HIPAA Policy Section 4.13: De-identified Information
De-identified Information shall not be subject to the protections and rights set forth in this Manual, but an identifying code shall be.
4.13(1) De-identified Information Is Not PHI
For all purposes, De-identified Information is not PHI and therefore shall not be subject to this Manual as PHI, provided that Subsection 4.13(2) of this Section is not violated.
4.13(2) Use of Identifying Code for Re-identification
If System creates De-identified Information, System may assign a code (or other means of record identification) to allow such information to be re-identified by System, provided that such code is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual. System shall not Use or Disclose such code, except that System may Use or Disclose to a Business Associate such code in order to re-identify the De-identified Information for purposes consistent with this Manual. Disclosure of a code must be approved by the Privacy Officer.
45 C.F.R. §§ 164.502(d)(2), 164.514(a)-(c)