What Is a Limited Data Set Under HIPAA? Definition, Examples, and Permitted Uses



Kevin Henry

HIPAA

July 24, 2025


A limited data set (LDS) is a form of Protected Health Information that removes specific direct identifiers yet still contains useful details like dates and limited geography. Under the HIPAA Privacy Rule, you can use or disclose an LDS for research data use, public health surveillance, or health care operations when a Data Use Agreement is in place—often without individual authorization.

Definition of Limited Data Set

Under 45 CFR 164.514(e), a limited data set is PHI stripped of particular direct identifiers of the individual, and of the individual’s relatives, household members, and employers. Unlike fully de-identified data, an LDS may retain city, state, ZIP code, and all relevant dates (for example, dates of birth, service, admission, discharge, and death).

An LDS is still PHI, so HIPAA obligations continue to apply. When it is used or disclosed for one of the permitted purposes below and governed by a Data Use Agreement, the disclosure is permitted under the HIPAA Privacy Rule and does not require patient authorization.

What can remain in a limited data set

  • Geography at the level of town/city, state, and ZIP code (but not street address).
  • All elements of dates related to the individual or care episodes.
  • Derived or random study IDs that are not on the removal list below and are not based on direct identifiers, subject to the Data Use Agreement.

Required Removals for Limited Data Set

To create an LDS, you must remove these direct identifiers of the individual and of relatives, household members, or employers:

  • Names
  • Postal address information other than town or city, state, and ZIP code (for example, street address, apartment number)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and comparable images

Ensure these identifiers are removed not only from structured fields but also from free-text notes, images, and attachments.
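The removal list above, applied to a record, as an added example that is not part of the original article: a Python function drops the structured fields that hold the 16 direct identifiers (and the same identifiers of relatives, household members and employers), keeps only the elements an LDS may retain (city, state, ZIP, dates, and non-identifying study fields), scrubs residual identifiers out of a free-text notes field, and runs a final scan so a record is not released while a pattern still matches. The field names, the regular expressions and the sample record are assumptions constructed for this example; any real extract will need its own field map and pattern review.

```python
"""
Added example (not from the original article): build a limited data set
from one constructed patient record by dropping the direct-identifier
fields, keeping permitted geography and dates, and scrubbing residual
identifiers out of free text. Field names and patterns are assumptions.
"""
import re
from typing import Any

# Structured fields holding direct identifiers (45 CFR 164.514(e)(2)).
# The keys are assumed names for this constructed record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_template", "face_photo",
    # The same identifiers of relatives, household members and employers.
    "emergency_contact_name", "emergency_contact_phone", "employer_name",
}

# Fields an LDS may retain: city, state, ZIP, all date elements, plus
# non-identifying clinical and study fields. Anything not listed is dropped.
PERMITTED_FIELDS = {
    "study_id", "city", "state", "zip", "date_of_birth", "admission_date",
    "discharge_date", "service_date", "diagnosis_code", "unit", "notes",
}

# Identifiers that commonly leak into free-text notes (assumed patterns).
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[-:# ]*\d+\b", re.IGNORECASE),
}


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace residual identifiers in free text; return new text and hit kinds."""
    hits = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        text, count = pattern.subn(f"[{kind.upper()} REMOVED]", text)
        if count:
            hits.append(kind)
    return text, hits


def make_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Return the LDS view of one record.

    Fields are passed through only if on the permitted allowlist, so a new
    column added upstream cannot silently carry an identifier into the LDS.
    """
    lds: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key not in PERMITTED_FIELDS:
            continue
        if isinstance(value, str):
            value, _ = scrub_free_text(value)
        lds[key] = value
    return lds


def residual_identifier_scan(lds: dict[str, Any]) -> dict[str, list[str]]:
    """Pre-disclosure check: report fields whose text still matches a pattern.

    An empty result means nothing matched; it is not proof that the data is
    identifier-free, so treat it as one control, not the only one.
    """
    findings: dict[str, list[str]] = {}
    for key, value in lds.items():
        if not isinstance(value, str):
            continue
        kinds = [k for k, p in RESIDUAL_PATTERNS.items() if p.search(value)]
        if kinds:
            findings[key] = kinds
    return findings


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "study_id": "S-000417",
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane Apt 4",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "date_of_birth": "1970-05-02",
    "admission_date": "2024-03-14",
    "discharge_date": "2024-03-18",
    "medical_record_number": "MRN-00012345",
    "email": "jane.sample@example.com",
    "phone": "555-010-0100",
    "diagnosis_code": "I10",
    "unit": "4 West",
    "employer_name": "Example Corp",
    "insurance_group": "GRP-77",  # not on the allowlist, so dropped
    "notes": "Pt requests follow-up by email jane.sample@example.com or "
             "(555) 010-0100; see MRN 00012345 and https://portal.example.org/x",
}

if __name__ == "__main__":
    lds = make_limited_data_set(SAMPLE_RECORD)
    print(lds)
    print("residual findings:", residual_identifier_scan(lds))
```

The allowlist is the important design choice: a blocklist of identifier columns fails open when the source schema grows, while an allowlist fails closed. The free-text scrub covers only the patterns you give it, which is why the article's advice to check notes, images and attachments still needs human or specialised review on top of this.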

Permitted Uses and Disclosures

You may use or disclose a limited data set for three purposes, provided a Data Use Agreement is executed with the recipient:

  • Research data use: Activities aimed at developing or contributing to generalizable knowledge (for example, observational studies, comparative effectiveness research, algorithm validation).
  • Public health surveillance: Activities such as monitoring disease trends, assessing outbreak responses, or evaluating program reach at the community level.
  • Health care operations: Quality assessment and improvement, outcomes evaluation, patient safety initiatives, utilization review, and payment-related analytics performed by or for a covered entity.

Key conditions

  • Data Use Agreement: A DUA with the recipient is required for LDS disclosures for these purposes.
  • Minimum necessary: Disclose only the minimum elements reasonably needed to accomplish the stated purpose.
  • No patient authorization required: When the LDS pathway and DUA are used, individual authorization under HIPAA is typically not necessary.
  • Business associate considerations: If the recipient performs functions on behalf of the covered entity, a Business Associate Agreement may also be required in addition to the DUA.

Data Use Agreement Requirements

Your DUA must, at a minimum, include the safeguards and limitations specified by the HIPAA Privacy Rule (45 CFR 164.514(e)(4)):

HIPAA-mandated elements

  • Define the permitted uses and disclosures of the limited data set by the recipient.
  • Identify who is authorized to use or receive the data.
  • Require the recipient not to use or disclose the data other than as permitted by the DUA or as required by law.
  • Require the recipient to use appropriate safeguards to prevent impermissible use or disclosure.
  • Require the recipient to report any DUA violations to the covered entity.
  • Bind the recipient to ensure agents/subcontractors agree to the same restrictions and conditions.
  • Prohibit the recipient from identifying or contacting the individuals whose data is included.
  • Require the recipient to return or destroy the limited data set when the purpose is fulfilled, or if infeasible, continue protections indefinitely.

Practical clauses to strengthen your DUA

  • Data security controls (for example, encryption at rest/in transit, access management, logging).
  • Retention and destruction timelines, including validation of destruction.
  • Breach notification timeframes and cooperation duties.
  • Audit rights and remedies for noncompliance.
  • Clear rules for data linkage, derivation of study IDs, and prohibition on re-identification attempts.

Examples of Permitted Uses

  • Quality improvement (health care operations): Comparing 30-day readmission rates by ZIP code to target care coordination resources.
  • Patient safety (health care operations): Evaluating medication error trends by unit and service date to prioritize training.
  • Population health (public health surveillance): Monitoring influenza-like illness by city and week to inform vaccine outreach.
  • Program evaluation (public health surveillance): Assessing screening uptake across neighborhoods to reduce disparities.
  • Outcomes research (research data use): Studying post-operative complications by procedure date across multiple hospitals.
  • Comparative effectiveness (research data use): Analyzing therapy response times using admission and discharge dates.
  • Utilization analytics (health care operations): Reviewing telehealth adoption by service date and ZIP code to plan access points.

Data Use Agreement Enforcement

When a recipient breaches a DUA, the covered entity must take reasonable steps to cure the breach or end the violation. If unsuccessful, you must terminate the agreement if feasible or, if termination is not feasible, report the issue to the U.S. Department of Health and Human Services.

Covered entities and business associates remain subject to HIPAA enforcement and internal sanction policies. Recipients that are not directly regulated by HIPAA face contractual remedies under the DUA (for example, suspension, termination, damages, and injunctive relief) and may be subject to other federal or state laws. If the impermissible use or disclosure compromises the privacy or security of the limited data set, HIPAA’s Breach Notification Rule may require notification to affected parties and regulators.

FAQs

What identifiers must be removed to create a limited data set?

You must remove 16 direct identifiers of the individual and of relatives, household members, or employers: names; postal address information other than town/city, state, and ZIP; telephone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, and account numbers; certificate/license numbers; vehicle and device identifiers/serial numbers; URLs; IP addresses; biometric identifiers; and full-face photos or comparable images.

What are the permitted uses of a limited data set under HIPAA?

An LDS may be used or disclosed for three purposes: research data use, public health surveillance, and health care operations. When a Data Use Agreement is in place, these disclosures are authorized under the HIPAA Privacy Rule and typically do not require individual authorization.

What is required in a data use agreement for a limited data set?

A DUA must specify permitted uses/disclosures; who may use/receive the data; prohibit other uses/disclosures; require safeguards, violation reporting, and flow-down of restrictions to agents; ban re-identification or contact with individuals; and require return or destruction of the data when no longer needed (or continued protections if destruction is infeasible).

How are breaches of data use agreements handled?

The covered entity must attempt to cure the breach or end the violation; if unsuccessful, terminate the DUA if feasible or report the matter to HHS. Remedies may include suspension, termination, damages, and additional safeguards. If the incident constitutes a HIPAA breach, breach notification obligations may also apply.
