De-Identifying PHI For HIPAA


I have a SQL DB which contains PHI, hosted on AWS. I want to access this data to perform analytics; however, I must de-identify the data first to comply with HIPAA.

How should I approach this? I have thought of a few approaches:

  1. Simply de-identify the DB with SQL commands.
  2. From now on, every time the DB is added to, add a de-identified version of that data to another DB. Then access this DB for analytics.
  3. From now on, every time the DB is added to, add a de-identified version of that data to another table in that DB. Then access this table with SQL commands for analytics.

Which is the best approach to use to maintain compliance with HIPAA? Or, is there a better way?

Thanks!