Developers and HIPAA

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service?


Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified PHI (assuming they have been directed by the covered entity to de-identify the information in the first place)?

Tags (If you have a multi-word tag, add a hyphen (-) between the words.)


3 votes
3 up votes
0 down votes
Question No. 11