HIPAA Privacy Rule: WHAT?
Limited Data Sets

A Limited Data Set (LDS) is an exception to the Privacy Rule requirement for an authorization from the subject for research use of protected health information. A LDS lacks 16 of the 18 identifiers itemized by the Privacy Rule. Specifically, a LDS does NOT include the following identifiers:

  • Name;
  • Postal address information, other than town or city, State, and zip codes;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

An LDS may contain, for example:

  • Dates of birth
  • Dates of death
  • Dates of service
  • Town or city
  • State
  • Zip code

The difference between a LDS and de-identified information is that a LDS may contain dates and certain geographic information associated with an individual that are absent from de-identified information.

PURPOSES FOR USE OF A LIMITED DATA SET:

A covered entity may use or disclose a LDS only for the purposes of research, public health, or health care operations (45 CFR § 164.514(e)(3)(i)).

ACTION NEEDED:

Certification for Use of a Limited Data Set:

If any of the following statements are true, please execute a Certification for Use of a Limited Data Set:

You are: (1) using a LDS that you prepared from your own data; (2) employed within the UW HCC and are using a LDS that you received from a source within the UW HCC; or (3) employed in an entity that is part of the UW ACE and you are using a LDS that you received from a source within the ACE.

Data Use Agreement:

If you are using a LDS created by a person or entity outside of the UW HCC or UW ACE and you have received a Data Use Agreement from that person or entity, then please refer to the Data Use Agreement Evaluation form for a list of elements that must be present in the agreement. Forward the agreement to RSP for signature as outlined below.

If you are disclosing a LDS to a person or entity outside of the UW HCC or UW ACE, please obtain that person’s or entity’s signature on the UW-Madison standard Data Use Agreement and forward the agreement to RSP for signature as outlined below. Please see Key Definitions for the Data Use Agreement if you are unsure about the meaning of any of the terms used in the Data Use Agreement.

In order for a Data Use Agreement to be valid, it must be signed by the appropriate institutional officials. Use of a LDS without a valid Data Use Agreement in place is a violation of the Privacy Rule. Whether you are using a UW-Madison standard Data Use Agreement, or a Data Use Agreement you received from a person or entity outside of the UW HCC or UW ACE, you must forward the agreement to RSP along with a Transmittal Form for approval and signature by a UW official authorized by the Board of Regents of the UW System to sign contracts. Once the Data Use Agreement is signed by all parties, you may begin using the LDS.

IRB REMINDERS:

Copies of data use agreements for research use of LDSs must be submitted to the IRB with applications for initial review, exemption or change of protocol. The IRB does not approve data use agreements, but needs to maintain copies in the committee files. If the purpose of the LDS involves a collaboration or a subcontract, the protocol must be approved by a UW prior to disclosure of the LDS.


Last updated: April 23, 2004