Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.
Under the first method, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered de-identified.The Rule also allows a covered entity to enter into a data use agreement for sharing a limited data set.There are also separate provisions for how PHI can be used or disclosed for activities preparatory to research and for research on decedents' information.It is important to note that there are circumstances in which health information maintained by a covered entity is not protected by the Privacy Rule.PHI excludes health information that is de-identified according to specific standards.However, the Privacy Rule permits a covered entity to assign to, and retain with, the health information a code or other means of record identification if that code is not derived from or related to the information about the individual and could not be translated to identify the individual.
The covered entity may not use or disclose the code or other means of record identification for any other purpose and may not disclose its method of re-identifying the information.
The Privacy Rule describes the ways in which covered entities can use or disclose PHI, including for research purposes.
In general, the Rule allows covered entities to use and disclose PHI for research if authorized to do so by the subject in accordance with the Privacy Rule.
Where PHI is needed for research activities, the Privacy Rule permits its use and disclosure if certain standards are met.
These standards are discussed in the following sections.
In addition, in certain circumstances, the Rule permits covered entities to use and disclose PHI without Authorization for certain types of research activities.