Industries & Practices

Health Care Industry

    Back

    HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information - § 164.502(d)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations
    Creation of De-identified Information - § 164.502(d)

     

    (d) Standard: Uses and disclosures of de-identified protected health information—(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.

    (2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that:

    (i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

    (ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.

     

    HHS Description
    General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information

     

    In proposed § 164.506(d) of the NPRM, we proposed to permit use of protected health information for the purpose of creating de-identified information and we provided detailed mechanisms for doing so.

    In § 164.502(d) of the final rule, we permit a covered entity to use protected health information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. We clarify that de-identified information created in accordance with our procedures (which have been moved to § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of protected health information. See the preamble to § 164.514(a) for further discussion.

     

    HHS Response to Comments Received
    General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information

     

    Comments on the requirements for de-identifying information are addressed in the preamble to § 164.514(a)-(c).