Actually, if you read that, they aren't government mandated methods (in the technical sense) there's an option of either using a government-specified safe harbor method or getting an "expert determination" that the data is deidentified.
I should have said "there is a government mandated method, but that's not the only way" It's more of a starting point than anything else. Also if you get HIPAA audited you either have to follow the government way (easiest for broke startups) or go the expert way but that is a bit more costly to prove out.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-...