A limited data set is a limited set of identifiable patient information as defined in the Privacy Regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). A limited data set of information may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health, or health care operations. Second, the person receiving the information must sign a data use agreement with Cardiology Medical Group. This agreement has specific requirements which are shown below.
A limited data set is information from which identifiers have been removed. Specifically, as it relates to the individual or his or her relatives, employers, or household members, all the following identifiers must be removed in order for health information to be a limited data set:
•Names
•Street addresses (other than town, city, state and zip code)
•Telephone numbers
•Fax numbers
•E-mail addresses
•Social Security numbers
•Medical records numbers
•Health plan beneficiary numbers
•Account numbers
•Certificate license numbers
•Vehicle identifiers and serial numbers, including license plates
•Device identifiers and serial numbers
•URLs
•IP address numbers
•Biometric identifiers (including finger and voice prints)
•Full face photos (or comparable images)
The health information that may remain in the information disclosed includes:
•Dates such as admission, discharge, service, date of birth, and date of death.
•City, state, five-digit, or more zip code.
•Ages in years, months, days, or hours.
Note This information is still protected health information or “PHI” under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.