45 CFR 164.514 Explained: HIPAA's Rules on De-Identification, Re-Identification, and Limited Data Sets
De-Identification Standard Overview
Under 45 CFR 164.514, health information stops being protected health information (PHI) when it no longer identifies an individual and you have no reasonable basis to believe it can identify someone. Once de-identified, the HIPAA Privacy Rule no longer applies to that data.
For covered entity compliance, your policies should make clear who may create de-identified data, how you document your method, and how you verify the “no reasonable basis” standard is met. If you rely on Safe Harbor, you must also confirm you have no actual knowledge that the remaining data could identify a person.
Because de-identified data is not PHI, accounting of disclosures obligations do not apply to it. However, any process that uses PHI to produce de-identified outputs still requires appropriate protected health information safeguards until de-identification is complete.
De-Identification Methods Explained
Expert determination method
With expert determination, a qualified expert applies generally accepted statistical or scientific principles to conclude the risk of re-identification is “very small” for the anticipated recipient. You must keep documentation of the expert’s methods and results. The approach supports flexible techniques such as generalization, suppression, and controlled perturbation while preserving data utility.
Institutional Review Board review is not required by HIPAA for de-identification, but your organization or the Common Rule may still call for IRB involvement in certain research contexts. Plan for this early to avoid project delays.
Safe Harbor identifiers
With Safe Harbor, you remove specific data elements and ensure you have no actual knowledge the remaining data can identify an individual. You must delete these 18 Safe Harbor identifiers for the individual and their relatives, employers, or household members:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except the initial three ZIP digits when the combined area has more than 20,000 people; otherwise use 000
- All elements of dates (except year) for dates directly related to an individual, and all ages over 89 (aggregate as “age 90 or older”)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., finger and voice prints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code, except as permitted for re-identification codes
Safe Harbor is deterministic and straightforward to audit. Use it when you need a bright-line approach and can tolerate the loss of detail from removing these identifiers.
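The list above is a removal-and-generalization procedure, so it can be expressed as a transformation over a record. The following Python is an added example written for this page, not code from the article or from any HIPAA tooling. The field names, the sample record, and the set of small-population ZIP prefixes are constructed assumptions (HHS derives the real prefix list from Census data); the "no actual knowledge" check in the Safe Harbor standard is a human judgement and is not modelled here.

```python
# Added example (not from the article): a Safe Harbor transformation under 45 CFR 164.514(b)(2).
# Field names, the sample record and the restricted ZIP prefixes are CONSTRUCTED assumptions.
import re
from datetime import date

# Direct identifiers from the article's list that are removed outright (field names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_template", "photo",
}

# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# HHS publishes the real list from Census data; this set is a CONSTRUCTED placeholder.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless the prefix is a small-population area."""
    if zip_code is None:
        return None
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return "000"          # malformed input: fail closed rather than release a partial code
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year."""
    if value is None:
        return None
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def safe_harbor(record):
    """Return a new record with the Safe Harbor identifier classes removed or generalized."""
    out = {}
    over_89 = record.get("age") is not None and record["age"] > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # For ages over 89 the rule also removes the year of dates (such as a birth date)
            # that would reveal that age, so the birth year is withheld for those records.
            out[field + "_year"] = None if (over_89 and field == "dob") else year_only(value)
        elif field == "age":
            out["age"] = "90 or older" if over_89 else value
        else:
            out[field] = value                         # clinical content is retained
    return out


def sample_record():
    """A CONSTRUCTED patient record used to demonstrate the transformation."""
    return {
        "name": "Jane Example",
        "street_address": "1 Example St",
        "city": "Cambridge",
        "zip": "02139-1234",
        "dob": "1929-05-06",
        "age": 94,
        "admit_date": "2023-11-02",
        "ssn": "000-00-0000",
        "mrn": "MRN-EXAMPLE-1",
        "diagnosis_code": "I10",
    }


if __name__ == "__main__":
    print(safe_harbor(sample_record()))
```

The transformation is deterministic, which is what makes Safe Harbor easy to audit: the same input always yields the same output, and a reviewer can check each rule against the regulation's list. Note that the sample record is 94 years old, so both the age and the birth year are withheld, not just the age.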
Re-Identification Code Implications
HIPAA allows you to assign a re-identification code so the covered entity can later link de-identified records back to individuals if needed. The code must not be derived from or related to information about the individual and must not be otherwise translatable to identity. You also may not disclose the mechanism (e.g., key, algorithm) that enables re-identification, and you may not use or disclose the code for any other purpose.
Practically, choose a random, non-derivative token (for example, a secure random ID stored in a separate lookup table). Under Safe Harbor, avoid codes derived from identifiers, such as a hash of a Social Security number. If you pursue a derived tokenization scheme (e.g., keyed hashing) to support linkage across datasets, do so under the expert determination method with strong key controls and without disclosing the re-identification mechanism to recipients.
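The distinction between a random, non-derivative code and a derived (keyed) token is easiest to see in code. The following Python is an added example for this page, not code from the article; the record layout, the identifier field name and the sample data are constructed assumptions.

```python
# Added example (not from the article): issuing re-identification codes in the manner
# described for 45 CFR 164.514(c). Record layout, identifier field and sample data are CONSTRUCTED.
import hashlib
import hmac
import secrets


def assign_reid_codes(records, identifier_field="mrn"):
    """Replace the identifier with a random code that is not derived from the person.

    Returns (released records, lookup table). The lookup table is the re-identification
    mechanism: it stays with the covered entity and is never disclosed to recipients.
    """
    lookup = {}
    released = []
    for record in records:
        code = secrets.token_urlsafe(16)      # 128 bits from the OS CSPRNG, unrelated to the individual
        while code in lookup:                 # collisions are astronomically unlikely; handle them anyway
            code = secrets.token_urlsafe(16)
        lookup[code] = record[identifier_field]
        out = {k: v for k, v in record.items() if k != identifier_field}
        out["reid_code"] = code
        released.append(out)
    return released, lookup


def reidentify(code, lookup):
    """Covered-entity-only operation: resolve a code back to the original identifier."""
    return lookup.get(code)


def keyed_token(identifier, key):
    """HMAC-SHA256 tokenization for linkage across datasets.

    This is a DERIVED code, so it is not a Safe Harbor re-identification code; the article
    places schemes like this under expert determination, with the key held only by the
    covered entity. Without the key the token cannot be translated back to the identifier,
    but anyone holding the key can recompute it, which is why the key must never be shared.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def sample_records():
    """CONSTRUCTED records with a direct identifier that must not leave the covered entity."""
    return [
        {"mrn": "MRN-EXAMPLE-1", "diagnosis_code": "I10", "birth_year": 1975},
        {"mrn": "MRN-EXAMPLE-2", "diagnosis_code": "E11", "birth_year": 1982},
    ]


if __name__ == "__main__":
    released, lookup = assign_reid_codes(sample_records())
    print(released)                       # what the recipient sees: no MRN, only a random code
    print(reidentify(released[0]["reid_code"], lookup))   # only possible with the lookup table
```

The lookup table and the HMAC key play the same role: each is the mechanism the regulation says you may not disclose. Store them separately from the released data, restrict access to them, and record every use, since re-identification is itself a use of PHI.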
Limited Data Set Definition and Uses
A limited data set (LDS) is still PHI. It excludes direct identifiers (like names, full addresses, phone numbers, and full-face photos) but may retain certain details that Safe Harbor would remove—such as dates (e.g., dates of service) and general geography (city, state, ZIP). This balance often preserves analytic value for research, public health, and health care operations.
Permitted uses of an LDS are limited to research, public health activities, and health care operations. Before disclosure, you must have a compliant data use agreement (DUA) with the recipient. The minimum necessary standard and appropriate PHI safeguards still apply throughout the data lifecycle.
Accounting of disclosures obligations do not apply to disclosures of PHI that are part of a limited data set made under a DUA. Even so, maintain an internal inventory of DUAs and recipients to support oversight and audit readiness.
Data Use Agreement Requirements
Your DUA must set clear boundaries for how the recipient uses and protects the LDS. At minimum, it must:
- Specify permitted uses and disclosures consistent with research, public health, or operations
- Identify who is permitted to use or receive the LDS
- Require the recipient not to use or further disclose the LDS except as permitted or required by law
- Require appropriate safeguards to prevent unauthorized uses or disclosures
- Require prompt reporting to the covered entity of any non-permitted use or disclosure
- Bind agents and subcontractors to the same restrictions and conditions
- Prohibit re-identifying the information or contacting individuals
Compliance and enforcement
If you know a recipient engages in a pattern of material noncompliance, you must take reasonable steps to cure it or end the violation. If unsuccessful, you must stop disclosing PHI to that recipient and report the issue to regulators as required. Build these steps into your data use agreement provisions and your incident response playbook.
Re-Identification Risk Management
Even after de-identification or creation of an LDS, re-identification risk is never zero. A pragmatic program blends technical, administrative, and contractual controls to keep risk “very small.”
Technical controls
- Adopt suppression and generalization rules; consider k-anonymity, l-diversity, or t-closeness where appropriate under expert determination
- Review quasi-identifiers (e.g., rare diagnoses, fine-grained locations) and adjust cell-size thresholds for small cohorts
- Monitor linkage risk against reasonably available external data
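The first two technical controls can be measured directly: k-anonymity is the size of the smallest group of records sharing the same quasi-identifier values, l-diversity is the fewest distinct sensitive values in any such group, and a cell-size threshold is the k below which a group is suppressed. The following Python is an added example for this page, not code from the article; the quasi-identifier names, the sensitive field and the sample rows are constructed assumptions, and the choice of k remains a judgement made under expert determination.

```python
# Added example (not from the article): k-anonymity, l-diversity and cell-size suppression
# over quasi-identifiers. Quasi-identifier names, sensitive field and rows are CONSTRUCTED.
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")


def cell_key(record, quasi_identifiers):
    """The combination of quasi-identifier values that defines a record's cell."""
    return tuple(record.get(q) for q in quasi_identifiers)


def cell_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Number of records sharing each combination of quasi-identifier values."""
    return Counter(cell_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k is the size of the smallest cell: every record is indistinguishable from k-1 others."""
    sizes = cell_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0


def l_diversity(records, sensitive, quasi_identifiers=QUASI_IDENTIFIERS):
    """l is the fewest distinct sensitive values found in any cell."""
    values = defaultdict(set)
    for r in records:
        values[cell_key(r, quasi_identifiers)].add(r.get(sensitive))
    return min(len(v) for v in values.values()) if values else 0


def suppress_small_cells(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Record suppression: drop rows whose cell has fewer than k members.

    Returns (kept, dropped) so the suppressed count can be documented with the release.
    """
    sizes = cell_sizes(records, quasi_identifiers)
    kept, dropped = [], []
    for r in records:
        (kept if sizes[cell_key(r, quasi_identifiers)] >= k else dropped).append(r)
    return kept, dropped


def sample_records():
    """CONSTRUCTED rows, already generalized to 3-digit ZIP and birth year."""
    return [
        {"zip3": "021", "birth_year": 1975, "sex": "F", "diagnosis_code": "I10"},
        {"zip3": "021", "birth_year": 1975, "sex": "F", "diagnosis_code": "E11"},
        {"zip3": "021", "birth_year": 1975, "sex": "F", "diagnosis_code": "I10"},
        {"zip3": "021", "birth_year": 1980, "sex": "M", "diagnosis_code": "C34"},
        {"zip3": "021", "birth_year": 1980, "sex": "M", "diagnosis_code": "C34"},
        {"zip3": "100", "birth_year": 1990, "sex": "F", "diagnosis_code": "J45"},  # unique cell
    ]


if __name__ == "__main__":
    rows = sample_records()
    print("k before suppression:", k_anonymity(rows))
    kept, dropped = suppress_small_cells(rows, k=2)
    print("k after suppression:", k_anonymity(kept), "records dropped:", len(dropped))
    print("l-diversity on diagnosis:", l_diversity(kept, "diagnosis_code"))
```

Running it shows why both measures matter: after dropping the one unique row the release is 2-anonymous, but the male 1980 cell still carries a single diagnosis, so l-diversity is 1 and anyone who can place a person in that cell learns the diagnosis. Generalizing further (for example, coarser birth-year bands) or raising the threshold are the usual remedies, and the resulting cell counts belong in the expert determination documentation.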
Administrative and contractual controls
- Limit access to datasets on a need-to-know basis and log all disclosures
- Use DUAs that prohibit re-identification and onward sharing, and mandate protected health information safeguards
- Align with Institutional Review Board review where required by your institution or other applicable regulations
Operational practices
- Continuously re-evaluate risk when data, recipients, or public data sources change
- Train teams on Safe Harbor identifiers, expert determination criteria, and re-identification code rules
- Keep documentation for expert determinations and any transformations applied
Combining Data Use and Business Associate Agreements
Whether a recipient is a business associate depends on what it does. If a party performs functions or services for you that involve PHI (e.g., analytics supporting your operations), it is a business associate and needs a BAA. If you disclose an LDS solely for the recipient’s independent research or public health work, the recipient typically is not your business associate and a DUA alone may suffice.
To streamline compliance where both roles apply, you may combine a DUA and a business associate agreement into a single instrument, provided it fully satisfies both sets of requirements. If you engage a business associate to create the limited data set for you, ensure the BAA covers that work and the downstream DUA governs the recipient’s subsequent use.
Conclusion
45 CFR 164.514 gives you two clear paths to de-identification and a practical middle ground with limited data sets. Choose the method that fits your use case, document your approach, and back it with strong safeguards, well-drafted agreements, and ongoing risk monitoring. Done well, you can unlock data utility while maintaining compliance and trust.
FAQs
What methods are allowed for de-identification under 45 CFR 164.514?
Two methods are permitted: expert determination (a qualified expert documents that re-identification risk is very small) and Safe Harbor (you remove the 18 specified identifiers and have no actual knowledge the remaining data could identify someone). Either path, when properly applied, produces data that is no longer PHI.
How does a limited data set differ from fully de-identified data?
A limited data set is still PHI and requires a data use agreement. It may include dates and general geography (city, state, ZIP) and other quasi-identifiers, but it must exclude direct identifiers like names and full addresses. Fully de-identified data falls outside HIPAA; it requires no DUA and is not subject to HIPAA’s accounting of disclosures or minimum necessary rules.
What are the requirements of a data use agreement for limited data sets?
Your DUA must set permitted uses/disclosures; identify who may use or receive the data; require safeguards; require reporting of any non-permitted use/disclosure; bind agents to the same terms; and prohibit re-identification and contacting individuals. You must stop disclosures and take corrective steps if you learn of material noncompliance.
Can re-identification codes be used without IRB approval?
Yes. HIPAA expressly permits re-identification codes so the covered entity can link de-identified records later, without needing IRB approval. The code cannot be derived from or related to the individual, and you may not disclose the re-identification mechanism. Separate from HIPAA, your institution or the Common Rule may still require IRB review depending on the research design.