Inferensys

Glossary

Limited Data Set

A Limited Data Set is protected health information that excludes 16 specific direct identifiers but may include dates and geographic subdivisions, usable for research, public health, or healthcare operations under a Data Use Agreement.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
HIPAA PRIVACY RULE

What is a Limited Data Set?

A Limited Data Set is a specific category of Protected Health Information defined by HIPAA that excludes 16 direct identifiers but may include dates and geographic subdivisions, usable for research, public health, and healthcare operations under a Data Use Agreement.

A Limited Data Set (LDS) is a type of Protected Health Information (PHI) defined by the HIPAA Privacy Rule that strips 16 categories of direct identifiers—such as names, Social Security numbers, and medical record numbers—while retaining elements like full dates and geographic subdivisions no smaller than a state. This creates a partially de-identified dataset that is less restrictive than fully de-identified data but more protective than a complete medical record, striking a balance between privacy and analytical utility.

Disclosure of a Limited Data Set requires a Data Use Agreement (DUA) between the covered entity and the recipient, which legally binds the recipient to use the data only for specified purposes—typically research, public health, or healthcare operations—and prohibits re-identification. Unlike the HIPAA Safe Harbor method, which demands removal of all 18 identifiers, the LDS provision permits the retention of dates and certain geographic information, making it invaluable for longitudinal studies and epidemiological analyses where temporal and regional context is essential.

HIPAA PRIVACY RULE

Key Characteristics of a Limited Data Set

A Limited Data Set (LDS) occupies a critical middle ground in HIPAA privacy regulations—it is PHI stripped of 16 direct identifiers but may retain dates and geographic subdivisions, enabling research and public health activities under a Data Use Agreement.

01

The 16 Excluded Direct Identifiers

To qualify as an LDS, the following direct identifiers must be removed from the protected health information:

  • Names
  • Postal address information (except town/city, state, and zip code)
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers (including license plates)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (including finger and voice prints)
  • Full-face photographic images and comparable images
  • Any other unique identifying number, characteristic, or code
02

Permitted Identifiers: Dates & Geography

Unlike the HIPAA Safe Harbor method, an LDS may retain elements critical for longitudinal research:

  • Dates: Admission, discharge, service, date of birth, and date of death may all be included
  • Geographic subdivisions: Town, city, state, and 5-digit zip code are permitted
  • Age: Age expressed in years, months, days, or hours (including ages over 89, which must be aggregated into a single category of "90 or older" under Safe Harbor)

This retention makes LDS uniquely valuable for temporal analysis and epidemiological studies where time-series data is essential.

03

Data Use Agreement Requirement

Disclosure of an LDS requires a legally binding Data Use Agreement (DUA) between the covered entity and recipient. The DUA must:

  • Establish the permitted uses and disclosures of the LDS
  • Limit who can use or receive the data
  • Require the recipient to not re-identify the information or contact the individuals
  • Implement appropriate safeguards to prevent unauthorized use
  • Report any unauthorized use or disclosure

A DUA is distinct from a Business Associate Agreement (BAA)—the recipient of an LDS is not necessarily a business associate.

04

LDS vs. De-identified Data vs. PHI

Understanding the spectrum of identifiability is critical for compliance:

  • Full PHI: Contains all 18 identifiers; unrestricted clinical use but maximum regulatory burden
  • Limited Data Set: Strips 16 direct identifiers but retains dates and geography; requires a DUA for disclosure
  • De-identified (Safe Harbor): All 18 identifiers removed; no longer considered PHI and exempt from HIPAA
  • De-identified (Expert Determination): A statistician certifies re-identification risk is very small; also exempt

An LDS remains protected health information under HIPAA and is subject to the Privacy Rule's administrative requirements.

05

Common Use Cases for Limited Data Sets

The LDS framework enables critical secondary uses of clinical data:

  • Clinical research: Retrospective cohort studies requiring temporal analysis of outcomes
  • Public health surveillance: Disease trend monitoring across geographic regions
  • Healthcare operations: Quality improvement initiatives and population health analytics
  • Comparative effectiveness research: Evaluating treatment protocols over time
  • Health services research: Analyzing utilization patterns and cost-effectiveness

Without the LDS provision, researchers would face the binary choice of using fully identifiable PHI or losing essential temporal and geographic context.

06

Re-identification Risk Considerations

While an LDS is considered a lower-risk form of PHI, it is not immune to linkage attacks:

  • The combination of date of birth, zip code, and gender can uniquely identify a significant percentage of the U.S. population (as demonstrated by Latanya Sweeney's foundational work)
  • Retained dates create temporal signatures that may correlate with publicly known events
  • Geographic subdivisions combined with rare conditions can narrow the population of interest

Organizations should conduct re-identification risk assessments and implement technical safeguards such as date shifting or geographic generalization when the risk profile warrants additional protection.

HIPAA DATA CLASSIFICATION COMPARISON

Limited Data Set vs. De-identification vs. PHI

A technical comparison of three distinct HIPAA-defined data states, detailing the permissible identifiers, regulatory requirements, and applicable use cases for each classification.

FeatureProtected Health Information (PHI)Limited Data Set (LDS)De-identified Data (Safe Harbor)

Regulatory Definition

Individually identifiable health information held or transmitted by a covered entity or business associate.

PHI that excludes 16 specific direct identifiers but may include dates and geographic subdivisions.

Data where all 18 Safe Harbor identifiers have been removed, and the covered entity has no actual knowledge of re-identification risk.

Direct Identifiers Permitted

All 18 identifiers permitted.

Dates of admission, discharge, birth, death; and geographic units larger than a state (e.g., city, ZIP code with first 3 digits).

None of the 18 identifiers permitted.

Number of Identifiers Removed

0

16

18

Requires a Data Use Agreement (DUA)

Requires a Business Associate Agreement (BAA)

Subject to HIPAA Privacy Rule

Re-identification Risk

Identifiable by definition.

Moderate; quasi-identifiers like dates and ZIP codes remain, enabling potential linkage attacks.

Very low by statistical standard; re-identification must not be reasonably possible.

Primary Use Case

Treatment, payment, and healthcare operations (TPO).

Research, public health, and healthcare operations where temporal or geographic analysis is required.

Open data sharing, large-scale analytics, and machine learning model training without privacy constraints.

HIPAA COMPLIANCE

Frequently Asked Questions

Clear, technically precise answers to the most common questions about creating, using, and safeguarding Limited Data Sets under the HIPAA Privacy Rule.

A Limited Data Set (LDS) is a specific type of protected health information (PHI) defined by the HIPAA Privacy Rule that excludes 16 categories of direct identifiers but may include certain dates and geographic subdivisions. It functions as a critical middle ground between fully identified PHI and completely de-identified data, enabling research, public health, and healthcare operations without individual authorization. The mechanism requires the covered entity to strip all 16 direct identifiers—such as names, social security numbers, and medical record numbers—while retaining elements like admission and discharge dates, dates of service, and city or ZIP code. Access to an LDS is not freely granted; it is strictly governed by a Data Use Agreement (DUA), a legally binding contract that specifies the permitted uses, prohibits re-identification, and establishes security safeguards. This structure allows organizations to share valuable clinical data for comparative effectiveness studies or epidemiological analysis while maintaining a robust privacy posture.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.