The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance that seeks to address common questions about how entities can de-identify protected health information as required by the Health Insurance Portability and Accountability Act (HIPAA). The guidance provides insight into HHS' expectations for how HIPAA's rules should apply to paper and digital records. De-identification involves stripping any personal health information (PHI) from documents that could link health information to individuals. There are two methods for de-identifying data contained in HIPAA, the expert determination method and the safe harbor method. Though the guidance acknowledges that neither method is fail-safe, when PHI is de-identified using either of these methods, it may be used or disclosed without restriction under HIPAA.
More information on de-identification methods may be found here.