What is identifiable protected health information (PHI)? Can health information be de-identified? What is a "limited data set"?

The Privacy Rule defines three categories of protected health information (PHI): identifiable information (to which the rule applies), de-identified information (to which the rule does not apply), and a limited data set (a middle option, to which limited parts of the rule apply). Each is explained below.

Identifiable information. The Privacy Rule defines "identifiable" information as information with any personal identifiers, as well as information about an individual, or his or her relatives, household members, or employer that alone or in combination could identify the individual. For more detail, see the list of 18 identifiers that must be removed to de-identify the information.

De-identified information. PHI that has been de-identified may be used without authorization and is not covered by the Privacy Rule. See the fact sheet on de-identification.

Limited data set. This is a data set that is not fully de-identified according to the Privacy Rule regulations. While it excludes 15 of the 18 personal identifiers listed for de-identification, it allows the retention of:

  • Dates (e.g., date of birth, admission and discharge date)
  • Some geographic information (city, state and ZIP code, but not street address) and other unique codes and characteristics that are not expressly excluded.

Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked). There are restrictions on the use of limited data sets, including:

  • The limited data set option is available only for research, health care operations, and public health purposes.
  • AND, the following two requirements apply:
    1.  the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
    2.  the recipient must agree to a "data use agreement", which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals. A data use agreement is an agreement between the covered entity (perhaps via the Privacy Officer) and the recipient of the data. Note that a data use agreement is required for recipients that are both internal and external to the covered entity.

