Glossary
HIPAA Safe Harbor
Also known as: Safe Harbor de-identification, HIPAA Safe Harbor method
Definition
HIPAA Safe Harbor is one of two methods the HIPAA Privacy Rule provides for de-identifying protected health information. Under Safe Harbor, data is considered de-identified once 18 specific categories of identifiers (names, geographic units smaller than a state, dates, contact details, and others) are removed and the covered entity has no actual knowledge that the remaining data could identify an individual.
Why it matters
For AI workloads handling PHI, Safe Harbor is the cleanest path to compliant de-identification because it is rule-based and auditable rather than statistical. The Expert Determination method (the alternative) requires a documented expert opinion that re-identification risk is very small, which is harder to operationalize and harder to defend in audit.
The 18 categories cover more than the obvious. Beyond names and SSNs they include dates more granular than year, ages over 89, ZIP codes (smaller than the first three digits), email and IP addresses, biometric identifiers, and any other unique identifying number, characteristic, or code. AI pipelines that pull demographic context from notes will trip on several of these without explicit controls.
In practice
Prism Guardrails ship with built-in detectors for all 18 Safe Harbor identifier categories. Prism X covers the same surface at the browser, blocking employees from pasting Safe Harbor-covered identifiers into consumer AI tools. Both produce per-event audit logs designed for HIPAA breach assessment under §164.312(b).
Related
More glossary terms
Start tracing in 5 minutes
One SDK. Five minutes. Full audit trails, PII redaction, and guardrail enforcement, from day one.