When is de-identification sufficient to avoid using PHI in research under HIPAA?

• A. De-identification is optional for all data.
• B. De-identification guarantees that data cannot be re-identified under any circumstance.
• C. De-identification removes or masks identifiers, making PHI no longer present, allowing research use without authorization.
• D. De-identification means encrypting identifiers but keeping PHI.

Answer: (C)

De-identification removes or masks the identifying elements that tie data to a specific person, so the information no longer constitutes PHI. Under HIPAA, you can use de-identified data for research without obtaining patient authorization if the data meet approved standards (either the safe harbor method—removing 18 identifiers—or an expert determination confirming there’s no reasonable way to identify individuals). When done properly, the data are not PHI, which means researchers can use them without the HIPAA authorization step.

That’s why the best choice is the one that states de-identification removes identifiers and makes PHI no longer present, enabling research use without authorization. Encryption alone, or keeping PHI while just encrypting identifiers, does not meet de-identification standards. De-identification isn’t optional, and it doesn’t guarantee there’s no possibility of re-identification in every circumstance.