
Which of the following are true statements about limited data sets?

A limited data set under HIPAA is still PHI, but with 16 specific direct identifiers removed, and it can be used or disclosed only for research, public health, or health care operations under a data use agreement.

What a limited data set is

  • A limited data set is protected health information (PHI) that has had 16 direct identifiers removed, as defined by the HIPAA Privacy Rule and related guidance.
  • Even after these identifiers are removed, the information is still considered PHI and remains subject to HIPAA privacy protections.

Required removal of identifiers

  • The 16 direct identifiers that must be removed include items such as names, street addresses (other than city, state, and ZIP), phone numbers, email addresses, Social Security numbers, medical record numbers, account numbers, and full-face photos.
  • These identifiers must be removed not only for the individual but also for relatives, employers, and household members for the dataset to qualify as a limited data set.

What can remain in the data

  • Certain information like city, state, ZIP code, dates (such as admission, discharge, birth, and death dates), age, gender, and non-direct clinical details may remain in a limited data set.
  • Because these elements remain, a limited data set is less identifiable than full PHI but more detailed than fully de-identified data.

Permitted purposes for use/disclosure

  • Limited data sets can be used or disclosed only for research, public health activities, or health care operations; they are not permitted for general purposes such as marketing or routine disclosures unrelated to these activities.
  • Common examples include outcomes research, quality improvement analyses, and public health surveillance that do not require direct identifiers.

Data Use Agreement requirement

  • When disclosing a limited data set to an external party, the covered entity must obtain satisfactory assurances in the form of a Data Use Agreement (DUA) signed by the recipient.
  • The DUA typically specifies permitted uses and disclosures, prohibits re-identification or contacting individuals, and requires safeguards to protect the information.

Putting the “true” statements together

  • Statements saying that a limited data set:
    • is PHI with 16 specific direct identifiers removed,
    • can be used/disclosed only for research, public health, or health care operations, and
    • requires a signed Data Use Agreement for disclosure
      are all accurate under HIPAA.

So if your options match those three descriptions and then offer “All of the above,” that combined option is the correct choice.
