HIPAA de-identification under 45 CFR §164.514(b) requires removing 18 specific categories of Protected Health Information (PHI). Every cloud-based de-identification tool creates a data transmission risk — and a potential Business Associate Agreement (BAA) obligation. anonym.plus eliminates both: all PHI processing happens locally on your machine, and the tool is not a Business Associate under HIPAA.
HIPAA De-Identification: Two Approved Methods
The HIPAA Privacy Rule (45 CFR §164.514) specifies two compliant de-identification approaches:
Safe Harbor Method (§164.514(b))
Remove all 18 enumerated identifier categories AND have no actual knowledge that the remaining information could be used to identify an individual. This is a checklist-based approach requiring no statistical expertise.
Expert Determination Method (§164.514(a))
A qualified statistical or scientific expert applies generally accepted principles to certify that the risk of identifying an individual is very small. More flexible — allows retention of some identifiers if the statistical analysis supports it. Requires documented expert justification.
For most organizations, Safe Harbor is the practical choice. It provides a clear, defensible compliance standard without requiring statistical expertise for each dataset.
The 18 HIPAA Safe Harbor Identifiers
All 18 categories must be removed for Safe Harbor de-identification:
| # | Identifier Category | anonym.plus Detection |
|---|---|---|
| 1 | Names | ✓ PERSON entity type |
| 2 | Geographic data smaller than state (address, ZIP code, geocodes) | ✓ LOCATION, STREET_ADDRESS, US_ZIP entities |
| 3 | Dates (except year) related to individuals — admission, discharge, DOB, death date | ✓ DATE_TIME entity type |
| 4 | Phone numbers | ✓ PHONE_NUMBER |
| 5 | Fax numbers | ✓ PHONE_NUMBER (includes fax) |
| 6 | Email addresses | ✓ EMAIL_ADDRESS |
| 7 | Social Security Numbers | ✓ US_SSN |
| 8 | Medical record numbers | ✓ MEDICAL_LICENSE, custom entity support |
| 9 | Health plan beneficiary numbers | ✓ US_ITIN, custom entity |
| 10 | Account numbers | ✓ IBAN_CODE, CREDIT_CARD, custom entity |
| 11 | Certificate/license numbers | ✓ MEDICAL_LICENSE, custom regex entities |
| 12 | Vehicle identifiers and serial numbers | ✓ Custom entity (regex pattern) |
| 13 | Device identifiers and serial numbers | ✓ Custom entity (regex pattern) |
| 14 | Web URLs | ✓ URL entity type |
| 15 | IP addresses | ✓ IP_ADDRESS |
| 16 | Biometric identifiers (fingerprints, voice prints) | ✓ OCR-based text detection for labeled biometric references |
| 17 | Full-face photographs and comparable images | ✓ Image mode: OCR detects labeled photo references in documents |
| 18 | Any other unique identifying number, characteristic, or code | ✓ Custom entities: define regex patterns for facility-specific identifiers |
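
A check a reviewer could run on output that has already been de-identified, to catch pattern-based identifiers a detection pass missed. This is an added example, not anonym.plus or Presidio code: the entity labels follow the table above, while the regexes, the `FACILITY_MRN` label, the `MRN-1234567`-style record format and the sample note are simplified assumptions constructed for illustration.

```python
import re

# Safe Harbor category number -> (entity label, pattern). Labels follow the
# table above; the regexes are simplified assumptions for this example and are
# not the recognizers that anonym.plus or Presidio ship.
RESIDUAL_PATTERNS = {
    2: ("US_ZIP", r"\b\d{5}(?:-\d{4})?\b"),
    3: ("DATE_TIME", r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    4: ("PHONE_NUMBER", r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    6: ("EMAIL_ADDRESS", r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    7: ("US_SSN", r"\b\d{3}-\d{2}-\d{4}\b"),
    14: ("URL", r"\bhttps?://[^\s<>]+"),
    15: ("IP_ADDRESS", r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Hypothetical facility-specific record number format (category 8 / 18).
    8: ("FACILITY_MRN", r"\bMRN-\d{7}\b"),
}

# Constructed sample: de-identified output in which three identifiers were
# missed. A bare year is left in place, since the dates category excepts the year.
DEID_NOTE = (
    "Patient <PERSON> (MRN-0042317) admitted <DATE_TIME>, discharged 03/14/2023.\n"
    "Contact: <PHONE_NUMBER>, <EMAIL_ADDRESS>. Portal login from 192.0.2.44.\n"
    "Year of birth 1957 retained. Follow-up in ZIP <US_ZIP>.\n"
)


def audit_residual_identifiers(text, patterns=RESIDUAL_PATTERNS):
    """Return (category, label, matched_text) for every pattern hit, in text order."""
    hits = []
    for category, (label, regex) in patterns.items():
        for match in re.finditer(regex, text):
            hits.append((match.start(), category, label, match.group()))
    return [(cat, label, found) for _, cat, label, found in sorted(hits)]


if __name__ == "__main__":
    for cat, label, found in audit_residual_identifiers(DEID_NOTE):
        print(f"Safe Harbor category {cat:>2} ({label}): {found!r}")
```

An empty result only means none of these patterns matched; names and other free-text identifiers still need NER-based detection and human review.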
Why No Business Associate Agreement is Required
A HIPAA Business Associate is defined at 45 CFR §160.103 as a person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. The critical word is transmits.
anonym.plus processes PHI entirely on your local machine. No PHI is created, received, maintained, or transmitted by anonym.plus or any third party. The NLP engine (Presidio + spaCy) runs as a local process. No document content reaches any network endpoint.
Because anonym.plus never handles PHI on your behalf — it only provides software that runs locally — it is not a Business Associate under 45 CFR §160.103. No BAA is required, available, or applicable.
Frequently Asked Questions
What are the 18 HIPAA Safe Harbor identifiers?
Names; geographic subdivisions below state; dates (except year); phone numbers; fax numbers; email addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers; full-face photos; any other unique identifying code. All must be removed for Safe Harbor de-identification.
Does using anonym.plus require a HIPAA BAA?
No. anonym.plus is not a Business Associate (45 CFR §160.103) because it does not create, receive, maintain, or transmit PHI. All processing is local. No PHI leaves your device. No BAA is required or offered.
Does anonym.plus cover all 18 HIPAA Safe Harbor identifiers?
Yes. Built-in entity types cover identifiers 1–11 and 14–15. Custom entity types (up to 50) with regex patterns cover identifiers 12–13 and 18. Image mode with OCR covers document-embedded photo and biometric references. See the detected entities table above for the full mapping.