A Limited Data Set (LDS) is a type of Protected Health Information (PHI) defined by the HIPAA Privacy Rule that strips 16 categories of direct identifiers—such as names, Social Security numbers, and medical record numbers—while retaining elements like full dates and geographic subdivisions no smaller than a state. This creates a partially de-identified dataset that is less restrictive than fully de-identified data but more protective than a complete medical record, striking a balance between privacy and analytical utility.
Glossary
Limited Data Set

What is a Limited Data Set?
A Limited Data Set is a specific category of Protected Health Information defined by HIPAA that excludes 16 direct identifiers but may include dates and geographic subdivisions, usable for research, public health, and healthcare operations under a Data Use Agreement.
Disclosure of a Limited Data Set requires a Data Use Agreement (DUA) between the covered entity and the recipient, which legally binds the recipient to use the data only for specified purposes—typically research, public health, or healthcare operations—and prohibits re-identification. Unlike the HIPAA Safe Harbor method, which demands removal of all 18 identifiers, the LDS provision permits the retention of dates and certain geographic information, making it invaluable for longitudinal studies and epidemiological analyses where temporal and regional context is essential.
Key Characteristics of a Limited Data Set
A Limited Data Set (LDS) occupies a critical middle ground in HIPAA privacy regulations—it is PHI stripped of 16 direct identifiers but may retain dates and geographic subdivisions, enabling research and public health activities under a Data Use Agreement.
The 16 Excluded Direct Identifiers
To qualify as an LDS, the following direct identifiers must be removed from the protected health information:
- Names
- Postal address information (except town/city, state, and zip code)
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (including finger and voice prints)
- Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code
Permitted Identifiers: Dates & Geography
Unlike the HIPAA Safe Harbor method, an LDS may retain elements critical for longitudinal research:
- Dates: Admission, discharge, service, date of birth, and date of death may all be included
- Geographic subdivisions: Town, city, state, and 5-digit zip code are permitted
- Age: Age expressed in years, months, days, or hours (including ages over 89, which must be aggregated into a single category of "90 or older" under Safe Harbor)
This retention makes LDS uniquely valuable for temporal analysis and epidemiological studies where time-series data is essential.
Data Use Agreement Requirement
Disclosure of an LDS requires a legally binding Data Use Agreement (DUA) between the covered entity and recipient. The DUA must:
- Establish the permitted uses and disclosures of the LDS
- Limit who can use or receive the data
- Require the recipient to not re-identify the information or contact the individuals
- Implement appropriate safeguards to prevent unauthorized use
- Report any unauthorized use or disclosure
A DUA is distinct from a Business Associate Agreement (BAA)—the recipient of an LDS is not necessarily a business associate.
LDS vs. De-identified Data vs. PHI
Understanding the spectrum of identifiability is critical for compliance:
- Full PHI: Contains all 18 identifiers; unrestricted clinical use but maximum regulatory burden
- Limited Data Set: Strips 16 direct identifiers but retains dates and geography; requires a DUA for disclosure
- De-identified (Safe Harbor): All 18 identifiers removed; no longer considered PHI and exempt from HIPAA
- De-identified (Expert Determination): A statistician certifies re-identification risk is very small; also exempt
An LDS remains protected health information under HIPAA and is subject to the Privacy Rule's administrative requirements.
Common Use Cases for Limited Data Sets
The LDS framework enables critical secondary uses of clinical data:
- Clinical research: Retrospective cohort studies requiring temporal analysis of outcomes
- Public health surveillance: Disease trend monitoring across geographic regions
- Healthcare operations: Quality improvement initiatives and population health analytics
- Comparative effectiveness research: Evaluating treatment protocols over time
- Health services research: Analyzing utilization patterns and cost-effectiveness
Without the LDS provision, researchers would face the binary choice of using fully identifiable PHI or losing essential temporal and geographic context.
Re-identification Risk Considerations
While an LDS is considered a lower-risk form of PHI, it is not immune to linkage attacks:
- The combination of date of birth, zip code, and gender can uniquely identify a significant percentage of the U.S. population (as demonstrated by Latanya Sweeney's foundational work)
- Retained dates create temporal signatures that may correlate with publicly known events
- Geographic subdivisions combined with rare conditions can narrow the population of interest
Organizations should conduct re-identification risk assessments and implement technical safeguards such as date shifting or geographic generalization when the risk profile warrants additional protection.
Limited Data Set vs. De-identification vs. PHI
A technical comparison of three distinct HIPAA-defined data states, detailing the permissible identifiers, regulatory requirements, and applicable use cases for each classification.
| Feature | Protected Health Information (PHI) | Limited Data Set (LDS) | De-identified Data (Safe Harbor) |
|---|---|---|---|
Regulatory Definition | Individually identifiable health information held or transmitted by a covered entity or business associate. | PHI that excludes 16 specific direct identifiers but may include dates and geographic subdivisions. | Data where all 18 Safe Harbor identifiers have been removed, and the covered entity has no actual knowledge of re-identification risk. |
Direct Identifiers Permitted | All 18 identifiers permitted. | Dates of admission, discharge, birth, death; and geographic units larger than a state (e.g., city, ZIP code with first 3 digits). | None of the 18 identifiers permitted. |
Number of Identifiers Removed | 0 | 16 | 18 |
Requires a Data Use Agreement (DUA) | |||
Requires a Business Associate Agreement (BAA) | |||
Subject to HIPAA Privacy Rule | |||
Re-identification Risk | Identifiable by definition. | Moderate; quasi-identifiers like dates and ZIP codes remain, enabling potential linkage attacks. | Very low by statistical standard; re-identification must not be reasonably possible. |
Primary Use Case | Treatment, payment, and healthcare operations (TPO). | Research, public health, and healthcare operations where temporal or geographic analysis is required. | Open data sharing, large-scale analytics, and machine learning model training without privacy constraints. |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about creating, using, and safeguarding Limited Data Sets under the HIPAA Privacy Rule.
A Limited Data Set (LDS) is a specific type of protected health information (PHI) defined by the HIPAA Privacy Rule that excludes 16 categories of direct identifiers but may include certain dates and geographic subdivisions. It functions as a critical middle ground between fully identified PHI and completely de-identified data, enabling research, public health, and healthcare operations without individual authorization. The mechanism requires the covered entity to strip all 16 direct identifiers—such as names, social security numbers, and medical record numbers—while retaining elements like admission and discharge dates, dates of service, and city or ZIP code. Access to an LDS is not freely granted; it is strictly governed by a Data Use Agreement (DUA), a legally binding contract that specifies the permitted uses, prohibits re-identification, and establishes security safeguards. This structure allows organizations to share valuable clinical data for comparative effectiveness studies or epidemiological analysis while maintaining a robust privacy posture.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding the Limited Data Set requires context within the broader HIPAA de-identification landscape. These related concepts define the boundaries between fully identified, de-identified, and the intermediate LDS state.
HIPAA Safe Harbor
The Safe Harbor method requires the removal of 18 specific identifiers to achieve full de-identification. Unlike a Limited Data Set, Safe Harbor data strips all dates and geographic subdivisions smaller than a state.
- Removes all 18 identifiers, including admission/discharge dates
- No Data Use Agreement required for release
- Data is no longer considered PHI under HIPAA
Data Use Agreement (DUA)
A Data Use Agreement is the legally binding contract required before a covered entity can release a Limited Data Set to a recipient. It establishes the permitted uses and prohibits re-identification.
- Specifies who may use or receive the LDS
- Requires recipient to agree not to re-identify the data
- Violations are treated as a breach of the HIPAA Privacy Rule
Expert Determination
An alternative de-identification method where a qualified statistician certifies that the risk of re-identification is very small. This method can retain more data utility than Safe Harbor while achieving de-identified status.
- Applies statistical and scientific principles
- May retain dates and geographies if risk is low
- Results in fully de-identified data, not an LDS
De-identification
The overarching process of removing or obscuring personally identifiable information so data cannot be reasonably linked to an individual. The Limited Data Set is a specific, intermediate state within this spectrum.
- Spectrum ranges from fully identified to anonymized
- LDS sits between fully identified and de-identified
- Governed by the HIPAA Privacy Rule §164.514
Re-identification Risk
The statistical probability that an attacker can correctly link de-identified or limited data records back to a specific individual using auxiliary information. LDS carries inherently higher risk due to retained dates and geographies.
- Quasi-identifiers like ZIP code and DOB are high-risk
- Linkage attacks exploit public datasets
- DUA mitigates legal risk but not statistical risk
Pseudonymization
A data protection technique that replaces direct identifiers with artificial pseudonyms, allowing re-linking under controlled conditions. Unlike an LDS, pseudonymization retains the key to reverse the process.
- Reversible under controlled conditions
- Common in clinical trial data management
- Distinct from the irreversible LDS framework

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us