hipaa-deidentification
HIPAA De-Identification Methods — 45 CFR §164.514(a)-(b)
Overview
De-identification is the process by which protected health information (PHI) is stripped of identifying elements such that it no longer identifies an individual and there is no reasonable basis to believe it can be used to identify an individual. Under 45 CFR §164.514(a), health information that has been de-identified is no longer PHI and is not subject to the HIPAA Privacy Rule. HIPAA provides two permissible methods for de-identification: expert determination (§164.514(b)(1)) and safe harbor (§164.514(b)(2)). The choice of method depends on the nature of the data, the intended use, and the organization's risk tolerance and resources. OCR published detailed guidance on de-identification methods in November 2012 (updated September 2023), providing extensive clarification on both methods.
Legal Framework
Definition of De-Identified Information — §164.514(a)
Health information is de-identified if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. The standard is met by applying either the expert determination or safe harbor method.
Key Distinction: De-Identification vs Anonymization
HIPAA uses the term "de-identification" rather than "anonymization." De-identified data under HIPAA may still carry some theoretical re-identification risk — the standard is "no reasonable basis" to believe identification is possible, not absolute impossibility. This contrasts with GDPR's concept of anonymization, which requires irreversibility.