Skip to main content

User Guide

Setting HIPAA Privacy Rules

This section describes how to use the Generalize Date rule to de-identify a dataset containing details about the age of individuals, such that it is compliant with HIPAA Privacy Rules.

To be compliant with HIPAA Privacy Rules following the Safe Harbor method, an Individual’s Age and Date data must be de-identified following HIPAA guidelines. In summary, the guidelines are:

  • If a person is under the age of 90 their date of birth needs to be generalized to only show the year. If the person is 90 or older then the date of birth needs to be generalized to only show that they are 90 or older.

For more information about de-identification requirements for patient data, refer to the HIPAA Safe Harbor field requirements.

In Privitar, the HIPAA requirement to de-identify a dataset so that it is compliant with the HIPAA Privacy rule for an Individual’s Age and Date, can be achieved using the Generalize Date rule. This rule can be used replace a date with a constant date, if the input date is outside of a user-defined date range.

The date-range can be specified as an Absolute date or as a Relative date. The default input date format is yyyy-MM-dd.

For more information about the options available for use with the Generalize Date rule, see Generalize Date.

Setting the HIPAA Privacy Rule

To set the HIPAA Privacy Rule in Privitar, configure the Generalize Date rule as follows:

  • Generalization Behavior - set to 01-01-Original value

  • Masking Behavior - set to either Absolute date or Relative date:

    • Absolute date:

      • Set constant before a date.

        If date is before, 1930-12-11, set date to 1930-01-01,

      • Set constant after a date.

        Do not set.

    • Relative date:

      • Set constant before a date.

        If date is, 90 years before today, set date to 1930-01-01,

Setting the HIPAA Privacy Rule in the API

The following JSON file shows how to set the HIPAA Privacy Rule in Privitar using an Absolute date. In this example, the Absolute date is set to 1930-12-18. That is, 90 years earlier than the date, 2020-12-18. Dates later than this are generalized to <Original-value>-01-01:

{
  "team": {
	"id": "031c4fd3"
  },
  "name": "hipaa",
  "type": "GENERALIZE_DATE",
  "properties": {
	"minDate": "1930-12-18",
	"minDateReplacement": "1930-01-01",
	"generalizedMonthReplacement": 1,
	"generalizedDayReplacement": 1
  }
}

The following JSON file shows how to set the HIPAA Privacy Rule in Privitar using a Relative date. In this example, the Relative date is set to 90 years (minDateDelta and deltaUnit). That is, 90 years earlier than the current date. Dates later than this are generalized to <Original-value>-01-01:

{
  "team": {
	"id": "031c4fd3"  
  },  
  "name": "hipaa",
  "type": "GENERALIZE_DATE",
  "properties": {
	"minDateDelta": "90",
	"deltaUnit": "years",
	"minDateReplacement": "1930-01-01",
	"generalizedMonthReplacement": 1,
	"generalizedDayReplacement": 1  
  }
}
In this section: