HIPAA provides multiple exceptions (or permissions) for obtaining PHI for research purposes, and the documentation requirements for each exception may vary. The most common HIPAA documents used for research are the Research Authorization, Partial Waiver, and Complete Waiver.
Determining which particular exception (and its corresponding documentation) is appropriate depends upon:
- the source of the PHI
- the purpose for viewing and/or collecting the data, and
- whether or not the researcher will have contact with the subject of the information.
HIPAA Privacy Guidance UD-13 (log-in required) provides further information on obtaining information for research.
A de-identified data set is health information from which all of the 18 HIPAA identifiers have been removed. If a data set has been classified as “de-identified” the HIPAA regulations no longer control its use or disclosure.
A limited data set (LDS) is PHI from which most, but not all, of the 18 HIPAA identifiers have been removed. It is similar to a de-identified data set but includes additional identifying elements such as dates or zip codes. Unlike a de-identified data set, a limited data set is still considered PHI under HIPAA and must be protected.
HIPAA allows covered entities to create, use, or disclose an LDS for certain limited purposes, including research, but a Data Use Agreement is required to be signed by the LDS recipient. By signing this agreement, the recipient attests that the data will be protected and only used for its intended purpose.
To qualify as a limited data set, the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:
- Names, including initials;
- Postal address information, other than town or city, State and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers/serial numbers;
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
An LDS provides a researcher more information than a de-identified data set; however, it is more limiting than information obtained through a research authorization. Under HIPAA’s LDS exception, a researcher cannot:
- attempt to identify the individuals (who are the subjects of the information), or
- contact the individuals for further information, or
- obtain or use information about the individuals beyond what is included in the LDS.
HIPAA Privacy Guidance UD-18 (log-in required) provides further information on limited data sets and Data Use Agreements.