Limited Data Set - HIPAA Research
In research subject to HIPAA (the Health Insurance Portability and Accountability Act), a limited data set refers to health information that excludes certain direct identifiers of individuals and their relatives, household members, and employers. A limited data set may be disclosed to an outside party without the patient's authorization if certain conditions are met:
- The purpose of the disclosure may only be for research, public health or health care operations;
- A researcher anticipating receipt of a Limited Data Set must work with their home institution to enter into a Data Use Agreement (DUA) with the institution providing the information.
For information to be a limited data set, all of the following identifiers must be removed:
- Names;
- Street addresses (other than town, city, state and zip code);
- Telephone numbers;
- Fax numbers;
- E-mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plates;
- Device identifiers and serial numbers;
- URLs;
- IP address numbers;
- Biometric identifiers (including finger and voice prints); and
- Full face photos (or comparable images).
The health information that may remain in the information disclosed includes:
- Dates such as admission, discharge, service, date of birth, date of death;
- City, state, five-digit or more zip code; and
- Ages in years, months or days or hours.
It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
Since a limited data set is still PHI, as noted above, a Data Use Agreement (DUA) would be needed for limited data sets. For DUA inquiries, please reach out to Quinton King for additional information.
