What is a Limited Data Set Under HIPAA?


A limited data set under HIPAA is a set of identifiable healthcare data that the HIPAA Privacy Rule permits covered entities to share with certain recipients for research, public health activities, and healthcare operations without first obtaining authorization from patients, provided certain conditions are met.

Unlike de-identified protected health information, which is no longer classed as PHI under the HIPAA Rules, a limited data set under HIPAA is still identifiable protected health information. It therefore remains subject to the HIPAA Privacy Rule.

A HIPAA limited data set can only be shared with entities that have entered into a data use agreement with the covered entity. The data use agreement gives the covered entity satisfactory assurances that the PHI will only be used for the specified purposes, that the recipient will not further disclose the PHI, and that the requirements of the HIPAA Privacy Rule will be adhered to.

The data use agreement, which must be in place before the limited data set is shared, should cover the following:

  • The permitted uses and disclosures of the data
  • The approved recipients and users of the data
  • An agreement that the data will not be used to contact individuals or to re-identify them
  • The safeguards that must be in place to ensure the confidentiality of the data and to prevent prohibited uses and disclosures
  • A requirement that the discovery of any improper use or disclosure be reported to the covered entity
  • A requirement that any subcontractors who need to view or use the data also enter into a data use agreement and agree to comply with its terms.

In all cases, the HIPAA minimum necessary standard applies: the information in the data set must be limited to what is necessary to accomplish the purpose for which it is shared.

What Information Must be Removed From a Limited Data Set Under HIPAA?

Under HIPAA Rules, a limited data set cannot contain any of the following information: