De-Identification Best Practices
Best practices for configuring and validating de-identification to ensure HIPAA compliance and protect patient privacy.
HIPAA Safe Harbor
Remove all 18 HIPAA identifiers:
- Names
- Dates (except year)
- Phone/fax numbers
- Email addresses
- SSN, MRN, account numbers
- IP addresses
- Biometric identifiers
- Photos
- Geographic subdivisions smaller than state
Validation
- Review sample de-identified records
- Test with known PHI examples
- Measure recall and precision
- Document validation results
Configuration
- Use conservative profiles for maximum privacy
- Test on representative data samples
- Monitor for false positives/negatives
- Regular profile updates