Limited Data Sets

A “limited data set” is a limited set of identifiable patient information as defined in the Privacy Regulations issued under the Health Insurance Portability and Accountability Act, better known as “HIPAA”. A “limited data set” of information may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health or health care operations. Second, third-parties receiving the information may be required to sign a data use agreement.

A “limited data set” is information from which “facial” identifiers have been removed. Specifically, as it relates to the individual or his or her relatives, employers or household members, all the following identifiers must be removed in order for health information to be a “limited data set”:

• names;
• street addresses (other than town, city, state and zip code);
• telephone numbers;
• fax numbers;
• e-mail addresses;
• Social Security numbers;
• medical records numbers;
• health plan beneficiary numbers;
• account numbers;
• certificate license numbers;
• vehicle identifiers and serial numbers, including license plates;
• device identifiers and serial numbers;
• URLs;
• IP address numbers;
• biometric identifiers (including finger and voice prints); and
• full face photos (or comparable images).

The health information that may remain in the information disclosed includes:

•  dates such as admission, discharge, service, DOB, DOD;
• city, state, five digit or more zip code; and
• ages in years, months or days or hours.

It is important to note that this information is still protected health information or “PHI” under HIPAA.  It is not de-identified information and is still subject to the requirements of the Privacy Regulations.