De-identified data exception in HIPAA poses a litigation risk