Limited Data Set under the HIPAA Privacy Rule: Compliance Guide



Kevin Henry

HIPAA

February 02, 2025

6-minute read

Definition of Limited Data Set

A limited data set (LDS) is Protected Health Information from which specific direct identifiers have been removed, but which may retain certain geographic details and dates. Under 45 CFR 164.514(e), an LDS remains PHI and is not de-identified, so Privacy Rule and Security Rule obligations still apply to it.

You may use or disclose an LDS for research, public health, or health care operations. When sharing outside your organization, you must execute a Data Use Agreement that governs how recipients handle the information and prohibits re-identification or contacting individuals.

Identifiers to Remove

Direct identifiers you must remove

  • Names
  • Postal address information other than town or city, state, and ZIP code
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (for example, finger and voice prints)
  • Full-face photographs and comparable images

What you may keep in an LDS

An LDS may include city, state, and full ZIP code; all elements of dates (for example, dates of birth, death, admission, discharge, and service); and ages, including ages over 89. Avoid including any data points that function like an identifier in your context, and apply the Minimum Necessary Standard when designing the dataset.
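As an added example (not code from the original article), the following Python builds an LDS from a record under an assumed, constructed field schema: it allowlists only the elements permitted above, drops the 16 direct identifiers, and scans any free-text field for identifiers that would otherwise slip through before release. The field names, regex patterns and sample record are all assumptions made for this example.

```python
import re

# Constructed field names for an assumed record schema. The first set lists the
# 16 direct identifiers that 45 CFR 164.514(e) requires removing from an LDS.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo"}
# What this release may keep: city/state/ZIP, full dates, ages (including >89),
# plus only the clinical fields the stated purpose needs (Minimum Necessary).
PERMITTED = {"city", "state", "zip", "dob", "admit_date", "discharge_date",
             "age", "diagnosis", "notes"}
# Direct identifiers often hide inside free text; scan string values for them.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+")}


def to_limited_data_set(record):
    """Allowlist filter: drop direct identifiers and any field not explicitly permitted."""
    return {k: v for k, v in record.items()
            if k in PERMITTED and k not in DIRECT_IDENTIFIERS}


def find_leaks(record):
    """Return (field, kind) pairs for identifier patterns found in text values."""
    return [(field, kind) for field, value in record.items()
            if isinstance(value, str)
            for kind, pattern in LEAK_PATTERNS.items() if pattern.search(value)]


def prepare_release(record):
    """Build the LDS and refuse release while any stray identifier remains."""
    lds = to_limited_data_set(record)
    leaks = find_leaks(lds)
    if leaks:
        raise ValueError(f"direct identifiers remain in LDS: {leaks}")
    return lds


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.org",
    "street_address": "12 Main St", "city": "Springfield", "state": "IL",
    "zip": "62701", "dob": "1931-04-02", "age": 93, "admit_date": "2024-11-03",
    "diagnosis": "E11.9", "notes": "Follow-up: call 555-123-4567"}
```

Running `prepare_release(SAMPLE)` strips the name, SSN, email and street address but still refuses the release, because the phone number embedded in the notes field is itself a direct identifier.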

Permitted Uses and Disclosures

Research, public health, and operations

You may disclose an LDS for research data sharing, public health data use (for example, surveillance or quality improvement), and health care operations such as population health management or outcomes measurement. Individual authorization and IRB/Privacy Board waiver are not required when a compliant Data Use Agreement is in place.

Prohibited and limited uses

An LDS cannot be used to identify or contact individuals and generally may not be used for marketing or sale of PHI without proper authorization. Internal use by your covered entity does not require a DUA; disclosures to external recipients do.

Data Use Agreement Requirements

Required terms

  • Permitted uses and disclosures of the limited data set
  • Identification of who is permitted to use or receive the LDS
  • Recipient will not use or disclose the LDS other than as permitted or required by law
  • Appropriate safeguards to prevent unauthorized use or disclosure
  • Prompt reporting to the disclosing entity of any non-permitted use or disclosure
  • Flow-down: ensure agents and subcontractors follow the same restrictions
  • No re-identification of the data and no contact with individuals

Relationship to Business Associate Agreement

If a Business Associate receives the LDS to perform health care operations, you may include the required DUA elements within the Business Associate Agreement or attach a standalone DUA. Ensure the combined documents satisfy both HIPAA frameworks.


Compliance with HIPAA Privacy Rule

Governance and process controls

  • Map data fields and confirm all required identifiers are removed before release
  • Apply the Minimum Necessary Standard to each recipient and purpose
  • Maintain DUA templates, approval workflows, and a central register of active DUAs
  • Train workforce members on LDS creation, disclosure criteria, and handling safeguards
  • Use secure transfer channels, access controls, and routine monitoring so that LDS disclosures stay within the Privacy Rule

Documentation essentials

Keep documented data specifications, risk reviews, DUA versions, and recipient attestations. Clearly record the lawful basis (research, public health, or operations) and the minimal elements disclosed.

De-Identification vs Limited Data Set

Key differences

  • Status: De-identified data is not PHI; an LDS is still PHI and subject to HIPAA.
  • Content: De-identified data removes all 18 identifiers and most granular dates/geographies; an LDS may retain dates and city/state/ZIP.
  • Contracts: De-identified data does not require a DUA (though contracts are wise); an LDS requires a DUA for external sharing.
  • Standards: Minimum Necessary applies to an LDS; it does not apply to de-identified data.

Choosing the right path

Use de-identification when feasible to reduce regulatory burden. Choose an LDS when date-level and location detail are necessary for valid analyses and you can enforce strong contractual and technical controls.

Breach Notification Procedures

Assess whether a breach occurred

  • Confirm the incident involved an LDS (which is PHI) and whether it was “unsecured”
  • Perform HIPAA’s four-factor risk assessment: data sensitivity, unauthorized recipient, whether PHI was actually viewed, and mitigation
  • If the probability of compromise is not low, treat it as a reportable breach

Notification timelines and recipients

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery
  • Notify HHS as required; for 500 or more residents of a state or jurisdiction, also notify prominent media within 60 days
  • For fewer than 500 individuals, record and submit to HHS within the required annual reporting window

Mitigation, remediation, and documentation

  • Contain the incident, rotate credentials, and retrieve or delete misdirected data when possible
  • Activate contractual remedies under the Data Use Agreement and update controls to prevent recurrence
  • Retain investigation records, risk assessments, notifications, and corrective action plans

Conclusion

A limited data set lets you share analytically useful information while reducing privacy risk. Remove the required identifiers, apply the Minimum Necessary Standard, and govern disclosures with a robust Data Use Agreement. Pair sound contracts with technical safeguards and clear procedures, and you will support research data sharing and public health data use without compromising HIPAA obligations.

FAQs

What is a limited data set under HIPAA?

An LDS is PHI that excludes specified direct identifiers but may include city, state, ZIP code, and full dates. It can be used for research, public health, or health care operations, and external sharing requires a Data Use Agreement.

What identifiers must be removed to create a limited data set?

You must remove names; street address; phone and fax numbers; email; Social Security, medical record, health plan, and account numbers; certificate/license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; and full-face photos or comparable images.

When is a data use agreement required?

A DUA is required whenever you disclose an LDS to an external recipient for research, public health, or health care operations. Internal use does not need a DUA. If a Business Associate receives the LDS, you can integrate DUA terms into the Business Associate Agreement or use a standalone DUA.

How does a limited data set differ from de-identified data?

De-identified data is not PHI and removes the full set of identifiers and granular dates/geographies; a limited data set remains PHI, may keep dates and city/state/ZIP, and requires a DUA for external sharing. Minimum Necessary continues to apply to an LDS.
