HIPAA Privacy Program Guidance:
Human Subjects Research and HIPAA
HIPAA Privacy Program
v. 2016
identified, this limited amount of PHI consisting of certain geographic data and
dates may be adequate for a broader array of research studies than completely
De-Identified data.
• A Limited Data Set contains PHI that is nearly de-identified. A Limited Data Set
may NOT include any of the direct identifiers listed under the HIPAA definition of
De-Identified health information (see HIPAA Privacy Program Form Q) EXCEPT the
following:
o State, county, city, town, census tract, precinct, zip code or any other
geocodes above the level that would identify an individual household;
and/or
o All elements of dates directly related to an individual, including birth date,
admission date, discharge date, dates of health care procedures or other
services, and date of death.
• The Limited Data Set must exclude ALL OTHER direct identifiers listed in HIPAA
Privacy Program Form Q:
(http://rgw.arizona.edu/sites/researchgateway/files/q_is_it_phi.pdf).
• A Limited Data Set may be used or disclosed only if there is a Data Use Agreement
between the entity providing the data and the recipient of the limited data set. A
researcher should contact the HIPAA Privacy Program if he/she needs or receives
a Data Use Agreement for a Limited Data Set.
• A researcher may need to access full PHI in order to abstract a Limited Data Set
from it for research use. Because this abstraction activity requires
access to PHI, a researcher may ONLY engage in this abstraction activity under the
following circumstances:
o The researcher must have an IRB waiver of authorization; or
o In addition to a Data Use Agreement, the researcher must enter into a
Business Associate Agreement with the Covered Entity to create the
Limited Data Set on the Covered Entity’s behalf for the researcher’s use.
IMPORTANT: Contact the HIPAA Privacy Program for assistance in this
situation.
4. Access to PHI solely for Preparation for Research
• Researchers may access PHI in the records of Covered Entities without an
Authorization or IRB Waiver of Authorization for the purposes of development of
a research protocol or assessment of feasibility of a research protocol, provided
that the researcher documents to the satisfaction of the Covered Entity’s PHI data
custodian (e.g. the medical records manager) that all the following criteria are