OK, so do you have examples of "An entity acquiring deidentified data, if they can get other data and reidentify the deidentified data, they can do whatever they want with it." actually happening, outside of academic articles?
Specifically: can I go to a data broker, today, in the US, and obtain records under my name that were derived from entirely de-identified data, that has been re-identified by the data broker?
I've been talking about legality, not what is in the wild (other people have made claims about what's happening in the wild, but some of those seem to be conflating direct release of PHI, reidentification of deidentified data, and other issues).
> from entirely de-identified data
What do you mean by “entirely de-identified”? That sounds like you are referring to the HIPAA safe harbor option (which specifies an extensive array of things which must be completely purged), rather than the alternative HIPAA “expert certification of low risk” option. The problem is that the latter has the exact same legal effect as the former, though the only reason to ever use it is because the data isn't entirely de-identified.
The risk is with legally de-identified data, which is not restricted to entirely de-identified data.
Why does it have to be entirely re-identified data? You seem to get all of the "value" under discussion by correlating de-identified PHI with normal non-restricted non-PHI.