entire data transaction is subject to the Minimum Necessary Standard, meaning that only the minimum data needed to conduct the research or other authorized activity is to be shared.

What Information is to be Redacted From a HIPAA Limited Data Set?

While limited data sets can contain identifiable healthcare information, the following types of data must be removed before sharing:
