The IT Law Wiki

Limited data set


Definition


A limited data set[1] is data with all direct identifiers removed, including:

A limited data set could include the following (potentially identifying) information:

  • admission, discharge, and service dates;
  • dates of birth and, if applicable, death;
  • age (including age 90 or over); and
  • five-digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes (except street address).

Covered entities must condition the disclosure of the limited data set on execution of a "data use agreement," which:

  • establishes the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations;
  • limits who can use or receive the data; and
  • requires the recipient to agree not to re-identify the data or contact the individuals.

In addition, the data use agreement must contain adequate assurances that the recipient will use appropriate physical, technical and administrative safeguards to prevent use or disclosure of the limited data set other than as permitted by HIPAA and the data use agreement, or as required by law.

These assurances are similar to the requirements for business associate contracts. As with such agreements, the recipient is required to report to the covered entity any improper uses or disclosures of which it becomes aware.

Alternatively, if a covered entity becomes aware of a violation of the data use agreement, it must take reasonable steps to remedy the problem or, if unsuccessful, discontinue disclosure of PHI to the recipient and report the problem to DHHS.

The minimum necessary standard governs covered entities' disclosures, and recipients' uses, of limited data sets. The covered entity may reasonably rely on a requested disclosure being the minimum necessary for the stated purposes, or make its own determination that a lesser amount of information would be sufficient.

References

  1. 45 C.F.R. §164.514(e).

Source

  • Univ. of Miami, Miller School of Medicine, Privacy/Data Protection Project (full-text).
