De-identify FHIR resources using the Safe Harbor method for analytics use cases

Verified steps

1. Apply the HIPAA Safe Harbor de-identification standard by removing or generalizing the 18 categories of identifiers specified in 45 CFR §164.514(b)(2): names, geographic data smaller than state, dates more specific than year (except age for those over 89), phone, fax, email, SSN, MRN, health plan numbers, account numbers, certificate/license numbers, VINs, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any unique identifying number.
2. For FHIR Patient resources, remove or null-out: name, identifier[], birthDate (retain year only or convert to age band), address (retain only state/country-level), telecom[], and photo.
3. For Observation and Condition resources, generalize effective dates to year or year-month; remove any free-text fields that may contain re-identifying information (note, text.div).
4. For DocumentReference and DiagnosticReport, either remove clinical note attachments entirely or run them through a clinical NLP de-identification service before including them.
5. Invoke the FHIR server's $de-identify operation if supported, or apply transformations programmatically using a validated de-identification library; record the de-identification method applied.
6. Validate the de-identified dataset by sampling records and checking that no 18 Safe Harbor identifiers remain; document the process for your organization's privacy officer review.