Comments: One commenter wanted to know if the rule requires that covered entities retain the ability to re-identify de-identified information.
Response: The rule does not require covered entities to retain the ability to re-identify de-identified information, but it does allow them to retain this ability.
Comments: A few commenters asked us to prohibit anyone from re-identifying de-identified health information.
Response: We do not have the authority to regulate persons other than covered entities, so we cannot affect attempts by entities outside of this rule to re-identify information. Under the rule, we permit the covered entity that created the de-identified information to re-identify it. However, we include a requirement that, when a unique record identifier is included in the de-identified information, such identifier must not be such that someone other than the covered entity could use it to identify the individual (such as when a derivative of the individual's name is used as the unique record identifier).