How to Create and Use a HIPAA Limited Data Set Safely
A HIPAA Limited Data Set (LDS) lets you share Protected Health Information for research, public health, and healthcare operations while reducing re-identification risk. Under the HIPAA Privacy Rule, an LDS is still PHI, so you must control who receives it, how it is used, and how it is protected.
This guide shows you how to construct an LDS correctly, document the rules in a Data Use Agreement, apply the Minimum Necessary Standard, and operate strong Data Safeguards to uphold research data privacy throughout the data lifecycle.
Identify and Remove Direct Identifiers
Start by eliminating every direct identifier about the individual and their relatives, employers, or household members. Removing these fields is what legally distinguishes an LDS from a standard PHI dataset.
- Names
- Street address and other postal address information (other than town or city, state, and ZIP code)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and comparable images
Go beyond structured fields. Scan free text (notes, comments, image captions) for hidden identifiers and redact them. Review small cells (for example, rare diagnoses in tiny ZIP codes) and apply aggregation or suppression where needed to protect research data privacy.
Include Permissible Information
After removing direct identifiers, you may keep information that remains useful for analysis and operations. An LDS may retain certain geographic and temporal detail that fully de-identified data cannot, improving utility without exposing identity.
- Dates related to an individual (such as birth, death, admission, discharge, and service dates)
- Geography at city, state, and ZIP code levels (not street address)
- Age in years, including age 90 and older
- Clinical and operational fields needed for analysis (diagnoses, procedures, medications, lab values, vital signs, utilization metrics)
- Internally managed study keys held by the covered entity to link refreshes, with the crosswalk stored separately and not shared
Keep only fields that support the stated purpose. If granular values could indirectly identify someone, generalize (for example, use month instead of exact date, or 3-digit ZIP when populations are small) while preserving analytic value.
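The two steps above (stripping the direct identifiers listed earlier, then generalizing ZIP codes and dates while keeping age and a separately held study key) can be put into one pipeline. The code below is an added example written for this guide, not code from the page's author or any product it mentions; the field names, sample records, ZIP population figures, HMAC secret and regular expressions are all constructed assumptions, and the free-text patterns are deliberately simple illustrations rather than a complete scanner. It also adds the pre-release check a practitioner would want: a pass over the finished dataset that reports any direct-identifier field or hidden pattern that survived.

```python
import hashlib
import hmac
import re

# Field names are assumptions for these constructed records; the categories
# mirror the direct identifiers an LDS must drop.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Identifiers that hide in free text. Simple illustrations only; a production
# scanner needs broader, validated rules.
FREE_TEXT_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://\S+"),
}

# Assumption: in practice this secret lives in a key-management system held by
# the covered entity, never beside the released data.
STUDY_KEY_SECRET = b"constructed-example-secret-do-not-reuse"


def redact_free_text(text):
    """Replace identifiers hidden in notes with a bracketed tag."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text


def generalize_zip(zip5, zip_population, small_threshold):
    """Keep the 5-digit ZIP only when its population is large enough;
    otherwise fall back to the 3-digit prefix."""
    if zip_population.get(zip5, 0) < small_threshold:
        return zip5[:3]
    return zip5


def study_key(mrn):
    """Stable, non-reversible key so refreshes can be linked without the MRN.
    The HMAC secret (and therefore the crosswalk) stays with the covered entity."""
    return hmac.new(STUDY_KEY_SECRET, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def build_limited_data_set(records, date_fields, zip_population,
                           small_zip_threshold=20000, month_only_dates=False):
    """Return (lds_records, crosswalk). The crosswalk maps study key -> MRN and
    is retained internally; only lds_records is disclosed under the DUA."""
    lds_records, crosswalk = [], {}
    for rec in records:
        lds = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIER_FIELDS}
        if "mrn" in rec:
            key = study_key(rec["mrn"])
            crosswalk[key] = rec["mrn"]
            lds["study_key"] = key
        if "notes" in lds:
            lds["notes"] = redact_free_text(lds["notes"])
        if "zip" in lds:
            lds["zip"] = generalize_zip(lds["zip"], zip_population, small_zip_threshold)
        if month_only_dates:
            # Exact dates are permissible in an LDS; trimming "YYYY-MM-DD" to
            # "YYYY-MM" is the optional generalization for when they are not needed.
            for field in date_fields:
                if field in lds:
                    lds[field] = lds[field][:7]
        # Age in years, including 90 and older, stays as-is in an LDS.
        lds_records.append(lds)
    return lds_records, crosswalk


def find_residual_identifiers(lds_records):
    """Pre-release check: report any direct-identifier field that survived and
    any string value that still matches a hidden-identifier pattern."""
    findings = []
    for i, rec in enumerate(lds_records):
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIER_FIELDS:
                findings.append((i, field, "direct identifier field present"))
            elif isinstance(value, str):
                for label, pattern in FREE_TEXT_PATTERNS.items():
                    if pattern.search(value):
                        findings.append((i, field, f"{label} pattern in value"))
    return findings


# Constructed sample records (not real people) and constructed population figures.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "street_address": "12 Sample St", "city": "Springfield",
     "state": "IL", "zip": "62704", "email": "jane@example.com", "ssn": "123-45-6789",
     "mrn": "MRN-0001", "birth_date": "1950-03-14", "admission_date": "2023-11-02",
     "age": 73, "diagnosis": "E11.9",
     "notes": "Pt reachable at jane@example.com or 555-123-4567; see http://portal.example/p1"},
    {"name": "John Sample", "street_address": "9 Demo Ave", "city": "Smalltown",
     "state": "MT", "zip": "59001", "phone": "406-555-0100", "mrn": "MRN-0002",
     "birth_date": "1931-07-01", "admission_date": "2023-12-20", "age": 92,
     "diagnosis": "I10", "notes": "No hidden identifiers in this note."},
]
ZIP_POPULATION = {"62704": 35000, "59001": 1200}
DATE_FIELDS = ["birth_date", "admission_date"]

lds, crosswalk = build_limited_data_set(SAMPLE_RECORDS, DATE_FIELDS, ZIP_POPULATION)
print(lds)
print("residual identifiers:", find_residual_identifiers(lds))
```

Two design points: the crosswalk is returned separately from the records precisely so that it can be stored under the covered entity's own controls and never delivered with the dataset, and the residual check runs over the output, not the input, so that it catches anything the field filter or the free-text patterns missed before the dataset leaves the organization.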
Establish a Data Use Agreement
A Data Use Agreement (DUA) is mandatory for disclosing an LDS. The DUA defines how the recipient may use the data and embeds accountability for safeguarding it under the HIPAA Privacy Rule.
- Permitted purposes: research, public health, or healthcare operations; marketing and re-contact are prohibited
- Authorized recipients and users, including any agents or subcontractors who must accept the same obligations
- Prohibition on re-identification or contacting individuals
- Required administrative, physical, and technical Data Safeguards (access controls, encryption, auditing, secure transfer)
- Incident handling: prompt reporting, mitigation, and cooperation if a suspected breach occurs
- Data management rules: version control, retention limits, and secure destruction or return at project end
- Monitoring and enforcement: audit rights, sanctions for violations, and remediation steps
Use a standardized DUA template, maintain a registry of active DUAs, and tie each dataset delivery to a specific agreement, scope, and expiration date.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Ensure Compliance with Minimum Necessary Standard
Even when sharing an LDS, you must meet the Minimum Necessary Standard: disclose only what is reasonably needed to achieve the stated purpose, and nothing more.
- Define the purpose precisely, map required variables to that purpose, and drop superfluous fields and records
- Limit time windows, geography, and cohort size to what the study or operation demands
- Adopt role-based access and least-privilege permissions; use project-specific workspaces with time-bound access
- Document the justification for every sensitive field retained and record approvals for transparency
- Use privacy-enhancing techniques (aggregation, generalization, noise addition where appropriate) to reduce exposure while preserving utility
Monitor and Enforce Compliance
Compliance is an ongoing program. Pair strong Data Safeguards with operational discipline so the LDS remains protected throughout its lifecycle.
- Technical safeguards: encryption in transit and at rest, key management, multi-factor authentication, network segmentation, endpoint hardening, and secure file transfer
- Logging and oversight: immutable audit logs, regular access reviews, anomaly detection, and periodic risk assessments
- Operational controls: workforce training, confidentiality agreements, documented SOPs, and timely patching
- Third-party governance: vet recipients, flow down obligations to subcontractors, and determine when a Business Associate Agreement is also required
- Incident response: defined playbooks, prompt containment and notification when warranted, and lessons-learned remediation
- Lifecycle hygiene: dataset versioning, scheduled reviews, and certified destruction or return at project completion
When you remove direct identifiers, control permissible content, bind use via a strong DUA, apply the Minimum Necessary Standard, and continuously monitor safeguards, you create an LDS that advances research and healthcare operations while respecting patient privacy.
FAQs
What is a HIPAA Limited Data Set?
A HIPAA Limited Data Set is Protected Health Information that excludes specific direct identifiers but may include dates and certain geographic details. It can be used for research, public health, and healthcare operations under a Data Use Agreement, and it remains subject to the HIPAA Privacy Rule and the Minimum Necessary Standard.
How does a Data Use Agreement protect LDS data?
The Data Use Agreement specifies permitted uses, identifies who may access the dataset, prohibits re-identification and contact, requires administrative and technical safeguards, mandates incident reporting and mitigation, and sets rules for retention, auditing, and secure destruction—creating clear, enforceable obligations for the recipient.
What identifiers must be removed from a Limited Data Set?
You must remove names; street address and other postal address elements (except city, state, and ZIP); phone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, and account numbers; certificate/license numbers; vehicle and device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers (like finger and voice prints); and full-face photographs and comparable images.
How is compliance with the Minimum Necessary Standard ensured?
Define the purpose narrowly, keep only the variables and records needed to meet that purpose, restrict access by role and time, document approvals, and continuously audit use. Combine scoping with technical safeguards—encryption, logging, and segmentation—to prove that disclosure and access are truly limited to the minimum necessary.