The HIPAA Privacy Rule protects Protected Health Information (PHI) by permitting only specific uses and disclosures of PHI allowed by the Rule, or as authorized by the subject of the information. However, a covered entity may create a de-identified dataset from PHI by following the HIPAA Privacy Rule's de-identification standard. The Health Information Privacy & Compliance Office and the IRB strongly encourage the use of de-identified datasets whenever possible.
To create a de-identified dataset that meets the HIPAA de-identification standard, a specific list of identifiers and derivatives of identifiers of individuals, as well as their relatives, employers, and household members must be removed. There can be no knowledge that the remaining information can be used alone or in combination with other information to identify the individual.