Skip to main content
Compliance Program

Compliance Program

Limited Datasets

Data use agreement

  • A limited data set is protected health information that excludes certain identifiers but permits the use and disclosure of more identifiers than in a de-identified data set. In particular, the limited data set allows the inclusion of all dates, 5 digit ZIP codes, and city as indirect identifiers.
  • A limited data set may be used only for the purposes of research, public health, or health care operations.
  • UC Davis Health System may use or disclose limited data set information only if it enters into a valid data use agreement.
  • The following identifiers must be excluded from a limited data set (for individual, relatives, employers, and household members):
    • Names
    • Postal address information, other than town or city, state, and ZIP code
    • Telephone numbers
    • Fax numbers
    • Electronic mail addresses
    • Social security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger and voice prints
    • Full face photographic images and any comparable images.
  • A limited data set can include a link field to allow the covered entity to re-identify the individual. The link field for a limited data set can be derived from the direct identifiers. For example, Initials + sequence number is a valid link field, as is an encrypted SSN.
  • The limited data set is subject to the minimum necessary section of HIPAA.
  • The limited data set is not subject to disclosure accounting.
  • UC Davis Health System has developed a model data use agreement to be used whenever it intends to disclose protected health information for research, public health, or health care operations. In order to protect protected health information to the greatest extent possible, the use and disclosure of the protected health information may be limited by the purpose statements in the data use agreement.
  • If an outside entity creates the limited data set, it must first sign a business associate agreement with UC Davis Health System.
  • If a UC employee creates the limited data set, that employee, will, for that purpose, be a member of the UC Davis Health System workforce, and shall complete appropriate HIPAA training and follow applicable UC Davis Health System policy regarding health information.

The data use agreement must be filled out and signed by recipient. It also must be signed by UC Davis Health System contracts director Annie Wong ( (916) 734-8808). 

The data use agreement:

  • lists the permitted uses and disclosures
  • establishes who is permitted to use or receive data
  • provides that the researcher will not use or further disclose the information other than as permitted by the agreement or as required by law
  • requires appropriate safeguards to prevent unpermitted use or disclosure
  • requires a report to the Health System of any unpermitted uses or disclosures
  • requires that any agents to whom the investigator provides the data agrees to the same restrictions and conditions
  • prohibits recipients from identifying the information or contacting the individuals.