Pharmacy-claims de-identification is the removal of patient and member IDs from a claims extract. It meets UK GDPR Art. 9 and DPA 2018. anonym.plus does this locally. The fill and cost fields stay; the data no longer names the policyholder.
When this applies
A claims extract ties many fills to one named member with a plan number. For analytics, you strip the IDs but keep the medicine, cost, and fill timing.
How anonym.plus handles it
- Point anonym.plus at the extract on your device.
- It scans ID columns and any free-text notes.
- Member names, plan numbers, and dates get flagged.
- Confirm the flags; the medicine and cost stay as non-IDs.
- Swap IDs with a steady map to keep row joins.
- Save the clean dataset; the source stays on your machine.
What you need to provide
- The extract as CSV, JSON, or a bundle of files.
- A column map for member and plan ID fields.
- Replace with a steady map to keep table joins.
Patient data entity types detected
| Category | anonym.plus entity type | Example |
|---|---|---|
| Names | PERSON | member_name → [MEMBER_n] |
| Identifiers | NATIONAL_ID | plan no. → [PLAN_ID] |
| Dates | DATE_TIME | fill_date → shifted [DATE] |
| Record IDs | MEDICAL_RECORD_NUMBER | claim no. → [CLAIM_ID] |
| Location | LOCATION | postcode → [POSTCODE] |
| Identifiers | NHS_NUMBER | NHS no. → [NHS_NUMBER] |
Compliance achieved
- Strips identifiers under UK GDPR Art. 9 & DPA 2018.
- Anonymisation assessed per the ICO Anonymisation Code.
- Keeps the fill and cost fields, which are not member identifiers.
Anonymise pharmacy claims offline — see plans & start free →
Limitations & cautions
A full postcode can identify a small area. Truncate it where the ICO motivated-intruder test requires. The medicine and cost stay. Test a sample before a full run, and check that date-shift keeps the gaps your analysis needs.
Frequently asked questions
Can claims stay linkable after the swap?
Yes. A steady label map swaps each ID the same way, so rows for one member still join while no real identity is left.
Are the medicine and cost fields kept?
Yes. They are not member identifiers, so they stay. Only the personal ID types are removed.
Why work locally rather than in the cloud?
Sending raw claims to a cloud tool is itself a disclosure with breach risk. Local work skips that risk; the data stays on your device.