HIPAA Limited Data Set (LDS): What It Is, What’s Included, and DUA Requirements
Definition of Limited Data Set
A HIPAA Limited Data Set (LDS) is Protected Health Information that has been stripped of specific direct identifiers but still contains valuable detail for analysis. Under the HIPAA Privacy Rule, an LDS remains PHI—not fully de-identified—so its disclosure requires a Data Use Agreement (DUA) and compliance with strict conditions.
Unlike fully de-identified data, an LDS can include certain geographic and date elements that preserve analytic utility. This makes it a practical middle ground for research, public health, and health care operations while maintaining privacy safeguards and a clear Re-identification Prohibition.
How an LDS differs from de-identified data
- An LDS may include city, state, ZIP code, and full dates (e.g., admission/discharge), which de-identified data cannot.
- Because it is still PHI, covered entities and business associates must apply HIPAA controls when creating, using, or disclosing an LDS.
Direct Identifiers Removed
To qualify as an LDS, the following direct identifiers of the individual (and of relatives, employers, or household members) must be removed:
- Names
- Postal address information other than town or city, state, and ZIP code
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health Plan Beneficiary Numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric Identifiers (for example, fingerprints and voiceprints)
- Full-face photographs and any comparable images
These categories are expressly barred to reduce the risk that a recipient could identify or contact an individual.
Retained Information in LDS
An LDS can retain certain fields that are often crucial for analytics and quality improvement. This retained information increases utility while keeping direct contact and unique personal identifiers out of scope.
Elements you can keep
- Geography at the level of city, state, and 5‑digit ZIP code (but not street address).
- All elements of dates related to an individual, such as dates of birth, death, admission, discharge, and service dates.
- Age in years, including ages 90 and above (no aggregation to 90+ is required for LDS).
- Clinical and claims fields that do not directly identify a person (for example, diagnoses, procedures, medications, lab values).
- Study IDs or other codes that do not themselves disclose identity and are not derived from removed direct identifiers.
- Provider, facility, or plan identifiers, where present, since these are not direct patient identifiers.
Why these elements matter
City, ZIP, and dates enable robust time-series, geographic, and cohort analyses. They support risk adjustment, utilization tracking, and outcomes evaluation without exposing names, contact details, or images.
Permitted Uses of LDS
Covered entities may use or disclose an LDS without patient Authorization—and without an IRB/Privacy Board waiver—only for the following purposes, and only under a DUA:
- Research: observational studies, registries, health services research, and method development.
- Public health activities: surveillance, program evaluation, and population health assessment by or for authorized public health purposes.
- Health care operations: quality improvement, utilization review, benchmarking, protocol development, network management, and cost reduction initiatives.
Use is limited to what the DUA permits. Marketing, attempts to identify or contact individuals, or any use beyond the agreement are prohibited by the HIPAA Privacy Rule and the DUA’s Re-identification Prohibition.
Data Use Agreement Requirements
A Data Use Agreement is mandatory for any disclosure of an LDS. It sets binding conditions on the recipient and any downstream agents. A well‑constructed DUA should:
Specify scope and parties
- Describe the LDS (data elements, cohorts, timeframe) and the permitted uses/disclosures (research, public health, or operations).
- Identify the recipient organization and the Authorized Users who may access the data.
Impose core HIPAA obligations on the recipient
- Use and disclose the LDS only as permitted by the DUA or as required by law.
- Implement appropriate safeguards to prevent unauthorized use or disclosure.
- Report any impermissible use or disclosure to the disclosing covered entity.
- Bind any agents or subcontractors to the same restrictions and conditions.
- Not attempt re-identification and not attempt to contact any individual.
Good practice additions
- Access controls and authentication standards, including unique user IDs and role-based permissions.
- Secure transfer, storage, and encryption requirements for the LDS.
- Audit logging, incident response expectations, and retention/disposition schedules aligned with the project.
These terms operationalize the Re-identification Prohibition and make accountability clear for all Authorized Users and agents.
Safeguards and Compliance Measures
Because an LDS is still PHI, covered entities and business associates must apply the HIPAA Privacy Rule and, for electronic LDS, appropriate Security Rule safeguards. Recipients outside HIPAA coverage are still bound by the DUA’s protections.
Administrative safeguards
- Limit access to documented Authorized Users; implement least-privilege, need-to-know access.
- Provide privacy and security training specific to LDS handling and the Re-identification Prohibition.
- Appoint a data steward to oversee provisioning, use approvals, and DUA compliance.
- Conduct risk analyses and periodic reviews of datasets, approvals, and user access.
Technical safeguards
- Encrypt data at rest and in transit; use secure transfer channels and key management.
- Enforce strong authentication, session timeouts, and role-based access controls.
- Maintain audit logs for extract, query, and download events; monitor for anomalous behavior.
- Segregate LDS from fully identified PHI; prevent linkage keys that could enable re-identification.
Physical safeguards
- Protect servers and storage locations with controlled facilities and device protections.
- Apply clean-desk and screen privacy practices for any workstation accessing the LDS.
- Use secure destruction methods for media disposal in line with retention policies.
Operational controls
- Document data creation methods (e.g., identifier removal steps) and validate that only allowed fields remain.
- Apply the minimum necessary principle to the LDS content and any extracts or outputs.
- Include breach reporting pathways and timelines consistent with organizational policy and applicable law.
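The validation step in the first operational control can be automated as a release gate. The following is an added example, not part of the original page: it checks each record against a field allowlist, confirms ZIP codes are 5 digits, and scans values for several of the direct identifiers listed above (SSN, email, phone/fax, IP address, URL). The column names and sample rows are constructed assumptions, and pattern scanning cannot detect names or record numbers hidden in free text.

```python
import re

# Assumed column names for a constructed extract; a real schema will differ.
ALLOWED_FIELDS = {"study_id", "city", "state", "zip5", "birth_date",
                  "admit_date", "age_years", "dx_code", "note"}

# Value patterns for a subset of the direct identifiers an LDS must exclude.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.I),
}
ZIP5 = re.compile(r"\d{5}")

def validate_lds(rows):
    """Return (row_index, field, reason) for every LDS violation found."""
    findings = []
    for i, row in enumerate(rows):
        # Allowlist, not denylist: any unexpected column blocks the release.
        for field in sorted(set(row) - ALLOWED_FIELDS):
            findings.append((i, field, "field_not_allowed"))
        zip_val = row.get("zip5")
        if zip_val is not None and not ZIP5.fullmatch(str(zip_val)):
            findings.append((i, "zip5", "zip_not_5_digit"))
        # Identifiers often leak through free text, so scan every value.
        for field, value in row.items():
            for reason, pattern in PATTERNS.items():
                if pattern.search(str(value)):
                    findings.append((i, field, reason))
    return findings

# Constructed sample records (not real data).
SAMPLE_ROWS = [
    {"study_id": "S-0001", "city": "Springfield", "state": "IL",
     "zip5": "62704", "birth_date": "1931-04-02",
     "admit_date": "2023-01-15", "age_years": 92, "dx_code": "E11.9"},
    {"study_id": "S-0002", "mrn": "A1234567", "zip5": "62704-1234",
     "note": "Call 555-867-5309 or jane.doe@example.org"},
]

if __name__ == "__main__":
    for finding in validate_lds(SAMPLE_ROWS):
        print(finding)
```

Running the check before every extract leaves the data environment, and keeping its output, gives the data steward documented evidence of the identifier removal step.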
Conclusion
A HIPAA Limited Data Set preserves analytic power—city/ZIP and date fields—while excluding direct identifiers such as names, contact details, full-face photos, Biometric Identifiers, and Health Plan Beneficiary Numbers. With a precise DUA, strong safeguards, and diligent oversight of Authorized Users, you can use LDS data lawfully and effectively for research, public health, and health care operations.
FAQs
What is a Limited Data Set under HIPAA?
A Limited Data Set is Protected Health Information with specific direct identifiers removed. It may still include city, state, ZIP code, and dates, so it remains PHI under the HIPAA Privacy Rule and requires a Data Use Agreement for disclosure.
What identifiers are excluded from a Limited Data Set?
Names; street address; phone, fax, and email; Social Security, medical record, and Health Plan Beneficiary Numbers; account and certificate/license numbers; vehicle and device identifiers; web URLs and IP addresses; Biometric Identifiers; and full-face photographs or comparable images.
What are the requirements for a Data Use Agreement?
The DUA must define permitted uses/disclosures; identify the recipient and Authorized Users; require safeguards; mandate reporting of improper uses/disclosures; flow down restrictions to agents; and prohibit re-identification and contacting individuals.
Can a Limited Data Set be used for research?
Yes. A covered entity may disclose an LDS for research without patient Authorization or an IRB/Privacy Board waiver, provided a compliant Data Use Agreement is in place and its terms are strictly followed.
What safeguards must be in place for Limited Data Sets?
Apply administrative, technical, and physical safeguards: role-based access for Authorized Users, encryption in transit and at rest, logging and monitoring, secure transfer/storage, training, and processes that enforce the DUA’s Re-identification Prohibition.