This is the second in a series of three articles whose focus is to assist Institutional Review Boards in providing guidance to investigators and research administrators who need to comply with data sharing requirements. This article begins with a discussion of how data are prepared for data sharing. We then proceed to the data sharing provisions of the Privacy Rule of the Health Insurance Portability and Accountability Act. (1996) Next, we turn to the topic of deindentification and show why the mere removal of names and addresses may be insufficient to deidentify data- and would, therefore, preclude data sharing under HIPAA and the National Institute of Health confidentiality provisions. An example of a reidentifcation technique is provided. The final section briefly looks at some of the elements of a risk evaluation.