<Dd> 2 . Obtain the expertise of an experienced statistical expert to validate and document the statistical risk of re-identification is very small (Statistical Method). </Dd> <P> De-identified data is coded, with a link to the original, fully identified data set kept by an honest broker . Links exist in coded de-identified data making the data considered indirectly identifiable and not anonymized . Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule . The purpose of de-identification and anonymization is to use health care data in larger increments, for research purposes . Universities, government agencies, and private health care entities use such data for research, development and marketing purposes . </P> <P> In general, US law governing PHI applies to data collected in the course of providing and paying for health care . Privacy and security regulations govern how healthcare professionals, hospitals, health insurers and other Covered Entities use and protect the data they collect . It is important to understand that the source of the data is as relevant as the data itself when determining if information is PHI under U.S. law . For example, sharing information about someone on the street with an obvious medical condition such as an amputation is not restricted by US law . However, obtaining information about the amputation exclusively from a protected source, such as from an electronic medical record, would breach HIPAA regulations . </P> <P> Covered Entities often use third parties to provide certain health and business services . If they need to share PHI with those third parties, it is the responsibility of the Covered Entity to put in place a Business Associate Agreement that holds the third party to the same standards of privacy and confidentiality as the Covered Entity . </P>

Protected health information refers to which of the following