Avoiding PHI Pitfalls: HIPAA Limited Data Set Rules and Best Practices
Working with protected health information is high stakes, and small oversights can create outsized risk. A HIPAA limited data set gives you a practical path to share useful information for research, public health, and health care operations while reducing re‑identification exposure.
This guide clarifies limited data set requirements, maps permitted disclosures, and outlines research data safeguards so you can maintain strong HIPAA Privacy Rule compliance without stalling analytics and innovation.
Definition of Limited Data Set
A limited data set (LDS) is PHI stripped of specific direct identifiers but still considered protected health information. Because it remains PHI, you must handle it under HIPAA and, when sharing externally, execute a data use agreement.
Direct identifiers that must be removed
- Names.
- Street address and other postal address details, except city, state, and ZIP code.
- Telephone and fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers and health plan beneficiary numbers.
- Account and certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (for example, finger or voice prints).
- Full‑face photographs and comparable images.
- Any other unique identifying number, characteristic, or code that directly identifies an individual.
What can remain in an LDS
Unlike de‑identified data, an LDS may retain dates (such as admission, discharge, service, birth, or death) and broad geography (city, state, ZIP code). Clinical variables, diagnoses, procedures, utilization, and outcomes can be included as long as direct identifiers are removed.
Permitted Uses and Disclosures
HIPAA permits use and disclosure of a limited data set without individual authorization for three purposes: research, public health, and health care operations. These are permitted disclosures only if the recipient signs a data use agreement and you apply the minimum necessary standard.
Examples
- Research: outcomes studies, comparative effectiveness, registry analyses.
- Public health: surveillance, evaluation of prevention programs, outbreak analytics.
- Health care operations: quality improvement, population health management, cost and utilization review.
Boundaries you must respect
- No marketing, targeted advertising, or sale of data using an LDS.
- No attempts to identify or contact individuals referenced in the data.
- Apply “minimum necessary” to each element; remove fields that are not needed for the project.
- When disclosing an LDS, keep documentation of the DUA and the recipient even though LDS disclosures are exempt from the accounting of disclosures requirement.
Data Use Agreement Requirements
Before an external disclosure of an LDS, the recipient must sign a data use agreement (DUA). The DUA sets guardrails around use, sharing, and safeguards.
Core DUA elements
- Define permitted uses and disclosures (research, public health, or operations only).
- Identify who may use or receive the LDS (named recipient and its agents).
- Prohibit re‑identification or contact with individuals.
- Require appropriate administrative, physical, and technical safeguards.
- Mandate reporting to the disclosing entity of any unauthorized use or disclosure.
- Flow‑down: ensure agents and subcontractors agree to the same restrictions and safeguards.
- Limit further use/disclosure to what the DUA permits.
- Return or destroy the LDS at project end; if infeasible, continue protections and limit further use.
DUA vs. BAA
A DUA governs how the recipient may use an LDS. If the recipient is performing functions or services for you that involve PHI, you may also need a business associate agreement; a DUA does not replace a BAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Data Elements Allowed in Limited Data Sets
Commonly included elements
- Dates tied to events (admission, discharge, service, birth, death).
- Broad location data (city, county, state, ZIP code).
- Clinical and utilization data (diagnoses, procedures, labs, medications, outcomes).
- Provider and facility identifiers (when not direct patient identifiers).
Elements you must exclude
- Contact details (name, phone, email) and precise addresses.
- Government IDs, medical record numbers, account numbers, plan IDs.
- Device IDs, license plates, web URLs, IP addresses.
- Biometrics and full‑face images.
Practical tips to avoid pitfalls
- Scrub free text for stray identifiers before release.
- Validate ZIP codes and dates against a data dictionary to enforce minimum necessary.
- Use project‑specific study IDs generated by the recipient, not source-system record numbers.
De-Identification vs Limited Data Set
Key differences
- De‑identified data is not PHI; it falls outside HIPAA once properly de‑identified. An LDS remains PHI and stays under HIPAA.
- De‑identification via Safe Harbor removes all dates (except year) and limits geography to three‑digit ZIPs (with additional suppression for small areas). An LDS may retain full dates and five‑digit ZIP codes.
- De‑identification via Expert Determination documents a very low risk of re‑identification; an LDS relies on contractual controls (the DUA) and removal of direct identifiers.
When to choose each
- Choose an LDS when event timing and locality matter and you can manage risk contractually.
- Choose de‑identification when broad sharing is needed or recipients cannot accept DUA obligations.
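The practical tips above (scrub free text, validate ZIP codes and dates against a data dictionary, use project-specific study IDs) and the Safe Harbor contrast in this section can be put into one small pipeline. The following Python is an added example written for this article; it is not the Accountable product's code. The field names, the sample record, the data dictionary, the project key and the restricted ZIP prefix set are all constructed placeholders, and the Safe Harbor step covers only the date and ZIP rules discussed here.

```python
"""Added example: build a HIPAA limited data set (LDS) from a source record and
reduce it further toward Safe Harbor. Illustrative code for this article; field
names, sample data and keys are constructed."""
import hashlib
import hmac
import re

# Direct identifiers an LDS must exclude (45 CFR 164.514(e)(2)), expressed as the
# column names of this example's constructed record layout.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
})

# Minimum-necessary data dictionary for one hypothetical study: field -> check.
# Anything not listed here is dropped even if it is not a direct identifier.
ZIP5 = re.compile(r"^\d{5}$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
STUDY_DICTIONARY = {
    "city": lambda v: isinstance(v, str) and bool(v),
    "state": lambda v: isinstance(v, str) and len(v) == 2,
    "zip": lambda v: isinstance(v, str) and ZIP5.match(v) is not None,
    "admit_date": lambda v: isinstance(v, str) and ISO_DATE.match(v) is not None,
    "discharge_date": lambda v: isinstance(v, str) and ISO_DATE.match(v) is not None,
    "diagnosis": lambda v: isinstance(v, str),
    "notes": lambda v: isinstance(v, str),
}

# Patterns for identifiers that commonly leak through free-text fields.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
]


def scrub_free_text(text: str) -> str:
    """Redact URL, email, IP, SSN and phone patterns from a free-text field."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def study_id(source_key: str, project_key: bytes) -> str:
    """Project-specific pseudonym: a keyed hash of the source record number.
    Each project uses its own key, so IDs cannot be linked across projects and
    the source MRN itself is never disclosed."""
    return hmac.new(project_key, source_key.encode(), hashlib.sha256).hexdigest()[:16]


def validate_against_dictionary(record: dict, dictionary: dict) -> list:
    """Return a list of problems: fields outside the dictionary or failing its checks."""
    problems = []
    for field, value in record.items():
        if field == "study_id":
            continue
        if field not in dictionary:
            problems.append(f"{field}: not in data dictionary")
        elif not dictionary[field](value):
            problems.append(f"{field}: invalid value {value!r}")
    return problems


def to_limited_data_set(record: dict, dictionary: dict, project_key: bytes) -> dict:
    """Drop direct identifiers and non-dictionary fields, scrub notes, add a study ID.
    Full dates and the five-digit ZIP are retained, as an LDS allows."""
    lds = {"study_id": study_id(record["mrn"], project_key)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field not in dictionary:
            continue
        lds[field] = scrub_free_text(value) if field == "notes" else value
    problems = validate_against_dictionary(lds, dictionary)
    if problems:
        raise ValueError("LDS failed validation: " + "; ".join(problems))
    return lds


def to_safe_harbor(lds: dict, restricted_zip3: frozenset = frozenset()) -> dict:
    """Reduce an LDS toward Safe Harbor on the two axes this article contrasts:
    dates become year only, ZIP becomes its first three digits (or 000 when that
    three-digit area is population-restricted), and city is dropped. Other Safe
    Harbor rules (for example ages over 89) are not modelled here."""
    out = {}
    for field, value in lds.items():
        if field == "city":
            continue
        if field.endswith("_date"):
            out[field] = value[:4]
        elif field == "zip":
            prefix = value[:3]
            out[field] = "000" if prefix in restricted_zip3 else prefix
        else:
            out[field] = value
    return out


# Constructed sample source record (fictional patient, no real data).
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "12 Example Way", "city": "Cambridge",
    "state": "MA", "zip": "02139", "phone": "617-555-0100",
    "email": "jane@example.org", "ssn": "000-00-0000", "mrn": "MRN-000123",
    "dob": "1970-01-01", "admit_date": "2023-03-04", "discharge_date": "2023-03-09",
    "diagnosis": "I10",
    "notes": "Follow-up call to 617-555-0100 or jane@example.org; pt ok.",
    "extra_field": "not in the study dictionary, so dropped",
}
PROJECT_KEY = b"placeholder-project-key"  # constructed; hold real keys in a secrets store

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD, STUDY_DICTIONARY, PROJECT_KEY)
    print(lds)
    # Restricted prefix set is a placeholder; populate it from current census data.
    print(to_safe_harbor(lds, restricted_zip3=frozenset({"021"})))
```

Note that `dob` is dropped here not because an LDS forbids birth dates (it does not) but because the study's data dictionary did not ask for it; that is the minimum necessary check doing its job, separate from the direct-identifier rule.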
Use in Research
An LDS is frequently the right balance for studies requiring dates and general location. You do not need individual authorization if you have a compliant DUA; institutional review board oversight may still be required by your organization or sponsor.
Operational checklist for researchers
- Define the hypothesis and minimum necessary data elements up front.
- Execute the DUA before any transfer; include research data safeguards, breach reporting, and retention limits.
- Store the LDS in approved, access‑controlled environments with encryption at rest and in transit.
- Prohibit downloads to unmanaged devices and log all access for auditability.
- Plan for destruction or return at project close and document that completion.
Important boundaries
- Do not recruit participants or contact patients using an LDS.
- If you later need identifiers (for linkage or follow‑up), pursue a separate HIPAA‑compliant pathway (authorization or IRB waiver) rather than stretching the DUA.
Compliance with HIPAA Privacy Rule
To maintain HIPAA Privacy Rule compliance, bake LDS governance into your privacy program and day‑to‑day operations. Treat the DUA as a living control, not paperwork.
Program controls that work
- Data mapping and approvals to enforce minimum necessary on every LDS request.
- Template DUAs with standardized permitted disclosures and flow‑down clauses.
- Access controls, encryption, monitoring, and timely incident response.
- Vendor oversight and periodic audits of recipients’ safeguards.
- Documentation lifecycle: request, approval, DUA, transfers, amendments, and close‑out.
- Leverage the accounting for disclosures exemption for LDS, but still maintain internal logs for governance.
Conclusion
A carefully constructed limited data set lets you share what research, public health, and operations genuinely require—dates, general location, and rich clinical context—without exposing direct identifiers. Pair precise scoping with a strong data use agreement and disciplined safeguards to avoid PHI pitfalls while enabling compliant, high‑value analytics.
FAQs
What is a limited data set under HIPAA?
It is protected health information with specific direct identifiers removed—such as names, contact details, precise addresses, and full‑face images—while retaining dates and broad geography. Because an LDS is still PHI, HIPAA applies and, for disclosures, a data use agreement is required.
How does a data use agreement protect limited data set information?
A DUA contractually limits how the recipient may use and share the LDS, prohibits re‑identification or contact with individuals, requires appropriate safeguards, mandates reporting of any misuse, flows obligations to agents, and sets return/destruction terms at project end.
Are limited data sets considered de-identified data?
No. An LDS is not de‑identified; it remains PHI under HIPAA. Unlike de‑identified data, an LDS can include event dates and ZIP codes, and it may be disclosed only for research, public health, or operations under a DUA.
What uses are permitted for limited data sets without individual authorization?
HIPAA permits LDS use and disclosure for research, public health activities, and health care operations without individual authorization, provided the recipient signs a compliant data use agreement and you apply the minimum necessary standard.