Question 25
UnclassifiedWhich statement about de-identified data is most accurate in U.S. privacy practice?
Correct answer: B
Explanation
U.S. privacy practice treats data as de-identified only when it is no longer reasonably linkable to an individual, meaning the risk of re-identification has been adequately addressed. This matches the core standard that de-identification depends on reducing the chance that the data can be linked back to a person.
Why each option is right or wrong
A. Data is de-identified whenever direct identifiers are removed, regardless of reidentification risk
B. Data can be treated as de-identified only if the risk of linking it back to a person is adequately addressed
Under the HIPAA Privacy Rule, data are not treated as de-identified unless the covered entity removes the identifiers listed in 45 C.F.R. § 164.514(b)(2) or obtains expert determination under § 164.514(b)(1) that the risk of re-identification is very small. The standard is therefore not mere masking or anonymization in name only; the linkage risk must be sufficiently reduced so the information is no longer reasonably identifiable to a person.
C. De-identified data may never be used for analytics
D. De-identified data automatically becomes public information