The De-identification Standard
Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
Sections 164(b) and (c) of the Privacy rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. The Privacy Rule provides two (2) methods by which health information can be designated as de-identified.
De-identified: Information that has some or all individually identifiable health information identifiers (see “identifiers” above) removed in accordance with 45 CFR 164.514; no longer considered to be Protected Health Information.
As an alternative to using fully de-identified information HIPAA makes provisions for a “limited data set” from which direct identifiers (like name and address) have been removed, but not indirect ones (such as age). Limited data sets require data use agreement with the party to which it is provided.