In research subject to HIPAA (Health Insurance Portability and Accountability Act), a limited data set refers to health information that excludes certain direct identifiers of individuals and their relatives, household members, and employers. A limited data set may be disclosed to an outside party without the patient's authorization if certain conditions are met:

  1. The purpose of the disclosure may only be for research, public health or health care operations;
  2. A researcher anticipating receipt of a Limited Data Set must work with their home institution to enter into a Data Use Agreement (DUA) with the institution providing the information.

 

For information to be a limited data set, all the following identifiers must be removed:

  • Names;
  • Street addresses (other than town, city, state and zip code);
  • Telephone numbers;
  • Fax numbers;
  • E-mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plates;
  • Device identifiers and serial numbers;
  • URLs;
  • IP address numbers;
  • Biometric identifiers (including finger and voice prints); and
  • Full face photos (or comparable images).

The health information that may remain in the information disclosed includes:

  • Dates such as admission, discharge, service, date of birth, date of death;
  • City, state, five-digit or more zip code; and
  • Ages in years, months, days or hours.

It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.

 

Since a limited data set is still PHI, as noted above, a Data Use Agreement (DUA) would be needed for limited data sets. For DUA inquiries, please reach out to Quinton King for additional information.