Philterd

Talk to an Expert

Tell us about your stack and the privacy problems you're trying to solve. We typically respond within one business day.

Prefer to skip the form? Pick a time on our calendar →
or send a message

← All posts

Automating HIPAA Safe Harbor: A Blueprint for Healthcare Data Pipelines

By Philter · Redaction

For healthcare CTOs and Data Protection Officers, HIPAA Safe Harbor de-identification — 45 CFR § 164.514(b)(2) — sounds simple on paper. Remove 18 specific identifier categories, and the resulting dataset is no longer considered Protected Health Information (PHI). You can share it for research, train AI on it, or move it into less-restricted infrastructure.

In practice, mechanically enforcing those 18 categories across patient narratives, clinical notes, intake forms, and the data flowing through modern AI pipelines is non-trivial. This post lays out how each of the 18 identifiers maps to a specific capability in the Philterd toolkit, and then sketches a reference architecture for three common healthcare data flows: patient data lakes, clinical research pipelines, and RAG-based medical AI systems.

The 18 Safe Harbor identifiers, mapped

HIPAA Safe Harbor requires the removal of these categories from any patient-related dataset before it can be considered de-identified. Below is the mapping to Philter capabilities. Most are covered by the built-in policy engine; a few require domain-specific configuration.

#Safe Harbor identifierPhilterd handling
1NamesNER via the Healthcare lens on PhEye, plus name-dictionary support for non-Western names
2Geographic subdivisions smaller than state (street, city, county, ZIP if pop. < 20,000)ZIP code filter with population validation, plus city/county dictionaries
3All elements of dates (except year) tied to an individualDate filter with year-only redaction or random date-shifting, configurable per policy
4Phone numbersBuilt-in phone-number detector (US and international formats)
5Fax numbersSame detector as phone, configured for fax context
6Email addressesBuilt-in email detector
7Social Security NumbersBuilt-in SSN/TIN detector with format validation
8Medical record numbers (MRN)Custom identifier filter — configure your facility's MRN format as a regex
9Health plan beneficiary numbersCustom identifier filter — payer-specific format
10Account numbersCustom identifier filter
11Certificate / license numbersDriver's license filter plus custom identifier patterns
12Vehicle identifiers and serial numbers (incl. license plates)Built-in VIN detector plus custom plate-format patterns
13Device identifiers and serial numbersCustom identifier filter (device serial-number formats vary by manufacturer)
14Web URLsBuilt-in URL detector
15IP addressesBuilt-in IPv4 and IPv6 detectors
16Biometric identifiers (finger and voice prints)Out of scope for text redaction — handled at ingestion via separate biometric storage isolation
17Full-face photographic imagesOut of scope for text redaction — handled in the imaging pipeline before text extraction
18Any other unique identifying number, characteristic, or codeCustom dictionary and identifier filters — the open-ended category that domain expertise fills in

16 of the 18 categories are addressable by text-based redaction; the two image/biometric categories require pipeline-level isolation upstream of any text extraction. The Philterd toolkit covers the textual scope of Safe Harbor with built-in detectors plus configurable custom identifier and dictionary patterns — no model retraining required to fit your facility's MRN format or your payer mix.

Reference architecture: the patient data lake

Hospitals and large health systems typically have a multi-tenant data lake collecting clinical notes, intake forms, scanned PDFs, lab reports, and operational data. The lake serves analytics teams, quality teams, and increasingly AI/ML teams. None of those downstream consumers should be reading raw PHI.

     EHR / ADT feeds            Scanned PDFs / docs
            │                            │
            ▼                            ▼
     ┌────────────────┐         ┌────────────────────┐
     │  raw-clinical  │         │  raw-documents     │  (raw zone; locked
     │   (HL7 / FHIR) │         │  (PDF, DOCX, TXT)  │   to compliance only)
     └───────┬────────┘         └─────────┬──────────┘
             │                            │
             ▼                            ▼
        ┌──────────────────────────────────────┐
        │  Philter (Safe Harbor policy)        │ ◀── policies/hipaa-sh.json
        │  + Phinder pre-scan for discovery    │
        └────────────────┬─────────────────────┘
                         │
                         ▼
              ┌──────────────────────┐
              │  deidentified-zone   │  (research / analytics access)
              └──────────────────────┘
                         │
                  ┌──────┴──────┐
                  ▼             ▼
              Analytics      AI / ML feature store

Two things to call out:

  • Phinder runs as a pre-scan over the raw zones on a nightly basis. It produces an inventory of which entity types appear in which files, so the privacy team has a current map of where PHI lives in the raw lake. The inventory itself contains no PHI — just counts.
  • Philter is the only consumer of the raw zone that writes to the de-identified zone. ACLs prevent any other read path. Downstream consumers (analytics, ML) only touch the de-identified zone.

Reference architecture: clinical research pipelines

Research workflows have a unique constraint: the de-identified data still has to be useful for science. Stripping every potentially-sensitive token destroys the dataset; keeping too much keeps you out of compliance. This is where Philter's per-entity strategies matter most:

  • Names are replaced with consistent synthetic names (Patient_A47 stays Patient_A47 across every mention in the document set, so longitudinal analysis still works).
  • Dates are shifted by a per-patient random offset (preserving intervals between events for the same patient, so "discharge happened 4 days after admission" survives even though both dates change).
  • ZIPs are truncated to three digits where the leading 3-digit prefix represents a population > 20,000.
  • MRNs are mapped to synthetic IDs via a one-way hash, so the researcher can join across tables without ever seeing the real MRN.

The deliverable is a research-ready dataset that satisfies an IRB and an OCR auditor simultaneously. Philter Scope produces the precision/recall report that goes into the IRB packet, with measurements specific to the dataset rather than vendor-quoted averages — we covered why generic benchmarks aren't useful here.

Reference architecture: medical RAG systems

The newest pattern is retrieval-augmented generation over medical documents: a clinician asks a natural-language question, an LLM retrieves relevant chart notes, and answers. The privacy challenge is acute — the retrieval step pulls real chart text, and unless that text is sanitized, the LLM provider sees raw PHI.

The recommended pattern: redact at ingestion (when documents enter the vector store) and re-redact at inference (when the LLM call goes out), with both stages using the same Safe Harbor policy:

  Chart notes ────▶ Philter (Safe Harbor) ────▶ Embed ────▶ Vector store
                                                                │
                                                                ▼
  Clinician query ────▶ Retrieval ────▶ Top-K chunks (already redacted)
                                              │
                                              ▼
                                   Philter AI Proxy ────▶ LLM provider
                                   (defense-in-depth pass)

The Philter AI Proxy sits between the application and the LLM provider (OpenAI, Anthropic, Bedrock) as the last line of defense. Even if the vector store ingestion missed something, the proxy redacts before the prompt leaves your network. The application code doesn't change — you point your OpenAI client at the proxy URL and the rest is automatic.

Operating the pipeline

Three habits separate a Safe-Harbor pipeline that passes an audit from one that fails:

  1. Treat the policy as code. Version-control the HIPAA Safe Harbor policy alongside your application code. Every change goes through PR review by a clinical-informatics lead, and CI runs Philter Scope against a gold-standard set to prove the change doesn't drop recall — we have a full piece on what that CI pipeline looks like.
  2. Monitor the live stream. Phield tracks the volume and entity-type distribution of detections in production. A sudden drop in MRN detections doesn't mean the pipeline got better — it usually means an upstream system changed format and your custom identifier pattern stopped matching.
  3. Keep a discovery cadence. Run Phinder against new storage locations monthly. New vendor feeds, new S3 buckets, new shared drives appear faster than you think. The discovery report is the artifact OCR will ask for if they ever come knocking.

The bottom line

HIPAA Safe Harbor isn't a one-time data transformation — it's a continuous process across every pipeline that touches patient text. The 18 identifiers map cleanly to Philterd capabilities, but the value comes from wiring them into the architecture as automated, monitored stages rather than ad-hoc scripts run by an analyst.

Healthcare and life-sciences teams are our largest consulting practice; we've done Safe Harbor deployments across health systems, clinical research organizations, and pharma. If you'd like help mapping your specific data flows to a Safe Harbor blueprint — or want a precision/recall evaluation on your real chart notes before committing to an approach — get in touch.