de-identify PHI using the HIPAA Safe Harbor method by removing all 18 identifier categories

Verified steps

1. Identify all data fields in your dataset and map them against the 18 Safe Harbor identifier categories: names, geographic data smaller than state, all dates (except year) for individuals over 89, phone numbers, fax numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying numbers or codes.
2. Remove or generalize each identified field: drop direct identifiers entirely; truncate ZIP codes to 3 digits (or suppress if the 3-digit ZIP has fewer than 20,000 people); replace full dates with year only (or remove for patients over 89).
3. Suppress any free-text fields (clinical notes, comments) or apply NLP-based named-entity recognition to detect and redact identifiers embedded in unstructured text.
4. Verify that no remaining combination of fields could reasonably identify an individual; the Safe Harbor method requires you to have no actual knowledge that the remaining information could be used to identify a person.
5. Document your de-identification process, the fields removed or transformed, and the date of de-identification to support compliance audits.
6. If using Expert Determination instead of Safe Harbor, engage a qualified statistician to apply statistical methods and document that re-identification risk is very small.