We read the article Research using electronic health records: balancing confidentiality and public good by Wallis et al. with great interest. The authors note general practices need to trust de-identification processes when releasing patient records.¹ Patients have also expressed concerns about de-identification practices.² De-identification encompasses a wide range of practices, and there are no universally accepted standards.²,³ We propose here a three-step scheme for judging de-identified health records: (1) the de-identification standards used (2) the performance of the de-identification system and (3) additional security measures taken to prevent re-identification. Such a scheme may be useful to ethics committees, researchers planning a project and health providers deciding whether to participate.