The HITECH Act modifies the HIPAA Privacy Rule requirement so that covered entities are in compliance if PHI access, use, and disclosure are limited to either the minimum necessary or a "limited data set." The HIPAA Privacy Rule previously required that access to and disclosure of protected health information (PHI) be limited to the minimum necessary, with some exceptions, such as for treatment.
The Privacy Rule does permit a covered entity to use and disclose PHI in a limited data set. This can be done without the individual's authorization for research, public health, and the covered entity's healthcare operations. A limited data set must not include any direct identifiers for the individual, relatives, household members, or employers, including name, address, telephone, fax, e-mail, social security number, full-face photos, certificate/license number, vehicle identifiers, serial numbers, URLs, and IP addresses.