DATA SETS IN RESEARCH
Privacy Rule primarily addresses identifiable and de-identified
information. But it also includes a middle option that
allows the use and disclosure of select identifiers with
only limited Privacy Rule requirements. This middle option,
called the Limited Data Set, can be used for research,
health care operations and public health purposes only.
policy defines limited data sets and outlines the procedures
investigators should consider to gain access to limited
data sets from Partners HealthCare System.
is a Limited Data Set?
A limited data set is personal health information that
excludes the following direct identifiers of an individual
or of relatives, employers or household members of the
address information (e.g., street address, but town,
city, state, zip code, and other geographic identifiers
plan beneficiary numbers
identifiers and serial numbers, including license plates
identifiers and serial numbers
universal resource locators (URLs)
protocol (IP) address
identifiers, including finger and voice prints
photos and comparable images.
Data Sets can include the following identifiers:
A limited data set can include town, city, State and
zip code, but no street address.
A limited data set can include dates relating to an
individual (e.g., birth date, admission and discharge
A limited data set can include any unique identifying
number, characteristic or code other than those specified
in the list of 16 identifiers that are expressly disallowed.
requirements/restrictions for use and/or disclosure of
limited data set:
data sets may NOT be used to reidentify or contact an
"minimum necessary" standard applies to the
limited data set, which means a researcher must explain
that the data elements requested are necessary for the
Data Use Agreement must be signed by the covered entity
and the recipient of the Limited Data Set.
requirement of accounting for disclosures of protected
health information (PHI) does not apply.
is a Data Use Agreement?
The Data Use Agreement is a specific document that (1)
describes the permitted uses and disclosures of the information
and (2) prohibits any attempt to reidentify or contact
the individuals. The agreement is between the investigator
and the institution, through its privacy officer. For
a list of Privacy Officers by institution, please see
HIPAA Central website (PHS internal only link). The template language for a
Data Use Agreement may also be found on this web site
when it becomes available.
investigator should submit his/her protocol to the Partners
Human Research Committee and specify that a Limited
Data Set will be used. The PHRC will determine if the
protocol is exempt or requires review under the Common
Rule. Additional information about Data Use Agreements
is available in the Partners
Limited Data Sets Policy/Data Use Agreements (PHS internal only link).
the PHRC determines the research is exempt under the
Common Rule, the investigator may begin research as
soon as the data use agreement is in place.
Access to a limited data set from patient medical records
or the Research Patient Data Registry (RPDR) will require
the investigator to provide to Medical Records and/or
the RPDR both the completed data use agreement and the
notification of the PHRC's exemption.
If the PHRC determines that the protocol is subject
to the Common Rule, the investigator should send a copy
of the signed data use agreement to the Privacy Officer.
This submission should include the protocol number.
to a limited data set from patient medical records
or the Research Patient Data Registry (RPDR) will
require that the investigator provide to Medical Records
and/or the RPDR both the completed data use agreement
and an IRB protocol number.