> By the terms of the law (of which I am far too familiar), if you did this you would generate PHI
You can't generate PHI if you aren't a covered entity.
> By the terms of the law (of which I am far too familiar), if you did this you would generate PHI
You are wrong. If an entity that is not a covered entity acquires deidentified data and reidentifies it, it can do whatever it wants with it under HIPAA.
Wouldn't the entities you're describing be Health Clearinghouses?
"""Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity."""
My read is that the entities I'm describing would fall under this. If you can point to a specific example which you believe violates this (not an anecdote, I'm talking about investigative journalism or a court case or an academic with credentials in this area), I'd love to hear about it.
> Wouldn't the entities you're describing be Health Clearinghouses?
No, a clearinghouse is (to summarize the definition you posted from the regs) an intermediary between providers and/or payers in handling transactions for which standards exist under HIPAA.
They receive PHI in either standard or nonstandard forms, transform it to or from standard forms if necessary and transmit it on; it's PHI the whole time through that function.
An entity acquiring deidentified data (which is explicitly not PHI under HIPAA, that's the whole point of deidentification) is not (for that reason) a clearinghouse, and if they can get other data and reidentify the deidentified data, they can do whatever they want with it.
The theory of deidentification is that the risk of this is minimal (indeed, other than scrubbing virtually everything that could possibly be used to reassociate the data, the only way for PHI to be deidentified is to get a notionally-qualified expert to certify a very low risk of reidentification.)
The problem is that all such certifications are based on a faulty premise: if data is not completely scrubbed so that reidentification without having essentially the equivalent to the original PHI is impossible, the risk of reassociation is almost never very low, because the process is automatable and the marginal cost is near zero.
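The point made above, that a "low risk" certification is fragile unless the quasi-identifiers are actually generalized away, is easy to see with a small k-anonymity check. The following is an added example, not code posted by anyone in this thread; it runs over a constructed set of records (fake ZIPs, dates and diagnoses) and the `generalize` step is a simplified, hypothetical stand-in for the safe-harbor rules (three-digit ZIP, year of birth only), not a full implementation of them.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: direct identifiers (name, SSN, MRN) already removed,
# but full date of birth, 5-digit ZIP and sex retained, as a release under
# an "expert determination" might keep them.
RECORDS: List[Dict[str, str]] = [
    {"zip": "02138", "dob": "1961-07-31", "sex": "F", "dx": "hypertension"},
    {"zip": "02138", "dob": "1961-03-12", "sex": "F", "dx": "asthma"},
    {"zip": "02138", "dob": "1975-11-02", "sex": "M", "dx": "diabetes"},
    {"zip": "02139", "dob": "1975-06-20", "sex": "M", "dx": "asthma"},
    {"zip": "02139", "dob": "1961-07-31", "sex": "F", "dx": "migraine"},
    {"zip": "02141", "dob": "1983-01-15", "sex": "M", "dx": "diabetes"},
    {"zip": "02141", "dob": "1983-09-09", "sex": "M", "dx": "hypertension"},
    {"zip": "02142", "dob": "1961-12-25", "sex": "F", "dx": "asthma"},
]

# Attributes that are not identifiers on their own but, combined, are often
# unique per person and therefore linkable to public non-PHI data sets.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "dob", "sex")


def equivalence_classes(records: Iterable[Dict[str, str]],
                        keys: Tuple[str, ...]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records: List[Dict[str, str]], keys: Tuple[str, ...]) -> int:
    """Smallest equivalence class: every record is hidden among at least k others."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_fraction(records: List[Dict[str, str]], keys: Tuple[str, ...]) -> float:
    """Fraction of records whose quasi-identifier combination is unique in the set.
    A unique combination is one a single outside record could be joined against."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for n in classes.values() if n == 1)
    return singletons / len(records)


def generalize(record: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical, simplified safe-harbor-style generalization (assumption, not
    the regulation's exact rules): keep three ZIP digits and year of birth only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


def risk_report(records: List[Dict[str, str]],
                keys: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Dict[str, float]:
    """Compare linkage exposure of the data set before and after generalization."""
    generalized = [generalize(r) for r in records]
    return {
        "k_before": k_anonymity(records, keys),
        "unique_before": unique_fraction(records, keys),
        "k_after": k_anonymity(generalized, keys),
        "unique_after": unique_fraction(generalized, keys),
    }


if __name__ == "__main__":
    for name, value in risk_report(RECORDS).items():
        print(f"{name}: {value}")
```

On the constructed sample every record is unique on (ZIP, DOB, sex) before generalization, so the data set is 1-anonymous and each row is joinable against any outside record carrying those three fields; after generalization the smallest class has two members and no row is unique. The metric is crude (it ignores the population outside the data set), but it shows why a certification should be tied to the actual quasi-identifiers retained rather than to the absence of names.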
OK, so do you have examples of "An entity acquiring deidentified data, if they can get other data and reidentify the deidentified data, they can do whatever they want with it." actually happening, outside of academic articles?
Specifically: can I go to a data broker, today, in the US, and obtain records under my name that were derived from entirely de-identified data, that has been re-identified by the data broker?
I've been talking about legality, not what is in the wild (other people have made claims about what's happening in the wild, but some of those seem to be conflating direct release of PHI, reidentification of deidentified data, and other issues.)
> from entirely de-identified data
What do you mean by “entirely de-identified”? That sounds like you are referring to the HIPAA safe harbor option (which specifies an extensive array of things which must be completely purged), rather than the alternative HIPAA “expert certification of low risk” option. The problem is that the latter has the exact same legal effect as the former, though the only reason to ever use it is because the data isn't entirely de-identified.
The risk is with legally de-identified data, which is not restricted to entirely de-identified data.
Why does it have to be entirely re-identified data? You seem to get all of the "value" under discussion by correlating de-identified PHI with normal non-restricted non-PHI.