What is a limited data set?
HIPAA Weekly Advisor, January 3, 2003
Q: What is a limited data set?
A: A limited data set is PHI that includes broad geographic information and dates (such as birth, death, admission, and discharge), but excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Names
- Postal address information other than town or city, state, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
A covered entity may use or disclose a limited data set without authorization only for research, public health, or health care operations of another covered entity if it enters into a data use agreement with the limited data set recipient.
The data use agreement provides assurance that the limited data set recipient will only use or disclose the PHI for limited purposes.
A data use agreement must do the following:
- Establish the permitted uses and disclosures of the information by the limited data set recipient.
- Establish who is permitted to use or receive the limited data set.
- Provide that the limited data set recipient will:
  a) not use or further disclose the information other than as permitted by the agreement or as otherwise required by law
  b) use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement
  c) report to the covered entity if it becomes aware of any use or disclosure of the information not allowed by the data use agreement
  d) ensure that any agents, including subcontractors, to whom it provides the limited data set agree to the same restrictions and conditions
  e) not attempt to identify the patients or contact them
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.