Imo the law basically says you can do this with PHI:
-De-identify it then do whatever you want with it
-use it to provide some service for the covered entity, but not for anyone else
-enter a special research contract if you want to use it slightly de-identified for some other specific purpose
One note is that the act of deidentification itself requires accessing PHI when done retroactively, this may be institutional policy or specific to covered entities but per the privacy office lawyers such access (apart from a small dataset) requires a permitted use to be accessible in order to then deidentify and use freely.
As with all things HIPAA, this only becomes a problem when HHS starts looking and Iām sure in practice many people ignore this tidbit (if in fact this is the law and not Stanford policy).
-De-identify it then do whatever you want with it -use it to provide some service for the covered entity, but not for anyone else -enter a special research contract if you want to use it slightly de-identified for some other specific purpose