Under HIPAA, a limited data set is protected health information (PHI) that excludes certain direct identifiers of an individual, or certain direct identifiers of relatives, employers, or household members of the individual.
What is a Direct Identifier?
Under HIPAA, a direct identifier is Information that relates specifically to an individual. HIPAA designates the following information as direct identifiers:
- Names
- Postal address information, other than town or city, State, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health-plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (including fingerprints and voice prints)
- Full-face photographic images and any comparable images
What is the Relationship Between Direct Identifiers and a Limited Data Set?
A “limited data set” is information from which the above direct identifiers have been removed. All of the above-listed identifiers must be removed in order for health information to be a limited data set.
Is a Limited Data Set Still Considered Protected Health Information?
Yes. A limited data set is still protected health information or “PHI” under HIPAA (or electronic protected health information, if in electronic form).
For patient data to lose its status as PHI, that information must be de-identified. De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived, not just the direct identifiers listed above.
Therefore, since a limited data set is PHI, is still subject to the use and disclosure requirements and restrictions of the HIPAA Privacy Rule.
What is the Significance of Information Comprising a Limited Data Set?
Disclosures of a “limited data set” are not subject to the HIPAA accounting requirements. HIPAA accounting requirements mandate that a patient or research subject has the right to request a written record (an accounting) when a covered entity has made certain disclosures of that person’s protected health information (“PHI”). The accounting must include all covered disclosures in the six years prior to the date of the person’s request.
A covered entity may also disclose a LDS for public health purposes, including those that are emergency preparedness activities. The covered entity must have a data use agreement in order to disclose the limited data set (LDS).