Definition of Limited Data Set

Version 3 01/06/2005
The “Limited Data Set”. A “limited data set” is a limited set of identifiable patient
information as defined in the Privacy Regulations issued under the Health Insurance Portability
and Accountability Act, better known as “HIPAA”. A “limited data set” of information may be
disclosed to an outside party without a patient’s authorization if certain conditions are met.
First, the purpose of the disclosure may only be for research, public health or health care
operations. Second, the person receiving the information must sign a data use agreement with
Hopkins. This agreement has specific requirements which are discussed below.
A “limited data set” is information from which “facial” identifiers have been removed.
Specifically, as it relates to the individual or his or her relatives, employers or household
members, all the following identifiers must be removed in order for health information to be a
“limited data set”:
street addresses (other than town, city, state and zip code);
telephone numbers;
fax numbers;
e-mail addresses;
Social Security numbers;
medical records numbers;
health plan beneficiary numbers;
account numbers;
certificate license numbers;
vehicle identifiers and serial numbers, including license plates;
device identifiers and serial numbers;
IP address numbers;
biometric identifiers (including finger and voice prints); and
full face photos (or comparable images).
The health information that may remain in the information disclosed includes:
dates such as admission, discharge, service, DOB, DOD;
city, state, five digit or more zip code; and
ages in years, months or days or hours.
It is important to note that this information is still protected health information or “PHI” under
HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy
Data Use Agreements. Because a “limited data set” is still PHI, the Privacy
Regulations contemplate that the privacy of individuals will be protected by requiring covered
entities (Hopkins) to enter into data use agreements with recipients of “limited data sets”. The
data use agreement must meet standards specified in the Privacy Regulations. A data use
agreement must:
establish the permitted uses and disclosures of the limited data set;
identify who may use or receive the information;
prohibit the recipient from using or further disclosing the information, except as
permitted by the agreement or as permitted by law;
require the recipient to use appropriate safeguards to prevent a use or disclosure
that is not permitted by the agreement;
require the recipient to report to the covered entity any unauthorized use or
disclosure of which it becomes aware;
require the recipient to ensure that any agents (including a
subcontractor) to whom it provides the information will agree to the same
restrictions as provided in the agreement; and
prohibit the recipient from identifying the information or contacting the individuals.
The “limited data set” provisions also require covered entities to take reasonable steps to cure
any breach by a recipient of the data use agreement. That is, if Hopkins determines that data
provided to a recipient is being used in a manner not permitted by the agreement, it must work
with the recipient to correct this problem. If these steps are unsuccessful, Hopkins would have
to discontinue disclosure of PHI to the recipient under the data use agreement and report the
problem to the Department of Health and Human Services (“DHHS”).
Creating the Limited Data Set. A covered entity (Hopkins) may use one of its own
workforce to create the “limited data set”. DHHS also has indicated that a covered entity may
allow a person requesting a “limited data set” to create it, so long as the person is acting as a
business associate of the covered entity. A business associate is someone who is not part of
the covered entity’s workforce but who will use the covered entity’s PHI to perform some task
on behalf of the covered entity. (Examples of business associates are lawyers, accountants,
firms that analyze patient data, etc.) The covered entity (Hopkins) must enter into a separate
business associate agreement with the entity and the agreement must meet the requirements
of the Privacy Regulations. Once the limited data set is created under the business associate
agreement, all of the PHI, other than the PHI qualifying as the limited data set under the data
use agreement, must be returned to the covered entity.
Thus, it is possible that someone at the recipient will act as the covered entity’s
business associate to create the “limited data set” from a broader set of PHI. In such a case,
the recipient will need to sign both the data use agreement and the business associate
Responsibility for Data Use Agreements.
A. When Johns Hopkins is the provider of the data:
Hopkins has drafted a data use agreement form document for use by those who wish to
disclose a “limited data set” to recipients. This template may be accessed at Click on HIPAA “Form 9: Data Use Agreement”. When Johns
Hopkins is providing the limited data set, if any material change is to be made to this Johns
Hopkins template form, or if another party’s version of a data use agreement is to be used, the
Johns Hopkins HIPAA Office must review and approve the terms of the agreement. See
HIPAA Policy template A.9.1 (at and then click on the
link for Forms/Policies for Providers). The HIPAA Office may be contacted at 410-735-6509 or
B. When Johns Hopkins is the recipient of the data:
If a Johns Hopkins researcher is the recipient of a limited data set of PHI from a non-Johns
Hopkins source, the Johns Hopkins researcher most likely will be asked to sign the other
party’s Data Use Agreement. In such instance, the Johns Hopkins researcher is responsible
for reviewing the Data Use Agreement and determining if it complies in material terms with the
Johns Hopkins Data Use Agreement template. If the other party’s Data Use Agreement differs
materially from the Johns Hopkins Data Use Agreement template, or if there is any uncertainty,
the Johns Hopkins HIPAA Office must be consulted.
Tracking/Accounting. Disclosures of a “limited data set” are not subject to the HIPAA
tracking/accounting requirements. The rationale appears to be that the marginal increase in
privacy protections that such an accounting would provide is outweighed by its burdens.
DHHS has taken the position that the privacy of individuals with respect to PHI disclosed in a
“limited data set” can be adequately protected through a signed data use agreement.