DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses two related HIPAA Privacy Rule terms: limited data set and data use agreement. A limited data set is PHI from which certain direct identifiers have been removed. Covered entities frequently disclose limited data sets to researchers. The document governing the researcher's use and disclosure of the limited data set is not a business associate agreement but a data use agreement, under which the researcher agrees to use or disclose the PHI only for limited purposes.
What PHI is Contained in a Limited Data Set?
Under the HIPAA Privacy Rule, a limited data set is protected health information (PHI) that excludes certain direct identifiers of an individual, or certain direct identifiers of relatives, employers, or household members of the individual.
What is a Direct Identifier?
Under HIPAA, a direct identifier is information that relates specifically to an individual. HIPAA designates the following information as direct identifiers:
- Names
- Postal address information, other than town or city, State, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (including fingerprints and voice prints)
- Full-face photographic images and any comparable images
What is the Relationship Between Direct Identifiers and a Limited Data Set?
A “limited data set” is health information from which the 16 direct identifiers listed above (sometimes called “facial” identifiers) have been removed. All of the above-listed identifiers must be removed in order for health information to constitute a limited data set; removing only some of them does not produce a limited data set.
Is a Limited Data Set Still Considered Protected Health Information?
Yes. A limited data set is still protected health information or “PHI” under HIPAA (or electronic protected health information, if in electronic form). A limited data set may still contain the following information:
1. Dates, such as admission, discharge, and service dates, date of birth, and date of death;
2. City, state, and five-digit or longer ZIP code; and
3. Ages in years, months, days, or hours.
Only when these remaining elements are also removed (or a qualified expert determines that the risk of re-identification is very small) does the information stop being PHI. Under the Privacy Rule's safe-harbor de-identification method, that means stripping 18 categories of identifiers: the 16 direct identifiers above, plus all elements of dates (other than year) directly related to the individual and ages over 89, geographic subdivisions smaller than a state (with a narrow exception for the first three digits of a ZIP code), and any other unique identifying number, characteristic, or code. What is left is de-identified data, which HIPAA no longer regulates. Until that point, a limited data set remains PHI and must be safeguarded as such.
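The field-by-field rules above are easy to state and easy to get wrong in practice, because a structured filter that drops the named columns cannot see a phone number or e-mail address that a clinician typed into a free-text note. The following Python is an added example written for this article, not code from Compliancy Group or from any HIPAA tooling; the field names, the sample record, and the regular expressions are assumptions chosen for illustration (the patterns cover only identifiers that have a recognizable textual shape, so they catch nothing like biometrics, photographs, or an arbitrary medical record number format). It builds a limited data set by removing the 16 direct-identifier fields while keeping dates, city/state/ZIP, and ages, then scans the result for identifiers hiding in free text and redacts them before release.

```python
import re
from typing import Any

# Assumed column names mapped onto the 16 direct-identifier categories of
# 45 CFR 164.514(e)(2). Adapt these to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name",
    "street",            # postal address other than city, state, ZIP
    "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "full_face_photo",
}

# Elements a limited data set MAY keep (it is still PHI with these present).
RETAINABLE_FIELDS = {
    "city", "state", "zip",
    "admission_date", "discharge_date", "service_date", "dob", "dod",
    "age_years", "age_months", "age_days", "age_hours",
}

# Illustrative patterns for direct identifiers that tend to hide in free text.
# Assumed shapes; not exhaustive and not a substitute for review.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Constructed sample record (fictional data), including a free-text note that
# repeats two direct identifiers that the column filter alone would miss.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "217-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "admission_date": "2023-03-14",
    "discharge_date": "2023-03-18",
    "dob": "1980-07-01",
    "age_years": 43,
    "diagnosis_code": "J18.9",
    "clinical_note": "Pt improving. Follow-up via jane@example.com or 217-555-0100.",
}


def to_limited_data_set(record: dict) -> dict:
    """Drop the direct-identifier columns; everything else passes through.

    A limited data set is defined by what is removed, so fields this
    function does not know about (diagnosis codes, notes) are retained.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def scan_for_direct_identifiers(lds: dict) -> list:
    """Return (field, kind, match) for each identifier found inside string values."""
    findings = []
    for field, value in lds.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.findall(value):
                findings.append((field, kind, match))
    return findings


def redact_free_text(lds: dict) -> dict:
    """Replace every pattern match in string fields with a type tag."""
    cleaned = {}
    for field, value in lds.items():
        if isinstance(value, str):
            for kind, pattern in PATTERNS.items():
                value = pattern.sub(f"[{kind.upper()} REMOVED]", value)
        cleaned[field] = value
    return cleaned


def prepare_for_release(record: dict) -> dict:
    """Column filter, then free-text redaction, then a final scan that must be clean."""
    lds = redact_free_text(to_limited_data_set(record))
    leftovers = scan_for_direct_identifiers(lds)
    if leftovers:
        raise ValueError(f"direct identifiers remain after redaction: {leftovers}")
    return lds


if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("after column filter:", scan_for_direct_identifiers(lds))
    print("release candidate:", prepare_for_release(SAMPLE_RECORD))
```

The first scan reports the e-mail address and phone number inside `clinical_note` even though the `email` and `phone` columns are gone; only after `redact_free_text` does the release check pass. The output still carries dates, ZIP code, and age, so it is a limited data set, not de-identified data, and must be handled under a data use agreement.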
What is the Significance of Information Comprising a Limited Data Set (LDS)?
Disclosures of a limited data set are exempt from certain HIPAA requirements. One is the accounting-of-disclosures requirement, under which an individual has the right to request a written record (an accounting) of certain disclosures of his or her PHI that a covered entity has made. Disclosures of a limited data set need not be included in that accounting.
Limited data sets may be used or disclosed only for public health activities, health care operations, and research. For any of these purposes, a data use agreement with the recipient is required. Data use agreements in the context of research are discussed below.
What is a Data Use Agreement for Research?
A data use agreement is an agreement between a covered entity and the recipient of a limited data set, such as a genetics researcher or an infectious disease researcher. The Privacy Rule permits a covered entity to disclose PHI to a researcher for research purposes, and disclosing a limited data set under a data use agreement is one of the ways it may do so without the individual's authorization. “Research” is defined by HIPAA as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."
The Privacy Rule permits a covered entity to disclose a limited data set to a researcher provided that the covered entity obtains satisfactory assurance, in the form of a data use agreement, that the recipient will use or disclose the protected health information only for limited purposes.
What Provisions Must a Data Use Agreement Contain?
A data use agreement between the covered entity and the researcher must:
- Establish the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the Privacy Rule.
- Establish who is permitted to use or receive the limited data set; and
- Provide that the limited data set recipient (the researcher) will:
a. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
b. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
c. Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which it becomes aware;
d. Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the recipient; and
e. Not identify the information or contact the individuals who are the subjects of the data.
Can a Business Associate Create a Limited Data Set?
The HIPAA Privacy Rule allows a covered entity to disclose PHI to a business associate so that the business associate can create a limited data set on the covered entity's behalf. The covered entity may even provide the full PHI, direct identifiers included, to a business associate who is also the intended recipient, so that the business associate can build the limited data set responsive to its own request. Two conditions apply. First, the business associate must agree to return or destroy the information containing the direct identifiers once it has completed the conversion for the covered entity. Second, the business associate's subsequent use and disclosure of the resulting limited data set is governed by a data use agreement with the covered entity, exactly as it would be for any other recipient.