A limited data set as defined in HIPAA is a group of identifiable healthcare data that the HIPAA Privacy Rule permits covered groups to share with certain groups for research purposes, public health activities, and healthcare operations without obtaining earlier authorization from patients, if certain conditions are adhered to.
Different to de-identified protected health information, which is no longer classified as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still governed by HIPAA Privacy Rule regulations.
A HIPAA limited data set can only be distributed to groups that have signed a data use agreement with the covered body. The data use agreement gives permission to the covered entity to obtain satisfactory assurances that the PHI will only be used for specific reasons, that the PHI will not be made accessible with the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be adhered to.
The data use agreement, which must be completed before prior to the limited data set being shared, should list the following:
- Permissible uses and disclosures
- Approved recipients and those using the information
- An agreement that the information will not be used to contact people or re-identify them
- Require security measures to be put in place to ensure the confidentiality of data and stop prohibited uses and disclosures
- List the discovery of improper uses and disclosures must be made known with the covered entity
- List all subcontractors need to access or use the data also enter into a data use agreement and agree to comply with its requirements.
In every instance, the HIPAA minimum necessary standard is relevant, and information in the data set must be restricted to only the data necessary to perform the purpose for which it is shared.
What Data Must be Taken Off from a Limited Data Set Under HIPAA?
Under HIPAA Rules, a limited data set cannot include any of the following details:
- Home address details or postal addresses with the exception of town/city, state and zip code
- Contact phone/Fax numbers
- Social Security information
- Medical history numbers
- Health plan beneficiary subscriber numbers
- Other account details
- Certificate and license details
- Vehicle identifying details and serial numbers such as license plates
- Device identifying details and serial number information
- Website addresses and IP addresses
- Biometric identifying details including fingerprints, retinal scans and voice prints
- Complete face photos and comparable pictures