Safe Harbor ain’t gonna cut it
There are two ways to deidentify data to satisfy HIPAA:
- Safe Harbor, 164.514(b)(2), and
- Expert Determination, 164.514(b)(1).
And for reasons explained here, you may need to be concerned with HIPAA even if you're not a "covered entity" under the statute.
To comply with Safe Harbor, your data may not contain any of eighteen categories of information. Most of these are obvious: direct identifiers such as name, phone number, email address, etc. But some restrictions under Safe Harbor are less obvious and more difficult to comply with.
For example, under Safe Harbor you need to remove
All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
This would make it impossible, for example, to look at seasonal trends in medical procedures because you would only have data to the resolution of a year. But with a more sophisticated approach, e.g. differential privacy, it would be possible to answer such questions while providing better privacy for individuals. See how here.
If you need to comply with HIPAA, or analogous state laws such as TMPRA, and you can't follow Safe Harbor, your alternative is expert determination. If you'd like to discuss expert determination, let's talk.