Skip to main content
Home > SEK Education S... > SEKESC-IRB HIPA... > Limited Data Set & Data Use Agreement

Limited Data Set & Data Use Agreement

Limited Data Set & Data Use Agreement

HIPAA permits using a Limited Data Set, i.e. a data set in which direct identifiers have been removed but certain potential identifiers remain. To qualify as a Limited Data Set, the following direct identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

  • Names;
  • Street address/Postal address information, other than town or city, State, and zip code;
  • Telephone and fax numbers
  • Electronic mail addresses;
  • Social security numbers
  • Medical record numbers, health plan beneficiary numbers or other account numbers;
  • Certificate/license numbers;
  • Web universal resource locators (URLs) or Internet protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice print; and
  • Full face photographic images and any comparable images.

A Limited Data Set is still considered to be PHI under the HIPAA. Prior to disclosing the Limited Data Set, the entity releasing the Limited Data Set and the researcher must execute a Data Use Agreement. The agreement must contain the following elements:

  1. The permitted uses and disclosures by the recipient
  2. The approved users and recipients of the data
  3. Agreement by the recipient not to re-identify the data or contact the individuals
  4. Assurances that the recipient will use appropriate safeguards to prevent use or disclosure of the Limited Data set other than as permitted by the Data Use Agreement
  5. Agreement that the researcher will report to the covered entity any uses or disclosures of the Limited Data Set which were not specifically allowed
  6. Agreement to require that any agents and subcontractors adhere to the same safeguards.