As a covered entity, it's your responsibility to familiarize yourself with relevant terms and definitions surrounding the Health Insurance Portability and Accountability Act (HIPAA) of 1996. One such term that's frequently used is “limited data sets.” So, what in the world is a limited data set and how does it pertain to HIPAA?

When speaking in the context of HIPAA, a limited data set is a collection of personally identifiable data as defined under the Privacy Regulations of HIPAA. Its key characteristic is the removal of facial identifiers, such as those that relate to the respective customer or healthcare patient. Technical jargon aside, a limited data set is exactly what it sounds like: healthcare data about a patient that's limited in nature, often omitting the following information:

  • Names
  • Street addresses
  • Phone numbers
  • Email addresses
  • Social Security numbers
  • Medical billing numbers
  • Health plan beneficiary numbers
  • Driver's license numbers
  • Website URLs
  • IP addresses
  • Biometric identifiers
  • Face photos

After reading the identifiers above that must be excluded from limited data sets, you might be wondering what data can be included. Information that may be included in a limited data set includes date of birth, city, state, zip code, and ages.

It's a common assumption that limited data sets are not covered under HIPAA. As noted by the Office for Civil Rights (OCR), however, limited data sets are still classified as Protected Health Information (PHI). This means covered entities must still follow the Security, Privacy and Administrative Rules to protect the data from unauthorized use or disclosure. Turning a blind eye to HIPAA compliance for limited data sets could result in fines, penalties or other corrective actions in the event of an audit.

HIPAA also contains certain provisions that specifically affect limited data sets. For instance, covered entities are required to take meaningful and reasonable steps to fix a data breach involving limited data sets. If the recipient of a limited data set is using the data in a manner that is not permitted in the agreement, the healthcare facility must work with the recipient to correct the issue.

You can learn more about limited data sets by visiting the Health and Human Services (HHS) official website at
