limited data set (HIPAA)

HIPAA's Privacy Rule makes provisions for a "limited data set," authorized only for public health, research, and health care operations purposes.
A limited data set must have all direct identifiers removed, including:
- name and social security number;
- street address, e-mail address, telephone and fax numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers;
- full face photos and any other comparable images;
- medical record numbers, health plan beneficiary numbers, and other account numbers;
- device identifiers and serial numbers; and
- biometric identifiers, including finger and voice prints.
A limited data set could include the following (potentially identifying) information:
- admission, discharge, and service dates;
- dates of birth and, if applicable, death;
- age (including age 90 or over); and
- five-digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes (except street address).
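The two lists above amount to a field-level policy: drop every direct identifier, keep dates, age and coarse geography. The following Python is an added illustration, not part of the original entry and not any regulator's or vendor's tool; the record key names (such as "mrn", "zip", "admit_date") are assumed names for the categories the entry lists. It enforces the policy as an allowlist rather than a denylist, so any field not explicitly permitted (including ones nobody anticipated) is dropped by default, normalizes zip codes to five digits, and provides a pre-disclosure check that raises if a direct identifier survives.

```python
"""Produce and verify a HIPAA-style "limited data set" (added example).

Field names are assumed keys for the categories named in the entry,
not names defined by HIPAA itself.
"""

# Direct identifiers that must be removed (one or more assumed key names
# per category listed in the entry).
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn",
    "street_address", "email", "phone", "fax",
    "certificate_number", "license_number",
    "vehicle_id", "vehicle_serial",
    "face_photo", "comparable_image",
    "mrn", "health_plan_id", "account_number",
    "device_id", "device_serial",
    "fingerprint", "voiceprint",
})

# Potentially identifying fields the entry says a limited data set may keep.
PERMITTED_IDENTIFYING = frozenset({
    "admit_date", "discharge_date", "service_date",
    "birth_date", "death_date",
    "age",                       # age 90 or over is allowed here
    "zip", "state", "county", "city", "precinct", "geocode",
})

# Non-identifying clinical payload (assumed keys, for illustration only).
CLINICAL = frozenset({"diagnosis", "procedure", "lab_results"})

# Allowlist: everything else, known or unknown, is dropped.
ALLOWED = PERMITTED_IDENTIFYING | CLINICAL


class LimitedDataSetError(ValueError):
    """Raised when a record would not qualify as a limited data set."""


def _five_digit_zip(value):
    """Keep only the five-digit zip; ZIP+4 suffixes are stripped."""
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    if len(digits) < 5:
        raise LimitedDataSetError(f"zip code too short: {value!r}")
    return digits[:5]


def to_limited_data_set(record):
    """Return a new dict holding only allowlisted fields of `record`."""
    if ALLOWED & DIRECT_IDENTIFIERS:
        raise LimitedDataSetError("allowlist overlaps direct identifiers")
    out = {}
    for key, value in record.items():
        if key not in ALLOWED:
            continue                       # direct identifier or unknown field
        if key == "zip":
            value = _five_digit_zip(value)
        out[key] = value
    return out


def dropped_fields(record):
    """Fields that to_limited_data_set() would remove, for audit logging."""
    return set(record) - ALLOWED


def verify_limited_data_set(record):
    """Pre-disclosure check: True if `record` holds no direct identifier,
    no non-allowlisted field, and only five-digit zip codes; else raises."""
    bad = set(record) & DIRECT_IDENTIFIERS
    if bad:
        raise LimitedDataSetError(f"direct identifiers present: {sorted(bad)}")
    unknown = set(record) - ALLOWED
    if unknown:
        raise LimitedDataSetError(f"fields outside allowlist: {sorted(unknown)}")
    if "zip" in record and record["zip"] != _five_digit_zip(record["zip"]):
        raise LimitedDataSetError("zip code is not five digits")
    return True


# Constructed sample record (not real data) exercising every branch.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "email": "jane@example.invalid",
    "street_address": "1 Example St",
    "zip": "02115-4301",          # ZIP+4, normalized to five digits
    "state": "MA",
    "birth_date": "1931-04-02",
    "admit_date": "2023-05-10",
    "age": 92,                    # over 90 is permitted in a limited data set
    "diagnosis": "I10",
    "insurer_notes": "free text", # unanticipated field, dropped by allowlist
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("dropped:", sorted(dropped_fields(SAMPLE_RECORD)))
    print("limited data set:", lds, "verified:", verify_limited_data_set(lds))
```

Run it and the direct identifiers and the unknown "insurer_notes" field are gone while the dates, age 92, state and the five-digit zip remain. In practice the allowlist should be reviewed against the actual schema before each new disclosure, since a new column added upstream is silently dropped here rather than silently released.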
Covered entities must condition the disclosure of the limited data set on execution of a "data use agreement," which
- establishes the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations;
- limits who can use or receive the data; and
- requires the recipient to agree not to re-identify the data or contact the individuals.
In addition, the data use agreement must contain adequate assurances that the recipient will use appropriate physical, technical and administrative safeguards to prevent use or disclosure of the limited data set other than as permitted by HIPAA and the data use agreement, or as required by law.

These assurances are similar to the requirements for business associate contracts. As with such agreements, the recipient is required to report to the covered entity any improper uses or disclosures of which it becomes aware.
Conversely, if a covered entity becomes aware of a violation of the data use agreement, it must take reasonable steps to remedy the problem or, if unsuccessful, discontinue disclosure of PHI to the recipient and report the problem to DHHS.
The minimum necessary standard governs covered entities' disclosures, and recipients' uses, of limited data sets. The covered entity may place reasonable reliance that a requested disclosure is indeed the minimum necessary for the stated purposes, or make its own determination that a lesser amount of information would be sufficient.