A Limited Data Set is a data set that is stripped of certain direct identifiers specified in the HIPAA Privacy Rule. A Limited Data Set may be disclosed to an outside party without a patient’s authorization only if the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.
Limited Data Sets may include only the following identifiers:
- Dates, such as admission, discharge, service, and date of birth (DOB)
- City, state, and zip code (not street address)
- Age
- Any other unique code or identifier that is not listed as a direct identifier.
This means that in order for a data set to be a Limited Data Set, all of the following direct identifiers as they relate to the individual or his/her relatives, employers, or household members must be removed:
- Names
- Street addresses (other than town, city, state, and zip code)
- Telephone and fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/driver’s license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Biometric identifiers
- Full face photographic images and any comparable images.
NOTE: A Limited Data Set is still Protected Health Information (PHI) under HIPAA. It is not De-Identified Data, as that term is defined under HIPAA, and thus must be safeguarded and protected as required under the Privacy Rule. For more information about the difference between Fully Identifiable Data, a Limited Data Set, and a De-Identified Data Set, check out the following HIPAA Data Reference Guide.