Originally published in Law360 on November 29, 2012

The U.S. Department of Health and Human Services recently affirmed the validity of the current methods for scrubbing patient records of identifying data under existing medical privacy law, a move that forces health care companies to thoroughly strip records of even seemingly innocuous forms of personal information, attorneys say.

In order to comply with a 2009 congressional mandate, HHS' Office of Civil Rights on Monday published long-awaited guidance on how health insurers, clearinghouses and medical providers can satisfy the two methods for data de-identification contained within the privacy rule of the Health Insurance Portability and Accountability Act, which was established in 2000. Companies benefit from the de-identification process because the use and disclosure of this type of data is exempt from HIPAA regulations and can be used for medical research and other general purposes.