The Statement That Trips Up Even Experienced Compliance Officers

Here's a question I've watched rooms full of healthcare professionals get wrong: Is de-identified health information subject to the Privacy Rule? The majority raise their hands and say yes. They're wrong, and that misunderstanding has real consequences.

Properly de-identified health information is not subject to the HIPAA Privacy Rule. Once the data has been stripped of the 18 identifier categories listed in 45 CFR 164.514(b) and the covered entity has no actual knowledge that what remains could identify an individual, or once a qualified expert has documented that the risk of re-identification is very small, it is no longer protected health information (PHI). That means a covered entity can use it, share it, and analyze it without Privacy Rule restrictions.

But here's the catch I've seen trip up dozens of organizations: the de-identification has to be done correctly. If you cut corners, you're handling PHI without safeguards — and OCR won't care that you thought you'd de-identified it.

What De-Identification Actually Means Under HIPAA

45 CFR 164.514 of the Privacy Rule lays this out with unusual clarity. Health information is de-identified when there is no reasonable basis to believe the information can be used to identify an individual. The rule provides exactly two methods for getting there.

The Safe Harbor Method: Remove All 18 Identifiers

This is the approach most organizations try first. You strip out 18 specific categories of identifiers from the data set: names; all elements of dates (other than year) directly related to the individual, such as birth, admission, discharge and death dates; all ages over 89, which must be collapsed into a single "90 or older" category along with any date element (including year) that would reveal such an age; geographic subdivisions smaller than a state, except for the first three digits of a ZIP code where that prefix covers more than 20,000 people; phone numbers; email addresses; Social Security numbers; medical record numbers; device identifiers and serial numbers; and the rest of the list detailed in HHS's guidance on de-identification.

The second prong is that the covered entity must have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify a person. This is where most failures happen. I've reviewed data sets where organizations removed names and full dates but left in a three-digit ZIP prefix, a rare diagnosis, and an age. Safe Harbor already requires that prefix to be replaced with 000 when it covers 20,000 people or fewer, and even where the prefix is permitted, if your own analysts can see that the combination points at one person in a rural county, you have actual knowledge and the data is not de-identified. That combination is a flashing neon sign pointing at one person.

The Expert Determination Method: Statistical Certification

The second path requires a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable. That expert applies those methods and determines that the risk of identifying any individual, alone or in combination with other reasonably available information, is "very small." The expert must document the methods and the results of the analysis that justify that determination.

This route is more flexible, since you may be able to keep data elements the Safe Harbor method would force you to remove, but it's also more expensive and requires genuine expertise in disclosure risk. I've seen organizations hire someone with a master's degree in public health and call it expert determination. The rule names no particular credential, so the degree itself is not the problem; the problem is the absence of a documented, defensible risk analysis, and that won't hold up if OCR comes knocking.

Why "De-Identified Health Information Is Subject to the Privacy Rule" Is a Trick Statement

Let me be direct about why this question appears on workforce training exams and certification tests: it's designed to test whether you understand the boundary of the Privacy Rule's jurisdiction.

The statement "de-identified health information is subject to the Privacy Rule" is false. Once information qualifies as de-identified under either the Safe Harbor or Expert Determination method, the Privacy Rule simply does not apply to it. The data is no longer PHI. It's no longer ePHI. A covered entity or business associate can use it without authorization, without minimum necessary analysis, and without breach notification obligations. One caveat: the act of de-identifying is itself a use of PHI, so a business associate may only perform it if its business associate agreement permits.

This distinction matters enormously for research institutions, health systems running analytics programs, and any organization sharing data with third parties. Understanding it correctly is a core competency for your workforce — and it's covered in depth in our HIPAA training catalog.

The Re-Identification Trap That Creates Liability

Here's what I've seen go sideways in practice. An organization de-identifies a data set. Checks all the boxes. Ships it to a research partner or a vendor. Then the recipient combines that data with other publicly available information — voter rolls, social media profiles, commercial data brokers — and suddenly individuals are identifiable again.

The Privacy Rule addresses this in two ways. First, the standard itself: under Safe Harbor you must have no actual knowledge that the remaining data could be combined with other information to identify someone, and under Expert Determination the expert must account for other reasonably available information. Second, 45 CFR 164.514(c) allows a covered entity to assign a code or other means of record identification for later re-identification only if the code is not derived from or related to information about the individual, is not otherwise capable of being translated to identify the individual, and is not used or disclosed for any other purpose. The mechanism for re-identification must not be disclosed to the recipient of the de-identified data.

A code that breaks those conditions, for example a hash of the medical record number or a key that ships with the data, means the data set was never truly de-identified in the first place. And that means you just disclosed PHI without authorization.
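The following Python example, added here and not part of the original article, walks one constructed patient record through the Safe Harbor transformation described above (drop direct identifiers and sub-state geography, keep only the year of dates, collapse ages over 89 into "90+", truncate ZIP codes to three digits or 000) and assigns a re-identification code that satisfies the 45 CFR 164.514(c) conditions: random, unrelated to the patient, and stored in a mapping that is never shipped with the data. It goes one step beyond the text with a uniqueness check over the quasi-identifiers that remain, which is an internal review aid for the "actual knowledge" prong rather than a HIPAA requirement. The field names, the sample records, and the set of low-population ZIP prefixes are all this example's own assumptions.

```python
"""Safe Harbor de-identification with a separately held re-identification code.

Added example, not from the original article. Field names, sample records and
the low-population ZIP prefix set are constructed for illustration.
"""
import secrets
from collections import Counter
from datetime import date

# Fields removed outright: direct identifiers plus geography below state level.
# ASSUMPTION: these field names are this example's own schema, not a standard.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "device_serial", "ip_address",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}

# ASSUMPTION: placeholder set of three-digit ZIP prefixes whose combined
# population is 20,000 or fewer; Safe Harbor requires these to become "000".
# Populate from current Census Bureau data before real use.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Quasi-identifiers that survive Safe Harbor and can still single someone out.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "age", "diagnosis_code")


def safe_harbor(record: dict, reference: date) -> dict:
    """Return a Safe Harbor-transformed copy of one patient record."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS and k != "zip"}

    # Age as of the reference date; ages over 89 collapse into "90+", and the
    # birth year is dropped too because it would reveal that age.
    birth = record.get("birth_date")
    age = None
    if birth is not None:
        age = reference.year - birth.year - (
            (reference.month, reference.day) < (birth.month, birth.day))
    if age is not None and age >= 90:
        out["age"], out["birth_year"] = "90+", None
    else:
        out["age"], out["birth_year"] = age, (birth.year if birth else None)

    # Other dates: keep the year only.
    for field in DATE_FIELDS - {"birth_date"}:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year

    # ZIP: first three digits, or "000" where the prefix is too sparsely populated.
    zip5 = record.get("zip")
    if zip5:
        zip3 = zip5[:3]
        out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
    return out


def assign_reid_code(record: dict, key_store: dict) -> str:
    """Random code per 164.514(c): not derived from patient data, not
    translatable back on its own. The mapping lives only in key_store, which
    stays with the covered entity and is never sent to the data recipient."""
    code = secrets.token_hex(16)
    key_store[code] = record["mrn"]
    return code


def flag_unique_combinations(rows, fields=QUASI_IDENTIFIERS):
    """Review aid, not a HIPAA requirement: rows whose quasi-identifier
    combination appears exactly once are the 'rural county' cases a human
    should look at before asserting no actual knowledge of identifiability."""
    key = lambda r: tuple(r.get(f) for f in fields)
    counts = Counter(key(r) for r in rows)
    return [r for r in rows if counts[key(r)] == 1]


def deidentify_dataset(records, reference=date(2024, 1, 1)):
    """Transform every record and return (de-identified rows, re-id key store)."""
    key_store, rows = {}, []
    for r in records:
        row = safe_harbor(r, reference)
        row["reid_code"] = assign_reid_code(r, key_store)
        rows.append(row)
    return rows, key_store


# Constructed sample input (not real patients).
SAMPLE_RECORDS = [
    {"mrn": "MRN-1001", "name": "Jane Doe", "email": "jane@example.com",
     "birth_date": date(1931, 5, 4), "admit_date": date(2023, 3, 14),
     "zip": "03601", "diagnosis_code": "E11.9"},
    {"mrn": "MRN-1002", "name": "John Roe", "phone": "555-0100",
     "birth_date": date(1980, 9, 20), "admit_date": date(2023, 7, 1),
     "zip": "98101", "diagnosis_code": "E11.9"},
    {"mrn": "MRN-1003", "name": "Ann Poe", "ssn": "000-00-0000",
     "birth_date": date(1980, 2, 2), "admit_date": date(2023, 8, 9),
     "zip": "98109", "diagnosis_code": "E11.9"},
]

if __name__ == "__main__":
    rows, keys = deidentify_dataset(SAMPLE_RECORDS)
    for row in rows:
        print(row)
    print("needs human review:", flag_unique_combinations(rows))
```

Run as-is, the first record (a 92-year-old in a low-population ZIP prefix) comes out as age "90+", no birth year and ZIP 000, and the review aid flags it as the only row whose remaining quasi-identifiers are unique. The key store is what step four below is about: it is the one artifact that must never travel with the data.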

The Distinction Between "De-Identified" and "Limited Data Sets"

I frequently see organizations confuse these two concepts. A limited data set has had direct identifiers removed but still contains some identifying elements: full dates, geographic information down to city, state and five-digit ZIP code, and ages. It is still PHI, it is subject to the Privacy Rule, and it may be disclosed only for research, public health or health care operations under a data use agreement that meets 45 CFR 164.514(e).

De-identified data requires no data use agreement because the Privacy Rule doesn't govern it. If your data set still contains any element Safe Harbor requires you to remove and you haven't gone through expert determination, you're working with a limited data set at best, and full PHI at worst.

Real Enforcement: When De-Identification Claims Didn't Hold Up

OCR has not issued a blockbuster settlement specifically labeled as a de-identification failure. But several major enforcement actions involved organizations that claimed data was de-identified or anonymized when it wasn't.

In 2018, an HHS administrative law judge upheld $4.3 million in civil money penalties against the University of Texas MD Anderson Cancer Center over unencrypted ePHI on lost and stolen devices. Part of the institution's defense involved arguments about the nature of the data on those devices; the administrative law judge wasn't persuaded. (The Fifth Circuit later vacated the penalty in 2021, but on grounds unrelated to whether the data was PHI.) The principle OCR applied is the one that matters here: when data retains identifiers or can be linked back to individuals, it's PHI, period. You can review OCR's enforcement results on the HHS breach enforcement page.

The lesson: claiming data is de-identified doesn't make it so. OCR looks at what's actually in the data, not what your internal memo calls it.

Five Steps to Get De-Identification Right in Your Organization

  • Inventory your data flows. Know exactly which data sets leave your organization and what identifiers they contain.
  • Choose your method deliberately. Safe Harbor is simpler but more restrictive. Expert Determination is flexible but requires real expertise. Don't default — decide.
  • Document everything. If you use Safe Harbor, document the removal of each of the 18 identifier categories. If you use Expert Determination, keep the expert's written certification and methodology.
  • Separate re-identification keys. If you maintain a code that could link de-identified data back to individuals, lock it down. Never share it with the data recipient.
  • Train your workforce. Everyone who touches data — analysts, researchers, IT staff, administrators — needs to understand what de-identification requires. Our HIPAA workforce training courses cover this with scenario-based exercises.

The Question Your Compliance Team Should Ask Today

Walk into your analytics department or your research office and ask one question: "Show me how we de-identified this data set." If the answer is vague — "We removed names" or "The vendor handles that" — you have a gap.

Proper de-identification is a process with documentation requirements. It's not a label you slap on a spreadsheet. Under the Privacy Rule's framework at 45 CFR Part 164, Subpart E, the standards are specific and auditable.

The Bottom Line on De-Identified Data and the Privacy Rule

Properly de-identified health information is not subject to the Privacy Rule. That's the correct answer. But "properly" is doing an enormous amount of work in that sentence.

If your organization shares data externally, runs research programs, or works with analytics vendors, the de-identification question isn't academic. It's the difference between a compliant data-sharing arrangement and an unreported breach of PHI.

Get the process right. Document it. Train your people. And never assume that removing a few columns from a spreadsheet means you've met the standard HHS set out. Because if OCR ever reviews your data practices, they'll look at what's in the data — not what you called it.

Explore our full HIPAA training catalog to find courses that cover de-identification, the Privacy Rule, and PHI handling for every role in your organization.