Awareness article
De-Identified Data vs PHI
How de-identified data differs from PHI, why partial redaction is not enough, and what healthcare teams should verify before treating data as outside HIPAA.
Short answer
De-identified data is data that no longer identifies the individual under HIPAA’s de-identification standards. Removing a name alone is not enough if the remaining dates, codes, locations, or other details can still point back to a person.
Why teams misclassify de-identified data
Teams often remove one obvious field and assume the data is no longer regulated. That is risky when the record still includes dates, rare diagnoses, small geographic detail, or other combinations that can re-identify the person.
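An added example, not part of the original article: a small check that counts how many name-stripped records are still unique on combinations of the remaining fields. The field names, sample rows, and threshold `k` are constructed assumptions, and the result is a screening signal only, not a HIPAA de-identification determination.

```python
from collections import Counter

# Constructed sample records: the name field has already been removed.
# Field names (admit_date, zip, dx_code) are assumptions for this example.
RECORDS = [
    {"admit_date": "2023-03-14", "zip": "60614", "dx_code": "E11.9"},
    {"admit_date": "2023-03-14", "zip": "60614", "dx_code": "E11.9"},
    {"admit_date": "2023-03-14", "zip": "60614", "dx_code": "I10"},
    {"admit_date": "2023-03-15", "zip": "60614", "dx_code": "I10"},
    {"admit_date": "2023-03-15", "zip": "60657", "dx_code": "I10"},
    {"admit_date": "2023-04-02", "zip": "59011", "dx_code": "E75.22"},  # rare diagnosis
]


def group_sizes(records, fields):
    """Count how many records share each combination of values in `fields`."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)


def singled_out(records, fields, k=2):
    """Return indexes of records whose value combination occurs fewer than k times."""
    sizes = group_sizes(records, fields)
    return [
        i for i, r in enumerate(records)
        if sizes[tuple(r.get(f) for f in fields)] < k
    ]


def report(records, field_sets, k=2):
    """Map each field set to the indexes of the records it singles out."""
    return {fields: singled_out(records, fields, k) for fields in field_sets}


if __name__ == "__main__":
    field_sets = [
        ("admit_date",),
        ("zip",),
        ("dx_code",),
        ("admit_date", "zip"),
        ("admit_date", "zip", "dx_code"),
    ]
    for fields, hits in report(RECORDS, field_sets).items():
        print(f"{' + '.join(fields):32} unique records: {hits}")
```

Record 2 shares its date, ZIP, and diagnosis code with other rows when each field is checked alone, yet it is the only row with that combination of all three.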
Related pages
Use Limited Data Set for the middle ground, PHI in AI Tools if the question is prompt data, and /security for the broader data-handling posture.