HIPAA Safe Harbor Compliance Policy
Grace Steps Portal Data Protection & De-Identification Agreement
1. Policy Overview
To guarantee complete safety and confidentiality for individuals participating in Grace Steps, this portal operates under the **HIPAA Safe Harbor de-identification rules** (45 CFR § 164.514(b)(2)). Outbound portals (Event Hosts, Volunteer Networks, Community Leaders, and Public registries) **must never** show individual Protected Health Information (PHI).
2. The 18 Safe Harbor Identifiers
Grace Steps strips or fully generalizes all 18 identifiers listed under Safe Harbor rules for public views, including:
- ✖ Names (First, Middle, Last)
- ✖ Geographic data smaller than State
- ✖ Specific dates (Birth, Outing dates)
- ✖ Telephone & Fax numbers
- ✖ Email addresses
- ✖ Social Security Numbers
- ✖ Medical Record Numbers
- ✖ Health Plan Beneficiary numbers
- ✖ Account numbers
- ✖ Certificate & license numbers
- ✖ Vehicle identifiers (VINs, plates)
- ✖ Device IDs & serial numbers
- ✖ URLs & Web IP addresses
- ✖ Biometric identifiers (voice, prints)
- ✖ Full-face photographs
- ✖ Any unique identifying number/code
3. Grace Steps Compliance Actions
- Dynamic Sanitizer: Automated scrubber strips names, phone numbers, and Medicaid IDs from freeform caregiver reports (AARs) before sharing.
- Outbound Anonymization: Event Hosts and public lists only view counts and aggregate demand stats. Individual names are replaced by generic tags (e.g. Participant A).
- Access Restriction: Only authorized internal staff bound by BAA agreements can view PHI inside secure role workspaces.
Individual Agreement and Policy Consent
All service providers, caregivers, and staff are required to review the policy and sign this electronic consent form below to confirm compliance and agreement.