From a summary on HHS.gov it says "De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information." Maybe someone with more knowledge could expand on the limitations of what counts as "De-Identified" but I think that might work. I followed the reference and nothing in the CFR jumps out at me, but I'm not a lawyer so who knows.
