This post was flagged by the community and is temporarily hidden.
HIPAA provides two methods for de-identifying PHI: (i) safe harbor and (ii) expert determination.
Safe harbor is a strict set of rules and includes the age restriction you mention above.
Expert determination is more ambiguous than safe harbor. Under this method you have an expert certify that a dataset is de-identified but there are no hard/fast rules for how it must be done. It’s possible to have a dataset that is certified as de-identified through expert determination that has people with ages > 90.
Expert determination aside, the way we have done this in the past following safe harbor is to create an age variable connected to each encounter (e.g. AdmitAge) and set the age to 89 for any patient with a real age > 90. That way you have a static age variable.