The Privacy Rule primarily addresses identifiable and de-identified information. But it also includes a middle option that allows the use and disclosure of select identifiers with only limited Privacy Rule requirements. This middle option, called the Limited Data Set, can be used for research, health care operations and public health purposes only.

This policy defines limited data sets and outlines the procedures investigators should consider to gain access to limited data sets from Partners HealthCare System.

What is a Limited Data Set?

A limited data set is personal health information that excludes the following direct identifiers of an individual or of relatives, employers or household members of the individual:

  1. Names
  2. Postal address information (e.g., street address, but town, city, state, zip code, and other geographic identifiers are permitted)
  3. Telephone numbers
  4. FAX numbers
  5. Electronic mail addresses
  6. SSN
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers, including license plates
  12. Device identifiers and serial numbers
  13. Web universal resource locators (URLs)
  14. Internet protocol (IP) address
  15. Biometric identifiers, including finger and voice prints
  16. Full-face photos and comparable images.

Limited Data Sets can include the following identifiers:

  1. Geographic data:
    A limited data set can include town, city, State and zip code, but no street address.
  2. Dates:
    A limited data set can include dates relating to an individual (e.g., birth date, admission and discharge date).
  3. Other unique identifiers:
    A limited data set can include any unique identifying number, characteristic or code other than those specified in the list of 16 identifiers that are expressly disallowed.

Important requirements/restrictions for use and/or disclosure of limited data set:

  • Limited data sets may NOT be used to reidentify or contact an individual.
  • The "minimum necessary" standard applies to the limited data set, which means a researcher must explain that the data elements requested are necessary for the research.
  • A Data Use Agreement must be signed by the covered entity and the recipient of the Limited Data Set.
  • The requirement of accounting for disclosures of protected health information (PHI) does not apply.

What is a Data Use Agreement?

The Data Use Agreement is a specific document that (1) describes the permitted uses and disclosures of the information and (2) prohibits any attempt to reidentify or contact the individuals. The agreement is between the investigator and the institution, through its privacy officer. For a list of Privacy Officers by institution, please see the Partners HIPAA Central website (PHS internal only link). The template language for a Data Use Agreement may also be found on this web site when it becomes available.

PHRC Policy:

  1. An investigator should submit his/her protocol to the Partners Human Research Committee and specify that a Limited Data Set will be used. The PHRC will determine if the protocol is exempt or requires review under the Common Rule. Additional information about Data Use Agreements is available in the Partners Limited Data Sets Policy/Data Use Agreements (PHS internal only link).

  2. If the PHRC determines the research is exempt under the Common Rule, the investigator may begin research as soon as the data use agreement is in place.

    Access to a limited data set from patient medical records or the Research Patient Data Registry (RPDR) will require the investigator to provide to Medical Records and/or the RPDR both the completed data use agreement and the notification of the PHRC's exemption.

  3. If the PHRC determines that the protocol is subject to the Common Rule, the investigator should send a copy of the signed data use agreement to the Privacy Officer. This submission should include the protocol number.

    Access to a limited data set from patient medical records or the Research Patient Data Registry (RPDR) will require that the investigator provide to Medical Records and/or the RPDR both the completed data use agreement and an IRB protocol number.