Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service?
Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified PHI (assuming they have been directed by the covered entity to de-identify the information in the first place)?
Voting on Ideas
Vote for your favorite ideas by clicking on the up arrow.To undo an upvote, simply click the arrow again. This second click removes your vote.