What gets removed
Before any data is shared, every direct identifier is stripped at the source. That includes:
- Names, initials, and aliases of patients, subjects, or staff
- Medical record numbers, sample IDs, internal case numbers
- Dates of birth, admission dates, and any date that could be used to triangulate identity
- Addresses, postal codes finer than the country level, and any geographic identifiers that could narrow down to small populations
- Phone numbers, emails, and other direct contact details
Indirect identifiers — combinations of demographic facts that could re-identify someone in a small dataset — are flagged and either generalized (age 60 instead of date of birth) or removed entirely.
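The two steps above, as an added example (not code from this page or from the pipeline it describes): direct identifiers are dropped, date of birth is generalized to an age, and indirect identifiers are removed from any record whose combination is shared by fewer than k records. The field names, the choice of indirect identifiers, and the threshold k are assumptions made for the illustration.

```python
from collections import Counter
from datetime import date

# Field names are assumptions for this example, not a schema from the page.
DIRECT_IDENTIFIERS = {"name", "initials", "mrn", "sample_id", "case_number", "date_of_birth",
                      "admission_date", "address", "postal_code", "phone", "email"}
QUASI_IDENTIFIERS = ("age", "sex", "country")


def deidentify(record, today):
    """Drop direct identifiers and generalize date of birth to an age in years."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    dob = record.get("date_of_birth")
    if dob is not None:
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        # HIPAA Safe Harbor aggregates ages over 89 into one "90 or older" category.
        out["age"] = "90+" if age >= 90 else age
    return out


def small_groups(records, k):
    """Return quasi-identifier combinations shared by fewer than k records."""
    counts = Counter(tuple(r.get(q) for q in QUASI_IDENTIFIERS) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def release(raw_records, today, k=2):
    """De-identify, then remove quasi-identifiers from records in groups smaller than k."""
    cleaned = [deidentify(r, today) for r in raw_records]
    risky = small_groups(cleaned, k)
    for r in cleaned:
        if tuple(r.get(q) for q in QUASI_IDENTIFIERS) in risky:
            for q in QUASI_IDENTIFIERS:
                r.pop(q, None)  # suppression: the rare combination is removed entirely
    return cleaned, risky


# Constructed sample records (not real data).
SAMPLE = [
    {"name": "A. Example", "mrn": "X-001", "date_of_birth": date(1960, 3, 14),
     "sex": "F", "country": "US", "postal_code": "00000", "diagnosis": "CKD stage 3"},
    {"name": "B. Example", "mrn": "X-002", "date_of_birth": date(1960, 5, 20),
     "sex": "F", "country": "US", "email": "b@example.invalid", "diagnosis": "hypertension"},
    {"name": "C. Example", "mrn": "X-003", "date_of_birth": date(1930, 1, 5),
     "sex": "M", "country": "US", "phone": "000-0000", "diagnosis": "elevated creatinine"},
]

if __name__ == "__main__":
    print(release(SAMPLE, date(2025, 6, 1)))
```

In the constructed sample, the third record is the only one in its age, sex and country group, so its indirect identifiers are removed and only the clinical field remains.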
Where the stripping happens
Anonymization happens inside your systems, before any data reaches us. We work with your existing pipelines and tooling rather than asking you to ship raw data to a third party for processing. If your institution already has a de-identification step in place, we slot in after it.
Nothing identifiable ever leaves your network. We never see the raw, identifiable form of any record.
What we actually receive
What ends up in our hands is structured records that look like clinical or experimental cases without any link back to a real person. For example, a patient record might become "65-year-old, elevated creatinine, CKD stage 3, prior hypertension." A lab experiment might become a list of conditions, instrument settings, and measured outcomes with no operator name or sample ID.
Compliance frameworks
The process we use is designed to meet HIPAA Safe Harbor standards in the US, GDPR's anonymization criteria in the EU, and the equivalent local frameworks where we operate. If your institution has additional requirements, we work them into the pipeline rather than around them.
Have specific privacy requirements you'd like us to meet? Tell us about them.