Create a HIPAA limited data set with data-use agreement – CCPA/HIPAA-compliant de-identification per 45 CFR §164.514(e)
A limited data set under 45 CFR §164.514(e) retains certain PHI — including dates, geographic subdivisions, and ages — while removing direct identifiers, and may be disclosed for research, public health, or healthcare operations under a data-use agreement. anonym.legal removes the required direct identifiers while preserving the permitted quasi-identifiers so the dataset remains analytically useful.
When this applies
Use this workflow when a researcher or public health authority needs date-level and sub-state geographic precision that Safe Harbor would eliminate, and a signed data-use agreement covering the permitted purposes under §164.514(e)(3) is in place.
How anonym.legal handles it
- Upload the source PHI dataset to anonym.legal.
- The engine removes all 16 direct identifiers that must be stripped under §164.514(e)(2): names; postal address information other than town, city, state, and ZIP code; telephone numbers; fax numbers; email addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers; device identifiers; web URLs; IP addresses; biometric identifiers; and full-face photographs.
- Dates — including admission dates, discharge dates, dates of service, and dates of birth — are retained as permitted under §164.514(e), along with town, city, state, and ZIP code geographic fields.
- The engine generates a data-use agreement template pre-populated with the required provisions from §164.514(e)(4): permitted uses and disclosures, prohibition on re-identification, prohibition on contacting individuals, and safeguarding obligations.
- The limited data set file and the data-use agreement template are delivered together as a compliance package.
- The parties execute the data-use agreement before the limited data set is transmitted.
What you provide
- Source PHI dataset (CSV, XLSX, or HL7 FHIR JSON)
- Description of the research, public health, or healthcare operations purpose
- Recipient organization details for data-use agreement generation
Limitations & cautions
- A limited data set is still PHI under the Privacy Rule and must be disclosed only under a compliant data-use agreement covering the permitted purposes in §164.514(e)(3) — it is not equivalent to a de-identified dataset.
- Retaining full ZIP codes and dates means residual re-identification risk in small geographic areas or rare-disease populations; consult a statistician for datasets with small cell sizes.
- The data-use agreement template provided is a starting-point document; legal review is required before execution.
FAQ
What purposes can a limited data set be used for?
Under §164.514(e)(3), a limited data set may be used or disclosed only for research, public health, or health care operations. It cannot be used for treatment, payment functions that require individual-level PHI, or commercial marketing. The data-use agreement must specify the permitted purpose.
Is a limited data set covered by the HIPAA Security Rule?
Yes. A limited data set is PHI, and if it exists in electronic form it is ePHI subject to the Security Rule safeguards at 45 CFR §164.302–§164.318. Recipients who are business associates must execute a BAA in addition to the data-use agreement.
Can a limited data set include dates of death?
Yes. Dates — including dates of death — are among the permitted retained elements under §164.514(e)(2). The prohibition applies only to the 16 direct identifiers listed; dates are preserved as analytically necessary data elements.