Anonymize patient portal export packages before third-party disclosure – CCPA/HIPAA-compliant de-identification per 45 CFR §164.524
Under 45 CFR §164.524, patients have the right to access and receive copies of their PHI in a designated record set, including electronic exports from patient portals. When a portal export must be disclosed to third parties — such as in litigation discovery or an insurance claim — anonym.legal de-identifies third-party PHI inadvertently included in the export while preserving the patient's own health information for authorized disclosure.
When this applies
Apply this workflow when a patient-portal export bundle is being produced for a third-party recipient — in litigation, insurance review, or employer accommodation proceedings — and the bundle contains PHI of third parties (other patients mentioned in shared encounter records, named clinicians) that must be removed before disclosure.
How anonym.legal handles it
- Upload the patient portal export package (CCDA, FHIR R4, or PDF compilation) to anonym.legal.
- Provide the requesting patient's identity as the reference; the engine preserves the patient's own PHI while detecting third-party PHI embedded in shared records.
- Third-party patient names, MRNs, and contact details mentioned in shared ward records, group session notes, or family health history sections are de-identified.
- Named clinicians are de-identified to role labels in contexts where their identity is not relevant to the authorized disclosure purpose.
- The patient's own clinical content — diagnoses, medications, lab results, appointments — is preserved in full.
- A processing report lists all third-party PHI actions taken, supporting documentation of the minimum-necessary determination.
What you provide
- Patient portal export package (CCDA XML, FHIR R4 JSON, or PDF)
- Patient identity reference (to distinguish the requester from third parties)
- Description of the intended disclosure purpose and recipient
Limitations & cautions
- The right of access under §164.524 entitles the patient to their own PHI; the covered entity must still make a minimum-necessary determination about third-party PHI before disclosing the export for non-treatment purposes.
- The engine de-identifies third-party PHI on a best-effort basis; unusual formatting in patient portal exports from proprietary EHR systems may require manual review.
- Clinical records in the export that were created by the patient's treating providers are the patient's own PHI regardless of whether they contain clinician identifiers — confirm the scope of the export with legal counsel before third-party disclosure.
FAQ
Does HIPAA require covered entities to honor patients' requests to send their records directly to third parties?
Yes. Under §164.524(c)(3), covered entities must transmit a copy of PHI directly to a third party designated by the patient, as long as the request is clear, conspicuous, and specific. The covered entity may de-identify third-party PHI before transmission but must provide the patient's own complete designated record set.
What is the timeline for responding to a patient access request?
Under §164.524(b)(2), covered entities must act on a request for access within 30 days of receipt (extendable once by 30 days with written notice). De-identification processing of third-party PHI must be completed within this window.
Can a patient authorize release of their de-identified portal export to a research database?
A patient may authorize any disclosure of their own PHI under §164.508. If the patient wants to contribute their data to a research database in de-identified form, the covered entity can process the export through this workflow before transmitting to the research database — though once de-identified the data is not PHI and formal authorization is no longer required.