Category: Privacy

Date: March 2003

Reviewed/Revised: April 2013

1. Definition

A limited data set is protected health information (PHI) that excludes direct identifiers of the patient or of the patient's relatives, employers or household members. A limited data set is not "de-identified" data because certain data fields, such as zip codes, are retained. The direct identifiers are:

  • Name
  • Postal address information, other than town or city, state and zip code
  • Telephone numbers, fax numbers
  • Electronic mail addresses
  • Social security number
  • Medical records numbers
  • Health Plan beneficiaries
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device number and serial numbers
  • Web universal resource locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photographic images and any comparable images

2. Use of Limited Data Set

  1. The Privacy Act permits the creation and dissemination of a limited data set (that does not include the direct identifiers listed above) for research, public health or health care operations.
  2. Limited data sets may be disclosed for permissible purposes without an authorization or IRB review; however, use or disclosure of a limited data set is subject to the minimum necessary rule.
  3. Use or disclosure of a limited data set requires a data use agreement between EVMS Medical Group and the recipient. The recipient of the limited data set must agree to limit the use of the information to the purposes specified in the agreement, to ensure the security of the data, and not to identify the information or use it to contact any individual.

3. Violations of Data Use Agreement

EVMS Medical Group must resolve known breaches of the agreement, or discontinue disclosures and report problems to the Department of Health and Human Services (DHHS).