A limited data set under HIPAA is protected health information that has been stripped of specified direct identifiers and that a HIPAA Covered Entity may use or disclose for research, public health activities, or health care operations under the HIPAA Privacy Rule when a compliant data use agreement is in place.
A limited data set is not de-identified information. It remains protected health information because it can include certain elements that may permit identification when combined with other data. Organizations should treat a limited data set as regulated information subject to applicable privacy and security controls, including access restrictions and online HIPAA training aligned with the organization’s policies.
The HIPAA Privacy Rule allows a limited data set to include some information that is not permitted in de-identified data: dates directly related to an individual (for example admission, discharge, birth, and death dates) and geographic information at the level of town or city, state, and ZIP code. A limited data set also can include other clinical and operational fields needed for the approved purpose. The direct identifiers listed at 45 CFR 164.514(e)(2) must be removed, for the individual and for the individual's relatives, employers, and household members: names; postal address information other than town or city, state, and ZIP code; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers, including finger and voice prints; and full-face photographic images and any comparable images.
A covered entity or business associate that discloses a limited data set must have a data use agreement with the recipient. The data use agreement must establish the permitted uses and disclosures, identify who is permitted to use or receive the limited data set, and require the recipient to use appropriate safeguards to prevent any use or disclosure the agreement does not permit, to report to the covered entity any use or disclosure not provided for by the agreement of which it becomes aware, and to ensure that any agents, including subcontractors, to whom it provides the limited data set agree to the same restrictions. It also must prohibit the recipient from using or further disclosing the information other than as permitted by the agreement or required by law, and from re-identifying the information or contacting the individuals.
A limited data set can support analytics, outcomes studies, quality assessment, population health measurement, and other permitted functions where direct identifiers are not required. When the limited data set is maintained or transmitted electronically, administrative, physical, and technical safeguards under the HIPAA Security Rule apply to the covered entity or business associate that holds the data. The HIPAA Minimum Necessary Rule remains relevant when creating and disclosing a limited data set, since the included fields should align with the stated purpose in the data use agreement.
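The two controls described above, stripping the direct identifiers and limiting the remaining fields to what the data use agreement names, can be enforced in one export step. The following Python is an added example, not code from the original page or from any HIPAA tool: it applies a deny-list of direct-identifier fields, an allow-list taken from the data use agreement (the minimum necessary check), and a scan of free-text values for identifier-shaped strings, since phone numbers and email addresses often survive in notes fields even after the structured columns are dropped. The field names, the sample record, and the DUA field list are hypothetical; real schemas and agreements will differ, and the regular expressions are heuristics for catching obvious leaks, not a substitute for review.

```python
"""Build a HIPAA limited data set (LDS) from a structured record.

Added example, not from the original page. Enforces:
1. deny-list: fields holding the 16 direct identifiers of 45 CFR 164.514(e)(2)
   are never exported;
2. allow-list: only fields named in the data use agreement (minimum necessary)
   are exported;
3. free-text scan: remaining string values are checked for identifier-shaped
   text (SSN, phone, email, IPv4 address, URL) and the export fails if any is found.
Field names, the sample record and the DUA allow-list are hypothetical.
"""
import re
from typing import Any

# Hypothetical column names mapping to the direct identifiers of 164.514(e)(2).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Heuristic patterns for identifier-shaped values hiding in free text.
# These are deliberately simple; they catch common leaks, not every format.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


class LimitedDataSetError(ValueError):
    """Raised when a record cannot be exported as a limited data set."""


def validate_allow_list(dua_fields: set[str]) -> None:
    """Reject a DUA field list that names a direct identifier.

    A data use agreement cannot authorize inclusion of a direct identifier,
    so a misconfigured allow-list is treated as a hard error.
    """
    bad = dua_fields & DIRECT_IDENTIFIER_FIELDS
    if bad:
        raise LimitedDataSetError(
            f"DUA field list includes direct identifiers: {sorted(bad)}")


def scan_free_text(value: Any) -> list[str]:
    """Return the names of identifier patterns found in a string value."""
    if not isinstance(value, str):
        return []
    return [name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(value)]


def build_limited_data_set(record: dict[str, Any], dua_fields: set[str]) -> dict[str, Any]:
    """Return the subset of `record` that may be released under the DUA.

    Drops every direct-identifier field and every field not named in the
    DUA; fails closed if a surviving free-text value looks like an identifier.
    """
    validate_allow_list(dua_fields)
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field not in dua_fields:
            continue  # deny-list, then minimum-necessary allow-list
        hits = scan_free_text(value)
        if hits:
            raise LimitedDataSetError(
                f"field {field!r} contains identifier-shaped text: {hits}")
        out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "street_address": "12 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "admit_date": "2024-03-01",
    "discharge_date": "2024-03-04",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up arranged; patient stable.",
}

# Hypothetical field list copied from the data use agreement.
DUA_FIELDS = {"city", "state", "zip", "admit_date", "discharge_date",
              "diagnosis_code", "notes"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_limited_data_set(SAMPLE_RECORD, DUA_FIELDS), indent=2))
```

The allow-list is validated before any record is processed so that a DUA field list containing, say, "email" is rejected at configuration time rather than silently exporting an identifier; the free-text scan fails the whole export rather than redacting, because a record that needs redaction is evidence the upstream extraction is wrong and should be fixed there.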
Online HIPAA Training
Online HIPAA training supports compliant use of limited data sets by ensuring workforce members understand when a dataset remains protected health information and what conditions apply to its use and disclosure under the HIPAA Privacy Rule and the HIPAA Security Rule. Training should be assigned to employees, clinicians, contractors, volunteers, students, and temporary staff whose duties may involve creating, disclosing, receiving, or analyzing limited data sets, with onboarding training completed within three months of hire and refresher training completed annually, plus additional training when policies change, new analytics tools are deployed, or an incident occurs. Training content should cover the direct identifiers that must be removed, the permitted purposes for using or disclosing limited data sets, and the operational steps for executing and following a data use agreement, including recipient restrictions, safeguard and reporting requirements, and the prohibition on re-identifying the information or contacting the individuals. Knowledge checks, completion certificates, and administrative reporting support documentation and oversight.

