What you Need to Know about HIPAA Limited Data Sets

HIPAA was introduced in 1996 to protect the privacy of individual health data. The Health Insurance Portability and Accountability act dictates what is protected health data. It also discusses who is accountable for the data, and the regulations around storing and sharing that data.

Covered data includes names, addresses, treatments and diagnoses, and more. Anything that might be individually identifiable is included in HIPAA protected health information (PHI).

Ultimately, the priority of HIPAA is to keep individual patient healthcare data safe. This keeps the patient safe in doing so. 

Healthcare organizations are primarily bound by HIPAA, as well as some digital health software companies and businesses. For those operating outside of the healthcare industry, HIPAA regulations largely depend on the type of information stored.

For example, how do researchers provide valuable health information to the public when that information may be valuable? There is some information that can be utilized without HIPAA accounting requirements, called Limited Data Sets.

What is a Limited Data Set?

A Limited Data Set (LDS) is a selection of protected health information. However, the information omits certain identifiers. This might be individual identifies, or those relating to relatives, employers or other entities. 

The omitted information is referred to as direct identifiers. These are pieces of information relating to an individual that makes the PHI identifiable. For example, these might include:

• Names

• Addresses

• Telephone Numbers

• Email Addresses

• Social Security Numbers

• Account Numbers

• Full Photographs

• And more

These direct identifiers must be removed from the pool of information for it to qualify as a Limited Data Set. If any identifiable information remains, then the use of the data could result in a significant violation.

Generally, they might include information like treatment, diagnoses, treatment success or timelines, demographics and information related to an illness. This information might be useful for research purposes, and identifying information is not needed.

However, Limited Data Sets are slightly complex, as they are still classified as protected health information (PHI) under HIPAA. They are not the same as de-identified data, which is no longer considered PHI. 

As a result, Limited Data Sets are still subject to HIPAA requirements. However, they are not subject to HIPAA accounting requirements. What’s more building (and documenting how you built) a limited data set is challenging and generally it’s best to work with organizations who’ve been through this process before. 

Utilizing Limited Data Sets

Limited Data Sets are typically used for specific purposes. They are not accessible by anyone, like de-identified health information that is often shared by governments or governing bodies.

They are often used for research purposes or in the interest of public health. For example, Limited Data Sets would have been useful in the research of COVID-19. 

The sets might have included information on patients contracting COVID, their treatment, and their symptoms. In this instance, the information was useful in identifying future COVID cases, and learning how to help deal with the symptoms. 

Limited Data Sets can be invaluable in protecting public health. They can also drive research into life-changing diseases like cancer. To researchers and public health bodies, LDS’s are critical.

In digital health development, limited data sets are also useful. AI or machine learning within the sector often require access to databases of information, in order to learn. Artificial intelligence is a growing area of research in the healthcare sector. However, it has the potential to speed up diagnoses and treatment, and more, with access to the right health information.

It’s important to note that these organizations must still remain compliant. HIPAA is still applicable to their information, regardless of its’ use. The HIPAA accounting requirement is the only regulation that isn’t necessary for the disclosure of Limited Data Sets.

The accounting requirement mandates that a patient/person has the right to request a record of their utilized data. Therefore, the data must be kept securely, and confidentiality is key. Organizations simply don’t need to disclose the utilization of the information in the same way.

De-Identified Protected Health Information

Limited Data Sets should be confused with de-identified personal health information. 

De-identified personal health information is data that has been stripped of all identifying factors. This doesn’t just mean the criteria for LDS, but any data that might lead to the identification of a patient. De-identified information will omit more than just the previously stated direct identifiers. 

As a result, HIPAA no longer applies to this selection of information. The individual persons cannot be identified from the information, therefore it is safe to utilize.

Again, this information can be used for research and demonstrative purposes. 

Utilizing De-Identified Protected Health Information

De-identified data can be used for a number of reasons. Researchers can use the information to inform their hypotheses and experiments. However, it can be used on a more public scale than Limited Data Sets.

Researchers can demonstrate their findings. This information might be used in public health campaigns. For instance, information on COVID figures and uncovered symptoms were made available to the public. This presented valuable information to the public, allowing them to identify COVID, and get a full understanding of its spread.

Researchers in Utah utilized de-identified health information to help find the most effective care strategies for those with PTSD.

There are some instances where health information plays a part in the wider picture of public health. In these cases, access to health information is vital. 

At Vertrical, we have in-depth knowledge of the requirements of compliance regulations. We know how to safely utilize data, within our development projects. Our priority is to keep your organization and sensitive data safe, while producing the best possible tech solution.

Get in touch with us today to learn more about compliant digital health development.

Learn more about HIPAA and Development with our HIPAA Compliance Checklist