HIPAA explicitly allows for the de-identification of PHI and prescribes two methods for carrying it out. Data that has been de-identified by one of these methods is no longer PHI, and HIPAA does not govern how it is used or where it is shared.
The two methods HIPAA defines for de-identification of PHI are:
HIPAA also allows for the re-identification of de-identified data. A covered entity may assign a code or other means of record identification so that it can later re-identify the data, provided the code is not derived from or related to information about the individual (a hash of a Social Security number, for example, does not qualify) and cannot otherwise be translated to identify the individual. The code, and any algorithm or mechanism used to re-identify the data, must not be disclosed or used for any other purpose; sharing them is a violation of HIPAA. In essence, the means of re-identification needs to be handled like PHI.
Business associates, which increasingly are technology companies that support covered entities, cannot de-identify data unless the business associate agreement (BAA) explicitly permits it. This is often a point of contention in negotiations between technology companies and covered entities.
In short: there are prescribed methods for de-identifying PHI, and once data is de-identified by one of them, HIPAA no longer applies to it. If you are a business associate, check your BAA before de-identifying anything.