[authors: M. Leeann Habte, James R. Kalyvas, Alexandre C. Nisenbaum, R. Michael Scarano Jr.]
On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (OCR) released long-overdue guidance on how covered entities subject to the Health Insurance Portability and Accountability Act (HIPAA) can de-identify protected health information (PHI) for research, comparative effectiveness studies, policy assessment, life sciences research, and other secondary uses. This guidance provides responses to industry questions on the methods through which the HIPAA de-identification standard should be implemented. While providing a more detailed discussion of methodological issues associated with de-identification, this guidance falls short of establishing an approved approach to de-identification. As a result, it raises additional questions about the potential risks to a covered entity associated with release of de-identified information.