What are Limited Data Sets and Data Use Agreements?

Modified on Mon, 18 Dec 2023 at 02:59 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



Under the HIPAA Privacy Rule, a limited data set is protected health information (PHI) that excludes certain direct identifiers of an individual, or certain direct identifiers of relatives, employers, or household members of the individual. 


What is a Direct Identifier?

Under HIPAA, a direct identifier is information that relates specifically to an individual. HIPAA designates the following information as direct identifiers:


  1. Names
  2. Postal address information, other than town or city, State, and zip code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate and license numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Device identifiers and serial numbers
  13. Web Universal Resource Locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (including fingerprints and voice prints)
  16. Full-face photographic images and any comparable images


What is the Relationship Between Direct Identifiers and a Limited Data Set?

A “limited data set” is information from which the above direct identifiers ("facial information") have been removed. All of the above-listed identifiers must be removed in order for health information to constitute a limited data set.


Is a Limited Data Set Still Considered Protected Health Information?

Yes. A limited data set is still protected health information or “PHI” under HIPAA (or electronic protected health information, if in electronic form). A limited data set may still contain the following information:

1. Dates such as admission, discharge, service, DOB, DOD;
2. City, state, five-digit or more zip code; and
3. Ages in years, months or days or hours.


For a limited data set to lose its status as PHI, the above three pieces of information must be removed. At that point, what is left is de-identified patient data (health information from a medical record that has been stripped of all “direct identifiers”)—that is, all information that can be used to identify the patient from whose medical record the health information was derived, not just the 16 direct identifiers listed above.
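The following is an added illustration, not code from this article or from Compliancy Group, of how the two rules above can be enforced on a record before it is released as a limited data set: the 16 direct identifier categories are dropped by field name, and free-text fields are scanned for identifiers that tend to hide in notes (SSNs, e-mail addresses, phone numbers, IP addresses, URLs), while dates, city/state/zip and ages pass through untouched. The field names, the regular expressions and the sample record are all assumptions constructed for this example; a real deployment would map them to its own schema and treat each pattern match as something to review rather than as proof.

```python
import re
from typing import Dict, List

# Field names assumed for this example; they stand in for the 16 HIPAA
# direct identifier categories listed above. Adapt them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Conservative patterns for direct identifiers that often hide inside free
# text. A match is a finding to review; false positives are acceptable here.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def to_limited_data_set(record: Dict[str, object]) -> Dict[str, object]:
    """Drop the direct identifier fields. Dates, city/state/zip, ages and
    clinical content are passed through unchanged, as the Privacy Rule allows."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def find_residual_identifiers(record: Dict[str, object]) -> List[str]:
    """List every place a direct identifier is still present: either as a
    known identifier field, or as a pattern inside a string value."""
    findings = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"{field}: direct identifier field present")
        if isinstance(value, str):
            for kind, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{field}: contains {kind}")
    return findings


def is_limited_data_set(record: Dict[str, object]) -> bool:
    """True only when no direct identifier remains anywhere in the record."""
    return not find_residual_identifiers(record)


def redact_free_text(record: Dict[str, object]) -> Dict[str, object]:
    """Mask identifier patterns inside string values so that notes and
    similar free-text fields can stay in the limited data set."""
    cleaned = {}
    for field, value in record.items():
        if isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
        cleaned[field] = value
    return cleaned


# Constructed sample record; every value below is made up for the example.
SAMPLE_PHI = {
    "name": "Jane Example",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1975-04-02",
    "admission_date": "2023-11-30",
    "age_years": 48,
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reachable at 555-123-4567 for follow-up.",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_PHI)
    # Dropping the identifier fields is not enough: the phone number in the
    # notes field still disqualifies the record until it is redacted.
    print("residual identifiers:", find_residual_identifiers(lds))
    print("LDS after redaction:", is_limited_data_set(redact_free_text(lds)))
```

Running the script shows the point the article makes by implication: removing identifier columns alone leaves a record that is still not a limited data set when a free-text field carries a phone number, and only after that value is redacted does the check pass.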


What is the Significance of Information Comprising a Limited Data Set (LDS)? 

Disclosures of a “limited data set,” as PHI, are subject to the HIPAA Privacy Rule's use and disclosure provisions. However, limited data sets are NOT subject to the HIPAA accounting requirements. HIPAA accounting requirements mandate that a patient or research subject has the right to request a written record (an accounting) when a covered entity has made certain disclosures of that person’s protected health information (“PHI”). The accounting must include all covered disclosures in the six years prior to the date of the person’s request.


A covered entity may, without prior written patient authorization, disclose an LDS for public health purposes, including those that are emergency preparedness activities. To do this, the covered entity must enter into a data use agreement. 


What is a Data Use Agreement?

A data use agreement is an agreement between a covered entity and a researcher, such as a genetics researcher or infectious disease researcher. Under the HIPAA Privacy Rule, a covered entity is allowed to disclose medical information to a researcher. “Research” is defined as any systematic investigation designed to develop or contribute to generalizable knowledge. 


The Privacy Rule permits a covered entity to disclose a limited data set to a researcher, provided that the covered entity obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the protected health information for limited purposes.


What Provisions Must a Data Use Agreement Contain?

A data use agreement between the covered entity and the researcher must:


  1. Establish the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the Privacy Rule.
  2. Establish who is permitted to use or receive the limited data set; and
  3. Provide that the limited data set recipient (the researcher) will:

     a. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
     b. Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for by the data use agreement;
     c. Report to the covered entity any use or disclosure of the information other than as provided for by the data use agreement;
     d. Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; and
     e. Not identify the information or contact the individuals who are research subjects.


Can a Business Associate Create a Limited Data Set?

The HIPAA Privacy Rule provides that a covered entity may disclose PHI to a business associate, in order for the business associate to create a limited data set. That is, the covered entity may provide protected health information, including direct identifiers, to a business associate who is also the intended data recipient, to create a limited data set of the information responsive to the recipient’s request. However, the data recipient, as a business associate, must agree to return or destroy the information that includes the direct identifiers once it has completed the conversion for the covered entity. The data use agreement between the covered entity (CE) and the business associate (BA) covers what the BA is permitted to disclose.

