A limited data set under HIPAA is protected health information (PHI) from which specified direct identifiers have been removed (45 CFR §164.514(e)). The HIPAA Privacy Rule permits a covered entity to use and disclose a limited data set for research, public health activities, and health care operations without obtaining an authorization from the individuals concerned, provided certain conditions are met.
In contrast to de-identified health information, which is no longer PHI under the HIPAA Rules, a limited data set is still PHI: it retains elements such as dates and ZIP codes that could be used to identify an individual. It therefore remains subject to the Privacy Rule.
A limited data set may only be disclosed to a recipient that has entered into a data use agreement with the covered entity. The data use agreement gives the covered entity satisfactory assurance that the recipient will use the PHI only for the specified purposes, will not use or further disclose it except as permitted by the agreement or required by law, and will follow the applicable requirements of the Privacy Rule.
The data use agreement, which must be in place before the limited data set is shared, must:
- Establish the permitted uses and disclosures of the limited data set
- Identify who is permitted to use or receive the data
- Provide that the recipient will not use or further disclose the data other than as permitted by the agreement or as otherwise required by law
- Provide that the recipient will not identify the information or use it to contact the individuals
- Require appropriate safeguards to protect the confidentiality of the data and prevent uses and disclosures not permitted by the agreement
- Require the recipient to report to the covered entity any use or disclosure not provided for by the agreement of which it becomes aware
- Require that any agents or subcontractors to whom the recipient provides the data agree to the same restrictions and conditions that apply to the recipient
In all cases, the HIPAA minimum necessary standard applies, and information in the data set must be limited to only the information necessary to perform the purpose for which it is disclosed.
What Information Must be Removed From a Limited Data Set Under HIPAA?
A limited data set under HIPAA cannot contain any of the following direct identifiers of the individual, or of the individual's relatives, employers, or household members:
- Names
- Postal address information other than town or city, state, and ZIP code (street addresses must be removed)
- Phone/Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Other account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Biometric identifiers such as fingerprints, retinal scans and voice prints
- Full face photos and comparable images
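As an added example (not from the HIPAA Journal article), the following Python turns a PHI record into a limited data set record along the lines of the list above: it drops the fields that hold direct identifiers, keeps town/city, state, ZIP code, dates and clinical data, and then scans the retained free-text values for identifiers that commonly leak through clinical notes (SSNs, phone numbers, e-mail addresses, URLs, IP addresses). The field names, the mapping of fields to identifier categories, and the sample record are constructed assumptions for the example; a real pipeline would map its own schema.

```python
"""Build and validate a HIPAA limited data set record.

Added example; not HIPAA Journal code. The schema (field names) and the sample
record below are constructed for illustration.
"""
import re

# Assumed field names that hold one of the direct identifiers 45 CFR 164.514(e)(2)
# requires a limited data set to exclude (for the individual and for relatives,
# employers and household members). Map your own schema here.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "relative_name", "employer",            # names
    "street_address",                               # postal info finer than town/state/ZIP
    "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial",
    "portal_url", "last_login_ip",
    "fingerprint_template", "photo",                # biometrics, full-face images
})

# Identifiers that commonly leak through free text. Dates are deliberately not
# matched: a limited data set may retain them (unlike Safe Harbor de-identification).
# URLs go first so a URL embedding an IP is redacted as a whole.
LEAK_PATTERNS = {
    "URL": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}(?!\d)"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample PHI record (fictitious data).
SAMPLE_PHI_RECORD = {
    "name": "Jane Q. Public",
    "street_address": "12 Elm Street, Apt 4",
    "city": "Springfield", "state": "IL", "zip": "62704",   # may be retained
    "phone": "(555) 123-4567",
    "email": "jane.public@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0098231",
    "health_plan_id": "HP-77-1234",
    "device_serial": "PUMP-SN-44A1",
    "portal_url": "https://portal.example.com/p/jane",
    "last_login_ip": "203.0.113.7",
    "photo": "face_0098231.jpg",
    "date_of_birth": "1951-03-09",                          # dates may be retained
    "admission_date": "2024-02-14",
    "discharge_date": "2024-02-18",
    "sex": "F",
    "diagnosis_code": "I50.9",
    "clinical_note": ("Pt's daughter (call 555-987-6543, d.public@example.com) "
                      "reports dyspnea; SSN 123-45-6789 confirmed at intake."),
}


def find_leaked_identifiers(text: str) -> list[str]:
    """Return the categories of direct identifiers found in a free-text value."""
    return [cat for cat, pat in LEAK_PATTERNS.items() if pat.search(text)]


def redact_free_text(text: str) -> str:
    """Replace each matched identifier with a category token."""
    for cat, pat in LEAK_PATTERNS.items():
        text = pat.sub(f"[REDACTED-{cat}]", text)
    return text


def make_limited_data_set(record: dict) -> dict:
    """Drop direct-identifier fields and redact leaks in the remaining strings.

    Names written into free text (e.g. a relative's name in a note) are not
    caught by regexes; many pipelines drop free-text fields entirely for that reason.
    """
    lds = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        lds[field] = redact_free_text(value) if isinstance(value, str) else value
    return lds


def validate_limited_data_set(record: dict) -> list[str]:
    """Return a list of problems; an empty list means no direct identifier was found."""
    problems = [f"field {f!r} is a direct identifier"
                for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str):
            for cat in find_leaked_identifiers(value):
                problems.append(f"field {field!r} contains {cat}")
    return problems


if __name__ == "__main__":
    print("before:", validate_limited_data_set(SAMPLE_PHI_RECORD))
    lds = make_limited_data_set(SAMPLE_PHI_RECORD)
    print("after:", validate_limited_data_set(lds))
    print(lds["clinical_note"])
```

The validation step is the part worth keeping in a real pipeline: run it on the output, not just the input, and treat any non-empty result as a release blocker, since a single SSN left in a note turns the "limited data set" back into a fully identifiable PHI disclosure that the data use agreement does not cover.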
Limited Data Sets: FAQs
What are the differences between a limited data set under HIPAA and de-identified protected health information?
A limited data set is still PHI: its use and disclosure remain subject to the Privacy Rule, and a covered entity must have a data use agreement in place with the recipient before sharing it. De-identified health information has neither requirement, because it no longer contains individually identifiable health information and is therefore not PHI.
What individually identifiable information can remain in a limited data set?
A limited data set may retain the town or city, state, and ZIP code of the individual; all dates relating to the individual (for example dates of birth, admission, discharge, and death); ages, including ages over 89; and demographic data such as sex. Additionally, there is no requirement to remove "any other unique identifying number, characteristic, or code" as there is for de-identifying protected health information; this is so even though the list of identifiers for de-identifying protected health information is very out-of-date.
What is the purpose of a limited data set if most identifiers are removed?
As mentioned in the article, a limited data set under HIPAA can be used for research purposes, public health activities, and health care operations. The retained dates, locations and clinical data are what make this possible: the set could be used, for example, to determine how many minors were treated in the emergency department, establish the proportion of male and female patients in geriatric care, or calculate what resources might be required to cope with a patient surge during a pandemic or other emergency.
Is the information left in a limited data set still protected health information?
Yes. A limited data set includes information relating to an individual's past, present, or future health conditions, treatment for those conditions, or payment for that treatment, together with information (such as dates and ZIP codes) that could be used to identify the individual. It therefore meets the definition of protected health information in 45 CFR §160.103 of the Administrative Simplification Regulations.
What happens if the recipient of a limited data set misuses the information or impermissibly discloses the information?
As soon as the covered entity learns of any misuse or impermissible disclosure, it must conduct a risk assessment to determine whether the misuse or impermissible disclosure constitutes a notifiable breach under the Breach Notification Rule. If so, the breach must be reported to the affected individual(s) and to the HHS' Office for Civil Rights. Separately, under the Privacy Rule (45 CFR §164.514(e)(4)(iii)), a covered entity that knows of a pattern of activity or practice by the recipient that materially breaches the data use agreement must take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, discontinue disclosure of PHI to the recipient and report the problem to the Secretary of HHS.
The post What is a Limited Data Set Under HIPAA? appeared first on HIPAA Journal.