Glossary

What is FHIR de-identification?

FHIR de-identification is the practice of removing or transforming identifying fields from FHIR resources so that the resulting data can be used for purposes that should not have access to direct patient identifiers.

In context

Common transformations include removing names, contact details, and addresses; generalising birth dates to a year or age band; and replacing identifiers with study-specific tokens. The bar for what counts as de-identified, pseudonymised, or anonymised under HIPAA Safe Harbor, the GDPR, or other frameworks depends on the data, the recipient, and the wider processing context; it is not a property of one field in isolation.

Server-side enforcement is required. Without it, a recipient can probe redacted fields indirectly: searching for an exact name and seeing whether a result comes back, sorting by a redacted field, or following a reference into a record they should not be able to see. The safer pattern is to combine field-level redaction with explicit limits on which search parameters and reference traversals roles with de-identified access can use at all.
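The transformations listed above (clear, generalise, tokenise) together with the search-parameter blocklist that stops indirect probing, as an added example that is not Fire Arrow's code; the Patient resource, the blocklist contents and the `urn:example:*` systems are constructed for illustration.

```python
import copy
import hashlib
import hmac

# Constructed sample Patient resource (not from the page).
SAMPLE_PATIENT = {
    "resourceType": "Patient",
    "id": "pat-1",
    "identifier": [{"system": "urn:example:mrn", "value": "MRN-0001234"}],
    "name": [{"family": "Doe", "given": ["Jane"]}],
    "telecom": [{"system": "phone", "value": "555-0100"}],
    "address": [{"city": "Springfield", "postalCode": "12345"}],
    "gender": "female",
    "birthDate": "1984-07-16",
}
# Direct identifiers cleared outright.
REDACTED_FIELDS = ("name", "telecom", "address", "photo", "contact")
# Search parameters that read redacted or generalised fields (hypothetical list).
BLOCKED_SEARCH_PARAMS = {"name", "family", "given", "phone", "email", "telecom",
    "address", "address-city", "address-postalcode", "identifier", "birthdate"}

def pseudonymise(value: str, study_key: bytes) -> str:
    """Keyed, study-specific token: stable within a study, unlinkable across."""
    return hmac.new(study_key, value.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify_patient(patient: dict, study_key: bytes) -> dict:
    """Field-level redaction: clear, generalise birthDate, tokenise identifiers."""
    out = copy.deepcopy(patient)
    for field in REDACTED_FIELDS:
        out.pop(field, None)
    if "birthDate" in out:                      # generalise to year only
        out["birthDate"] = out["birthDate"][:4]
    for ident in out.get("identifier", []):     # replace with study token
        ident["value"] = pseudonymise(ident["value"], study_key)
        ident["system"] = "urn:example:study-token"
    return out

def refused_search_params(params: dict) -> list:
    """Query parameters a de-identified role must be refused. Covers the three
    indirect probes: name:exact=Doe, _sort=name, general-practitioner.name=Doe."""
    refused = []
    for key, value in params.items():
        if key == "_sort":                      # sort fields, "-" means descending
            fields = {f.lstrip("-") for f in value.split(",")}
        else:                                   # strip chain segments and modifiers
            fields = {seg.split(":")[0] for seg in key.split(".")}
        if fields & BLOCKED_SEARCH_PARAMS:
            refused.append(key)
    return refused
```

Redaction without the second function leaves every blocked field recoverable through search, so both checks belong on the server, not the client.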

How Fire Arrow handles it

Fire Arrow Server enforces de-identification through field-level redaction (clearing identifying fields like names and contact points, or replacing them with realistic-looking randomised values) combined with explicit blocklists on search parameters and reference traversals so blocked fields cannot be inferred indirectly. The same restrictions apply across REST, GraphQL, and SQL-on-FHIR. The mechanics are server-side; the policy decision is yours.