A HIPAA Limited Dataset is a set of identifiable healthcare information from which specific direct identifiers have been removed in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It allows for the use and disclosure of PHI for certain purposes, such as research, without obtaining individual patient authorization, while still providing a degree of privacy protection.

The following direct identifiers of the individual or of relatives, employers, or household members of the individual must be removed for the information to qualify as a limited dataset:

  1. Names
  2. Postal address information (other than town or city, state, and ZIP Code)
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Device identifiers and serial numbers
  13. Web Universal Resource Locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (e.g., fingerprints, voiceprints)
  16. Full face photographic images and any comparable images

Here are some key characteristics and considerations related to HIPAA Limited Data Sets

  • Limited Information: A Limited Data Set contains a subset of patient information that excludes direct identifiers such as names, postal addresses, phone numbers, email addresses, social security numbers, and medical record numbers. However, it may still include some indirect identifiers like dates (birthdates, admission dates), geographic information (city, state, zip code), and unique identifying numbers.

  • Permitted Uses: Covered entities (healthcare providers, health plans, or healthcare clearinghouses) can use or disclose Limited Data Sets for specific purposes without obtaining individual authorization from patients. These purposes typically include research, public health activities, and healthcare operations.
  • Data Use Agreements: Covered entities must enter into a Data Use Agreement (DUA) with any party receiving the Limited Data Set. The DUA is a legal contract that specifies how the recipient can use and disclose the data, the security measures they must implement, and restrictions on re-identifying individuals.
  • Minimum Necessary Requirement: Covered entities are still subject to the “minimum necessary” requirement when using or disclosing Limited Data Sets. This means they should only use or disclose the minimum amount of PHI necessary to accomplish the intended purpose.
  • Security Safeguards: While Limited Data Sets do not contain direct identifiers, they still represent sensitive information, and covered entities must implement reasonable safeguards to protect them from unauthorized access or disclosure.
  • Retention Period: Covered entities must retain documentation of the Limited Data Set use and disclosure for at least six years, as the HIPAA Privacy Rule requires.

Limited Data Sets are designed to balance the need for privacy protection with the need for certain healthcare-related activities, such as research and public health reporting. By excluding direct identifiers, they reduce the risk of patient re-identification while enabling valuable uses of health information for authorized purposes. However, it’s essential for covered entities and their partners to adhere to HIPAA regulations and Data Use Agreements when handling Limited Data Sets to ensure patient privacy and compliance.