De-identification Specification — Stratum Platform
Date: 2026-04-08 Status: Draft — Requires attorney review before first use Method: HIPAA Safe Harbor (45 CFR §164.514(b)(2)) Version: 1.0Purpose
This document specifies how Stratum de-identifies precedent objects and associated appeal data before any external disclosure. "External disclosure" includes:- Case study or research publication
- Tier 3 marketplace sharing (cross-tenant precedent access)
- Partner data sharing under research BAAs
- Any export to a third party not covered by a signed BAA Data accessed internally under a valid BAA by authorized users does NOT require de-identification prior to access. The PHI validation middleware (
- Payer name (Anthem, Cigna, etc.) — not a patient identifier
- Denial type (Medical Necessity, Level of Care, etc.)
- Level of care (PHP, IOP, SUD Residential, etc.)
- Criteria source (MCG, InterQual, ASAM, LOCUS)
- Outcome (Won, Lost, Partial)
- Win reason
- Evidence score
- Service year (not full date)
- State (not sub-state geography)
- 42 CFR Part 2 flag (
data_origin_type,sharing_restrictions) - Narrative templates and policy references (already abstracted, no identifiers)
- Export via de-id transform
- Residual scan passes (zero hits)
- Attorney review of exported dataset before submission
- Publication outlet must be notified data is de-identified (not PHI)
- All precedents in marketplace clusters pass de-id transform at index time
- No raw PHI is ever included in marketplace payloads
- Cross-tenant access limited to de-identified records
- BAA governs relationship regardless — de-id is additive protection
- BAA executed and stored before any data transfer
- Data transfer via de-id export only
- Partner must maintain their own HIPAA compliance program
- CMS Medicare/Medicaid claims data (payer, LOC, service year, state — publicly queryable)
- SAMHSA TEDS-A/TEDS-D (Treatment Episode Data Set — payer type, LOC, state, diagnosis category)
- State all-payer claims databases (WA-APCD, NY SPARCS, etc.) — granular enough to narrow to facility
- SAMHSA Behavioral Health Barometer (state-level utilization, LOC breakdowns)
- NPI registry (provider name → NPI lookup — reverses hashing if salt is known) Attack scenario: Exported record shows
- Quasi-identifier generalization — Before export, evaluate whether any combination of retained fields (payer + LOC + state + year) yields a population of fewer than 11 distinct providers in the external reference datasets. If yes, suppress or further generalize (e.g., generalize state to region, or year to 2-year band).
- Disclosure-limited exports — For published research, cap the retained field granularity. Example: publish payer category (commercial, Medicaid, MA) instead of named payer; publish LOC category (residential, outpatient) instead of specific LOC code.
- Recipient controls — For partner transfers (BAA), include a data use agreement (DUA) prohibiting re-identification attempts and prohibiting linkage with external datasets.
- Pre-publication linkage check — Run a manual check against SAMHSA TEDS and CMS public data before any research publication. Document the check in the export audit log. Attorney review item: Confirm whether a linkage analysis is required under the specific disclosure context, or whether Safe Harbor + suppression threshold is sufficient.
- Salt never logged. The export process must explicitly prohibit writing the salt to any log file, audit trail, database field, or environment variable. Salt exists only in memory during the export run.
- Salt destruction confirmation. The export process generates an attestation record:
- Export isolation. Each export run generates a fresh random salt (Node.js
crypto.randomBytes(32)).
Salts are never reused across exports. This prevents cross-export NPI correlation even if one
export's salt were somehow recovered.
- Access controls on export function. The de-id export route must be restricted to admin role only. Audit log must record user_id, timestamp, and export_id for every invocation.
- NPI omission option. For highest-sensitivity exports (public research publication), consider omitting hashed NPI entirely rather than hashing it. Payer + LOC + outcome is sufficient for most research questions without provider pseudonymization.
- Narrative abstraction tier. Narrative fields (
narrative_template,policy_reference, - Minimum narrative generalization. For any published dataset, narrative fields should be reduced to structured attributes (criteria cited, evidence type, framing approach) rather than free text. Stratum's
- Rare-scenario suppression. Any precedent where the combination (payer + LOC + denial type + criteria source) appears only once in the export dataset should have its narrative field suppressed entirely, regardless of the 3-record threshold applied to quasi-identifiers.
- Human review gate for publication exports. Before any research publication, a person (Patrick or designated reviewer) must read each exported narrative field and confirm it does not contain a recognizable clinical fingerprint. This review is documented in the export audit log as
- Payer disclosure restriction. Consider restricting named payer in exports where narrative is included. Publishing "Cigna denied PHP citing MCG 7.D.2 and the following argument pattern succeeded" is more re-identifiable than publishing the argument pattern without payer name. The DUA with research partners can restrict further payer-level attribution.
- Confirm Safe Harbor method is sufficient for the specific disclosure context (publication vs. marketplace vs. partner transfer)
- Review the 18-identifier treatment table — confirm no gaps for behavioral health context
- Confirm suppression threshold (currently set at n < 3) is defensible
- Review the export metadata format (
_deidentification_methodfield content) - Confirm 42 CFR Part 2 SUD records require additional consent even after de-identification (likely yes — Part 2 has stricter standards than HIPAA Safe Harbor)
- Confirm whether a formal linkage analysis against external public datasets (SAMHSA TEDS, CMS) is required for research publication, or whether Safe Harbor + suppression threshold + DUA prohibition is sufficient
- Review the salt custody attestation procedure — confirm it satisfies audit trail requirements without creating a reversibility risk
- Confirm whether the DUA (data use agreement) prohibiting re-identification attempts is required for BAA partners, or whether the BAA itself is sufficient Estimated legal review time: 2–4 hours. Cost: $500–$1,500.
/Users/patricklord/REPOS/Stratum Collective/stratum-platform/docs/HIPAA_AUDIT_READINESS.md/Users/patricklord/REPOS/Stratum Collective/stratum-platform/src/middleware/phi-validation.ts/Users/patricklord/REPOS/Stratum Collective/stratum-platform/src/db/schema.sql
phi-validation.ts) handles input-time blocking;
this spec governs output-time transformation.
Method Selection: Safe Harbor vs. Expert Determination
| Method | Standard | Cost | Flexibility |
| Safe Harbor (§164.514(b)(2)) | Remove all 18 enumerated identifiers | Low — implementable in code | Lower — mechanical |
| Expert Determination (§164.514(b)(1)) | Statistical re-identification risk < "very small" | High — requires qualified statistician | Higher — retains more granularity |
| # | Identifier | Present in Precedent Objects? | Treatment |
| 1 | Names (patient, relative, employer, provider) | Possibly in narrative/appeal text | Strip — remove or replace with [PATIENT], [PROVIDER], [EMPLOYER] tokens |
| 2 | Geographic subdivisions smaller than state (zip codes, street addresses) | Possible in provider address fields | Generalize — retain state only; strip zip, street, city |
| 3 | Dates more specific than year (birthdate, admission, discharge, service, death) | Likely in service_dates or narrative | Generalize — retain year only (e.g., "2024" not "03/15/2024") |
| 4 | Phone numbers | Blocked at input | Confirm absent via scan; strip if found |
| 5 | Fax numbers | Blocked at input | Confirm absent via scan; strip if found |
| 6 | Email addresses | Blocked at input | Confirm absent via scan; strip if found |
| 7 | Social Security Numbers | Blocked at input | Confirm absent via scan; strip if found |
| 8 | Medical record numbers | Blocked at input | Confirm absent via scan; strip if found |
| 9 | Health plan beneficiary numbers | Possible in policy_reference | Strip — remove member/subscriber/policy IDs |
| 10 | Account numbers | Blocked at input | Confirm absent via scan; strip if found |
| 11 | Certificate/license numbers | Unlikely | Confirm absent via scan |
| 12 | Vehicle identifiers/license plates | Not applicable | N/A |
| 13 | Device identifiers/serial numbers | Not applicable | N/A |
| 14 | URLs containing patient info | Blocked at input | Confirm absent via scan; strip if found |
| 15 | IP addresses | Not stored in precedent objects | Confirm absent |
| 16 | Biometric identifiers | Not applicable | N/A |
| 17 | Full-face photos/comparable images | Not applicable | N/A |
| 18 | Any other unique identifying number or code | Provider NPI (quasi-identifier) | Hash — replace with sha256(NPI + salt)[:12]; consistent within export but not reversible |
| Pattern | Middleware Covers | De-id Transform Also Needed | |
| SSN | Yes | Yes — as residual scan | |
| Phone | Yes | Yes — as residual scan | |
| Yes | Yes — as residual scan | ||
| MRN | Yes | Yes — as residual scan | |
| Full dates (MM/DD/YYYY) | Yes | Yes — generalize to year | |
| Full dates (Month DD, YYYY) | Yes | Yes — generalize to year | |
| Account numbers | Yes | Yes — as residual scan | |
| Health plan IDs | Yes | Yes — as residual scan | |
| IP addresses | Yes | Yes — as residual scan | |
| URL with patient info | Yes | Yes — as residual scan | |
| Pattern | Description | Safe Harbor # | |
| Names | Patient/provider names in free text | 1 | |
| Fax numbers | Similar format to phone | 5 | |
| Geographic (zip codes) | 5-digit or 9-digit zip | 2 | |
| Geographic (street addresses) | Free-text address fields | 2 | |
| Certificate/license numbers | State license formats | 11 | |
| NPI numbers | 10-digit provider ID | 18 (quasi) | |
| Risk | Likelihood | Mitigation | |
| Small-practice provider re-identification via payer + LOC + year | Low-medium | NPI hashing; avoid publishing single-provider datasets | |
| Rare diagnosis + rare payer combination | Low | Suppress records where combination appears fewer than 3 times in dataset | |
| Narrative text containing implicit identifiers (facility names, city references) | Medium | Manual review of narrative fields before publication; add [FACILITY] tokenization | |
| Tier | Definition | Treatment | |
| Generic | Applicable to any case of this type; no case-specific detail | Include as-is | |
| Semi-specific | References specific criteria or framing but no patient detail | Include with review | |
| Case-specific | Describes a unique clinical scenario, rare combination, or specific event | Suppress or abstract before export | |
| Trigger | Action | ||
New identifier fields added to PrecedentObject schema | Update identifier coverage table; confirm de-id transform handles new fields | ||
| New use case (new disclosure type) | Confirm Safe Harbor is sufficient for that context; update Use Case Requirements section | ||
| HHS updates Safe Harbor identifier list | Update identifier table; re-validate transform | ||
| 42 CFR Part 2 regulatory update | Review SUD exclusion policy with counsel | ||
| Dataset scale crosses 10,000 records | Consider Expert Determination assessment — Safe Harbor sufficiency assumptions may shift | ||
| Any attorney identifies gaps during review | Update immediately before proceeding | ||
| Role | Name | Date | Status |
| Platform Engineer | — | — | Pending |
| Business Owner | Patrick | — | Pending |
| HIPAA Counsel (external) | — | — | Required before first use |
Related files: