c.) Limited Data Sets
Covered entities may release limited data sets (LDS), from which certain direct patient identifiers have been removed, for research, public health, or health care operations purposes if the parties enter into a data use agreement (DUA).14 An LDS is PHI that excludes the following identifiers of the individual or of the individual’s relatives, employers, or household members:
- Names
- Postal address information except for town, city, state, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs) and Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photos and comparable images
An LDS allows covered entities to release slightly more information than de-identified data (e.g., geographic information and dates), but imposes greater restrictions on how the data may be used. An LDS may only be released for certain purposes (i.e., research, public health, or health care operations) and requires a covered entity to enter into a DUA with the recipient of the data set.
The DUA must: 1) establish the permitted uses and disclosures of the LDS; 2) identify the individuals who may use the LDS; 3) assure that the LDS recipient will: report any unlawful disclosures; require agents, including subcontractors, to agree to the same restrictions that apply to the recipient; install safeguards that prevent unlawful disclosures; and use the LDS only as permitted by the agreement or as required by law. The recipient also must agree not to re-identify the information or contact any individual whose information is part of the LDS.15