Your team's preparing case studies for a presentation. The source charts are full of patient identifiers. Under HIPAA, you can't share them until every identifier listed in the Safe Harbor method is removed.
HIPAA redaction is a checklist exercise. Get the list right and follow it every time.
The 18 HIPAA identifiers
Safe Harbor de-identification requires removing all 18 HIPAA identifiers: names, geographic subdivisions smaller than a state, all elements of dates (except year) directly related to an individual, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.
Proper redaction technique
Use redact PDF for permanent removal of each identifier. The underlying text is removed from the file, not just covered. Test by trying to select text in the redacted regions: if anything copies out, you haven't redacted. This step alone separates compliant redaction from amateur "black rectangle" attempts that fail audit.
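An automated version of the copy-out test, as an added example that is not part of the original article or of any tool it mentions: it scans text already extracted from the redacted file for identifiers that have a recognisable format, and honours the year-only and "90 or older" rules. The function name, the US-style patterns and the sample text are assumptions constructed for illustration.

```python
import re

MONTH = (r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?"
         r"|Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)")

# Identifiers with a recognisable format. Names, addresses and free-form record
# numbers have none and still need the manual pass. US-style formats (assumed).
PATTERNS = {name: re.compile(rx, re.I) for name, rx in {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "phone_or_fax": r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b",
    "email": r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b",
    "url": r"\bhttps?://\S+",
    "ip_address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    # Any date carrying a month or day; a bare year is allowed and not matched.
    "date": (r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2}|"
             + MONTH + r"\.?\s+\d{1,4}(?:,?\s*\d{4})?)\b"),
}.items()}

# A stated age; "90 or older" is the permitted aggregate and is skipped.
AGE = re.compile(r"\b(\d{2,3})[- ]year[- ]old\b"
                 r"|\bage[d:]?\s+(\d{2,3})\b(?!\s+or\s+older)", re.I)


def residual_identifiers(text):
    """Return sorted (category, matched_text) pairs still present in text."""
    hits = set()
    for name, rx in PATTERNS.items():
        hits.update((name, m.group(0)) for m in rx.finditer(text))
    for m in AGE.finditer(text):
        if int(m.group(1) or m.group(2)) > 89:
            hits.add(("age_over_89", m.group(0)))
    return sorted(hits)


# Constructed sample: text an extractor returned from a file whose identifiers
# were covered with rectangles instead of removed.
EXTRACTED = """\
Patient [REDACTED], a 93-year-old admitted 03/14/2023, first seen in 2021.
Contact: (555) 010-4477 or jdoe@example.org. SSN 123-45-6789.
Portal https://portal.example.org/p/4471 accessed from 192.0.2.15.
Follow-up on March 2, 2024. Cohort: aged 90 or older.
"""

if __name__ == "__main__":
    for category, value in residual_identifiers(EXTRACTED):
        print(f"{category:14} {value}")
```

An empty result clears only the pattern-based identifiers; names and indirect identifiers still need the visual check.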
Watch the indirect identifiers
The 18 listed identifiers are the start. Combinations of non-listed information can still identify a patient: a rare diagnosis combined with a specific date can re-identify someone even after the obvious identifiers are removed. For Safe Harbor compliance, also remove any other information you reasonably believe could be used to identify the individual.
Document the redaction
Maintain a redaction log per document — what was redacted, why, and by whom. For HIPAA, this isn't legally required for Safe Harbor de-identification but it's good practice. If a question ever arises about whether a document was properly de-identified, the log is your evidence.
When Safe Harbor isn't enough
Some research uses require Expert Determination de-identification — a qualified expert certifies the risk of re-identification is very small. This is a higher bar than Safe Harbor and may require statistical analysis beyond PDF redaction. For routine clinical and operational use, Safe Harbor is the standard.
FAQ
Can I leave year-only dates in a HIPAA-redacted document?
Yes — Safe Harbor allows year, but not month, day, or specific date elements related to the individual. Ages over 89 must be aggregated to '90 or older'.
What about photographs of patients?
Full-face photos and any comparable images are identifiers and must be removed. Generic anatomical photos with no facial features can stay if they're not otherwise identifying.
Is search-and-redact safe for names?
It's a useful starting point but verify visually. Names appear in different cases, with middle initials, in signature blocks, and in document metadata. Don't trust search alone.
Do I need a BAA with my PDF tool for HIPAA work?
If your tool is a Business Associate accessing PHI, yes. Browser-based tools that process locally may not require a BAA — assess against your organisation's privacy requirements.
HIPAA redaction is a discipline, not a one-off task. Use Flint's redact tool, work the checklist every time, and audit becomes a formality.