Awareness article
Limited Data Set
What a limited data set is under HIPAA, how it differs from fully identified PHI and de-identified data, and when healthcare teams still need controls.
Short answer
A limited data set is not fully de-identified data. It excludes certain direct identifiers but can still be regulated and still requires controls and an appropriate agreement for the permitted use.
With those identifiers removed, it still sits in a governed middle ground where the data may remain sensitive and must be handled deliberately.
Why limited data set confusion matters
Teams sometimes hear “limited” and assume “safe.” In reality, the operational question is whether the remaining fields, the purpose, and the recipient still require controls and formal handling.
Related pages
Use De-Identified Data vs PHI for the nearby concept, Google Drive if the issue is sharing exports, and /security for the broader safeguard discussion.