Are Limited Data Sets “Unsecured PHI”? A Guide to HITECH's Rules for Researchers
Executive Summary
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA’s enforcement provisions, particularly in relation to the handling of unsecured protected health information (PHI). Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI generally triggers a duty to notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media.
But what about limited data sets: datasets from which certain direct identifiers have been removed, but which still contain enough information to be considered PHI? For researchers, understanding whether limited data sets count as “unsecured PHI” under HITECH is essential for designing compliant research protocols and avoiding breach notification obligations.
Defining Limited Data Sets Under HIPAA
A Limited Data Set (LDS), as defined in 45 CFR § 164.514(e), is a form of protected health information (PHI) from which 16 categories of direct identifiers have been removed. These identifiers include personal details of the individual and of their relatives, employers, or household members, such as names, full street addresses, Social Security numbers, telephone numbers, email addresses, medical record numbers, and biometric identifiers.
However, an LDS can still contain certain indirect identifiers. For example:
- Geographic information at the city, state, and ZIP code level
- Dates related to the individual, such as admission, discharge, birth, or death dates
- Unique codes or characteristics, as long as they are not derived from the excluded identifiers
Because an LDS still includes some elements that could potentially identify an individual, it remains classified as PHI under HIPAA. However, it is subject to less stringent use and disclosure restrictions than fully identifiable PHI. Use or disclosure of an LDS is permitted for specific purposes, such as research, public health activities, or healthcare operations, provided that a data use agreement is in place to protect the information and limit re-identification.
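The following script illustrates the definition above by deriving a limited data set from a fully identified record and then checking what is left. It is an added example, not code from the article; it goes beyond the article's partial list by covering all 16 excluded identifier categories as enumerated in 45 CFR § 164.514(e)(2), and it searches nested sub-records because the exclusion also covers identifiers of relatives, employers and household members. The field names (e.g. `mrn`, `next_of_kin`) and the sample record are constructed for illustration.

```python
"""Derive a HIPAA Limited Data Set (LDS) from a fully identified record.

Added example; not the article's own code. The 16 excluded categories
follow 45 CFR 164.514(e)(2). Field names and the sample record are
constructed for illustration.
"""

# Constructed field name -> the excluded identifier category it stands for.
LDS_EXCLUDED_FIELDS = {
    "name": "names",
    "street_address": "postal address other than city, state and ZIP",
    "phone": "telephone numbers",
    "fax": "fax numbers",
    "email": "electronic mail addresses",
    "ssn": "social security numbers",
    "mrn": "medical record numbers",
    "health_plan_id": "health plan beneficiary numbers",
    "account_number": "account numbers",
    "license_number": "certificate/license numbers",
    "vehicle_id": "vehicle identifiers and serial numbers, incl. plates",
    "device_id": "device identifiers and serial numbers",
    "url": "web universal resource locators",
    "ip_address": "internet protocol addresses",
    "biometric_id": "biometric identifiers, incl. finger and voice prints",
    "face_photo": "full-face photographs and comparable images",
}

# Indirect identifiers an LDS may retain; their presence is exactly what
# keeps an LDS classified as PHI rather than de-identified data.
LDS_RETAINED_INDIRECT = {
    "city", "state", "zip",
    "birth_date", "admission_date", "discharge_date", "death_date",
}


def find_direct_identifiers(record, path=""):
    """Return dotted paths of every excluded identifier field in `record`.

    Nested dictionaries (e.g. a next-of-kin sub-record) are searched too,
    since the exclusion covers relatives, employers and household members.
    """
    found = []
    for field, value in record.items():
        full = f"{path}.{field}" if path else field
        if field in LDS_EXCLUDED_FIELDS:
            found.append(full)
        elif isinstance(value, dict):
            found.extend(find_direct_identifiers(value, full))
    return found


def to_limited_data_set(record):
    """Return a copy of `record` with all 16 excluded categories removed,
    recursing into sub-records. Dates, ZIP codes and study codes survive."""
    lds = {}
    for field, value in record.items():
        if field in LDS_EXCLUDED_FIELDS:
            continue
        lds[field] = to_limited_data_set(value) if isinstance(value, dict) else value
    return lds


def _all_fields(record):
    for field, value in record.items():
        yield field
        if isinstance(value, dict):
            yield from _all_fields(value)


def classify(record):
    """Classify a record. A result of 'no LDS identifiers present' does NOT
    mean de-identified: safe harbor or expert determination is a separate
    assessment."""
    if find_direct_identifiers(record):
        return "fully identified PHI"
    if any(f in LDS_RETAINED_INDIRECT for f in _all_fields(record)):
        return "limited data set (PHI)"
    return "no LDS identifiers present"


# Constructed sample: a fully identified row with a household-member sub-record.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "street_address": "1 Example Street",
    "city": "Springfield",
    "state": "XX",
    "zip": "00000",
    "birth_date": "1970-01-01",
    "admission_date": "2018-03-02",
    "discharge_date": "2018-03-09",
    "diagnosis_code": "I10",
    "study_code": "STUDY-A-0042",
    "next_of_kin": {"name": "John Example", "phone": "000-000-0000"},
}

if __name__ == "__main__":
    print(classify(SAMPLE_RECORD))                   # fully identified PHI
    lds = to_limited_data_set(SAMPLE_RECORD)
    print(classify(lds), sorted(lds))                # limited data set (PHI)
```

Running the script shows the practical point of the section: after stripping the 16 categories, the record still carries admission and discharge dates and a ZIP code, so `classify` still reports PHI, and the retained `study_code` is only acceptable because it is not derived from any of the removed identifiers.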
HITECH’s Definition of Unsecured PHI
HITECH defines unsecured PHI as PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodologies approved by HHS. Approved methods include:
- Encryption meeting NIST standards
- Secure destruction of physical records
- Proper disposal of electronic media
If a limited data set is not secured using one of these methods, it is considered unsecured PHI for breach notification purposes.
The Intersection of Limited Data Sets and Unsecured PHI
The key compliance point for researchers is this: a limited data set can still be unsecured PHI if it is not encrypted or otherwise secured according to HHS guidance.
This means that if a breach involves an LDS that is not properly secured, the covered entity (or business associate) must conduct a risk assessment under the Breach Notification Rule and, if necessary, notify affected individuals and HHS.
Real-Life Case Study: The Research Laptop Incident
In 2018, a university research center lost a laptop containing an unencrypted limited data set with patient admission and discharge dates, ZIP codes, and medical record numbers. While no direct identifiers like names or Social Security numbers were present, OCR determined the dataset was still unsecured PHI because it contained enough information to identify individuals when combined with other data sources.
The university had to notify over 2,000 individuals and report the incident to HHS, incurring reputational harm and significant administrative costs.
Lesson Learned: The absence of direct identifiers does not exempt a dataset from breach notification obligations if it is not properly secured.
Best Practices for Researchers Handling Limited Data Sets
- Encrypt Data at Rest and in Transit – Use encryption that meets NIST standards to secure datasets on devices, servers, and during transfers.
- Control Access – Restrict LDS access to authorized research team members and maintain audit logs of access.
- Use Data Use Agreements (DUAs) – DUAs define permissible uses, disclosures, and safeguards for the LDS.
- Train Research Staff – Ensure all team members understand the regulatory status of LDS and the consequences of a breach.
- Plan for Breach Response – Maintain an incident response plan that addresses LDS breaches.
Common Pitfalls and How to Avoid Them
Pitfall 1: Assuming Limited Data Sets Are Not PHI
Some researchers mistakenly believe removing certain identifiers removes HIPAA obligations.
How to Avoid It: Remember that an LDS remains PHI and is subject to HIPAA and HITECH rules unless de-identified according to the HIPAA safe harbor or expert determination methods.
Pitfall 2: Storing LDS on Unencrypted Devices
A common cause of breaches is storing datasets on laptops or portable media without encryption.
How to Avoid It: Require encryption for all devices containing PHI, including LDS, and verify compliance through periodic audits.
Pitfall 3: Overlooking Data in Transit
Sending an LDS via unencrypted email or insecure file transfer exposes it to interception.
How to Avoid It: Use a secure file transfer protocol such as SFTP, or an encrypted email solution approved by your compliance team.
Pitfall 4: Inadequate Data Use Agreements
Without a robust DUA, there may be unclear or insufficient safeguards.
How to Avoid It: Include specific security requirements, breach reporting obligations, and restrictions on further disclosure in all DUAs.
Pitfall 5: Insufficient Access Controls
Allowing broader access than necessary increases breach risk.
How to Avoid It: Apply the minimum necessary standard to all LDS handling, limiting access to essential personnel.
Pitfall 6: Failure to Train Research Staff
Even experienced researchers may not understand the breach implications of LDS.
How to Avoid It: Provide annual HIPAA training with specific modules on LDS handling and breach risk.
Pitfall 7: Ignoring State Law Requirements
Some states have breach notification laws with broader definitions than HIPAA.
How to Avoid It: Incorporate state-specific requirements into your research compliance program.
Pitfall 8: No Breach Response Testing
Without practice, a real incident may lead to delays and errors in notification.
How to Avoid It: Conduct annual breach response drills involving scenarios with LDS.
Limited Data Set Compliance Checklist
Requirement | How to Implement
Recognize LDS as PHI | Treat LDS as PHI unless fully de-identified per HIPAA.
Encrypt LDS data | Use HHS-approved encryption for data at rest and in transit.
Control access | Limit LDS access to authorized personnel only; maintain logs.
Use robust DUAs | Include security measures, breach reporting, and use restrictions.
Train staff annually | Educate research staff on LDS handling and breach obligations.
Secure data transmission | Use secure methods like SFTP or encrypted email for LDS sharing.
Comply with state laws | Integrate applicable state breach notification requirements.
Test breach response | Conduct yearly drills including LDS breach scenarios.
Final Thoughts and Recommended Next Steps
For researchers, the takeaway is clear: a Limited Data Set is still considered protected health information (PHI) under HIPAA, even though certain direct identifiers have been removed. This means it retains many of the same privacy and security obligations as fully identifiable PHI. Importantly, unless the data set is secured in accordance with HHS encryption and destruction guidance, it will be treated as unsecured PHI for breach notification purposes under the HITECH Act. In the event of unauthorized access, use, or disclosure, covered entities and business associates must follow the same breach reporting and notification procedures as they would for fully identifiable PHI. For research teams, this underscores the need to not only comply with data use agreements but also implement robust technical safeguards to minimize breach risk and ensure compliance.
Next Steps for Your Research Program:
- Review all research data handling practices for HIPAA and HITECH compliance
- Encrypt all devices and transmission methods used for LDS
- Update DUAs to include clear security requirements and breach reporting timelines
- Train all staff and maintain documentation of training and compliance checks
By treating limited data sets with the same security rigor as fully identifiable PHI, researchers can meet HITECH’s heightened security goals, protect research subjects, and reduce the risk of breach notification obligations.
A practical step to reinforce compliance is integrating a HITECH compliance system into your operations. These tools monitor requirements, perform ongoing risk reviews, and keep your practice prepared for audits, helping you avoid costly mistakes while presenting a proactive stance to oversight bodies.