Paubox blog: HIPAA compliant email made easy

Does HIPAA apply to limited data sets?

Written by Kirsten Peremore | June 17, 2024

Using limited data sets helps healthcare entities remain HIPAA compliant as they pursue research, public health, and healthcare operations activities. Organizations can avoid the risks of handling full patient records by working with data that has reduced personal details.

How HIPAA defines limited data sets

The Privacy Rule, specifically Section 164.514, defines a limited data set as “...protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual…”

These data sets remove all direct personal identifiers, such as names, complete addresses, email addresses, and social security numbers. What remains is less identifiable information like the city, state, and relevant dates (e.g., birth or treatment dates). This allows researchers, public health officials, and healthcare operations teams to access and use this data without risking patient confidentiality.

In healthcare, limited data sets enable breakthroughs in medical research, help track disease patterns for better public health responses, and improve the effectiveness of healthcare operations through data analysis. For instance, researchers might use these sets to examine the outcomes of patients across different demographics without knowing who those patients are. Public health officials could analyze the spread of chronic disease in various zip codes to allocate resources more efficiently.

 

Why HIPAA compliant email should be used to share limited data sets 

Even though limited data sets exclude direct identifiers and contain less identifiable protected health information (PHI), using HIPAA compliant email to share them prevents even the narrow chance of PHI exposure. By using these secure email services, healthcare organizations can efficiently and safely share limited data sets for purposes like research, public health analysis, or healthcare operations. These systems incorporate features like advanced encryption methods and access controls. This prevents breaches, keeping sensitive health information such as treatment dates and locations confidential.

 

The steps to making use of limited data sets

  1. Prepare the data: Remove all direct identifiers from the PHI as defined by HIPAA. This includes names, all geographic subdivisions smaller than a state (except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people), and other specific identifiers like social security numbers, phone numbers, etc.
  2. Create a data use agreement (DUA): Draft and execute a DUA between the covered entity and the recipient of the limited data set. The DUA must:

  • Establish the permitted uses and disclosures of the limited data sets, ensuring they are limited strictly to the purposes of research, public health, or healthcare operations.
  • Require the recipient to ensure the data's confidentiality and security.
  • Prohibit the recipient from using or disclosing the information in a manner that would violate the Privacy Rule if done by the covered entity.

  3. Ensure the use of security measures: Although limited data sets are not as sensitive as full PHI, they still require protection. This could include secure databases, encryption, and access controls.
  4. Use or disclose the data: Once the DUA is in place and the data is prepared and protected, the covered entity can use or disclose it according to the established purposes.


FAQs

What can limited data sets be used for?

Limited data sets can be used for research, public health purposes, and healthcare operations. These uses do not require patient authorization but must be governed by a data use agreement.

 

What is a data use agreement (DUA)?

A data use agreement is a legal contract between the entity providing the limited data set and the recipient. It outlines the permitted uses and disclosures of the data and ensures that the recipient will protect the privacy and security of the information.

 

What is the difference between a limited data set and fully deidentified data?

A limited data set removes only certain direct identifiers, while fully deidentified data removes all information that could potentially identify an individual.

 

Is patient authorization required to use a limited data set?

No, patient authorization is not required to use or disclose a limited data set as long as a data use agreement is in place.