MicrosoftDocs
diff --git a/‎articles/healthcare-apis/deidentification/index.yml
Lines changed: 43 additions & 0 deletions b/‎articles/healthcare-apis/deidentification/index.yml
Lines changed: 43 additions & 0 deletions
diff --git a/‎articles/healthcare-apis/deidentification/manage-access-rbac.md
Lines changed: 120 additions & 0 deletions b/‎articles/healthcare-apis/deidentification/manage-access-rbac.md
Lines changed: 120 additions & 0 deletions
diff --git a/‎articles/healthcare-apis/deidentification/managed-identities.md
Lines changed: 103 additions & 0 deletions b/‎articles/healthcare-apis/deidentification/managed-identities.md
Lines changed: 103 additions & 0 deletions
diff --git a/‎articles/healthcare-apis/deidentification/overview.md
Lines changed: 71 additions & 0 deletions b/‎articles/healthcare-apis/deidentification/overview.md
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,43 @@
+### YamlMime:Landing
+
+title: De-identification service documentation
+summary: Documentation for the Azure Health Data Services de-identification service.
+
+metadata:
+  title: Azure Health Data Services de-identification service
+  description: Documentation for the Azure Health Data Services de-identification service.
+  ms.service: azure-health-data-services
+  ms.subservice: deidentification-service
+  ms.topic: landing-page
+
+  author: msjasteppe
+  ms.author: jasteppe
+  ms.date: 08/08/2024
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+  - title: About the de-identification service
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: What is the de-identification service?
+            url: overview.md
+
+  - title: Get started
+    linkLists:
+      - linkListType: quickstart
+        links:
+          - text: Deploy the de-identification service
+            url: quickstart.md
+          - text: Azure Health De-identification client library for .NET
+            url: quickstart-sdk-net.md
+
+  - title: How-to
+    linkLists:
+      - linkListType: how-to-guide
+        links:
+          - text: Manage access with Azure role-based access control (RBAC)
+            url: manage-access-rbac.md
+          - text: Use managed identities
+            url: managed-identities.md
@@ -0,0 +1,120 @@
+---
+title: Manage access to the de-identification service (preview) with Azure role-based access control (RBAC) in Azure Health Data Services
+description: Learn how to manage access to the de-identification service (preview) using Azure role-based access control.
+author: jovinson-ms
+ms.author: jovinson
+ms.service: azure-health-data-services
+ms.subservice: deidentification-service
+ms.topic: how-to
+ms.date: 07/16/2024
+---
+
+# Use Azure role-based access control with the de-identification service (preview)
+
+Microsoft Entra ID authorizes access rights to secured resources through Azure role-based access control (RBAC). The de-identification service (preview) defines a set of
+built-in roles that encompass common sets of permissions used to access de-identification functionality.
+
+Microsoft Entra ID uses the concept of a security principal, which can be a user, a group, an application service principal, or a [managed identity for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
+
+When an Azure role is assigned to a Microsoft Entra ID security principal over a specific scope, Azure grants access to that scope for that security principal. For more information about scopes, see
+[Understand scope for Azure RBAC](/azure/role-based-access-control/scope-overview).
+
+## Prerequisites
+
+- A de-identification service (preview) in your Azure subscription. If you don't have a de-identification service, follow the steps in [Quickstart: Deploy the de-identification service](quickstart.md).
+
+## Available built-in roles
+
+The de-identification service (preview) has the following built-in roles available:
+
+|Role |Description |
+|-----|------------|
+|DeID Data Owner |Full access to de-identification functionality. |
+|DeID Real-time Data User |Execute requests against de-identification API endpoints. |
+|DeID Batch Owner |Create and manage de-identification batch jobs. |
+|DeID Batch Reader |Read-only access to de-identification batch jobs. |
+
+## Assign a built-in role
+
+Keep in mind the following points about Azure role assignments with the de-identification service (preview):
+
+- When you create a de-identification service, you aren't automatically assigned permissions to access data via Microsoft Entra ID. You need to explicitly assign yourself an applicable Azure role. You can assign it at the level of your subscription, resource group, or de-identification service.
+- When roles are assigned, it can take up to 10 minutes for changes to take effect.
+- When the de-identification service is locked with an [Azure Resource Manager read-only lock](/azure/azure-resource-manager/management/lock-resources), the lock prevents the assignment of Azure roles that are scoped to the de-identification service.
+- When Azure deny assignments have been applied, your access might be blocked even if you have a role assignment. For more information, see [Understand Azure deny assignments](/azure/role-based-access-control/deny-assignments).
+
+You can use different tools to assign built-in roles.
+
+# [Azure portal](#tab/azure-portal)
+
+To use the de-identification service (preview), with Microsoft Entra ID credentials, a security principal must be assigned one of the built-in roles. To learn how to assign these roles to a security
+principal, follow the steps in [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
+
+# [Azure PowerShell](#tab/azure-powershell)
+
+To assign an Azure role to a security principal with PowerShell, call the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command. In order to run the command, you must have a role that includes **Microsoft.Authorization/roleAssignments/write** permissions assigned to you at the corresponding scope or higher.
+
+The format of the command can differ based on the scope of the assignment, but `ObjectId` and `RoleDefinitionName` are required parameters. While the `Scope` parameter is optional, you should set it to retain the principle of least privilege. By limiting roles and scopes, you limit the resources that are at risk if the security principal is ever compromised.
+
+The scope for a de-identification service (preview) is in the form `/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>`
+
+The example assigns the **DeID Data Owner** built-in role to a user, scoped to a specific de-identification service. Make sure to replace the placeholder values 
+in angle brackets `<>` with your own values:
+
+```azurepowershell
+New-AzRoleAssignment 
+	-SignInName <Email> `
+	-RoleDefinitionName "DeID Data Owner" `
+	-Scope "/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>"
+```
+
+A successful response should look like:
+
+```
+
+console
+RoleAssignmentId   : /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>/providers/Microsoft.Authorization/roleAssignments/<Role Assignment ID>
+Scope              : /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>
+DisplayName        : Mark Patrick
+SignInName         : [email protected]
+RoleDefinitionName : DeID Data Owner
+RoleDefinitionId   : <Role Definition ID>
+ObjectId           : <Object ID>
+ObjectType         : User
+CanDelegate        : False
+
+```
+
+For more information, see [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell).
+
+# [Azure CLI](#tab/azure-pcli)
+
+To assign an Azure role to a security principal with Azure CLI, use the [az role assignment create](/cli/azure/role/assignment) command. In order to run the command, you must have a role that includes
+**Microsoft.Authorization/roleAssignments/write** permissions assigned to you at the corresponding scope or higher.
+
+The format of the command can differ based on the type of security principal, but `role` and `scope` are required parameters.
+
+The scope for a de-identification service (preview) is in the form `/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>`
+
+The following example assigns the **DeID Data Owner** built-in role to a user, scoped to a specific de-identification service. Make sure to replace the placeholder values 
+in angle brackets `<>` with your own values:
+
+```azurecli
+az role assignment create \
+	--assignee <Email> \
+	--role "DeID Data Owner" \
+	--scope "/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>"
+```
+
+For more information, see [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-cli).
+
+# [ARM template](#tab/azure-resource-manager)
+
+To learn how to use an Azure Resource Manager template to assign an Azure role, see [Assign Azure roles using Azure Resource Manager templates](/azure/role-based-access-control/role-assignments-template).
+
+---
+
+## Related content
+
+- [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview)
+- [Best practices for Azure RBAC](/azure/role-based-access-control/best-practices)
@@ -0,0 +1,103 @@
+---
+title: Use managed identities with the de-identification service (preview) in Azure Health Data Services
+description: Learn how to use managed identities with the Azure Health Data Services de-identification service (preview) using the Azure portal and ARM template.
+author: jovinson-ms
+ms.author: jovinson
+ms.service: azure-health-data-services
+ms.subservice: deidentification-service
+ms.topic: how-to
+ms.date: 07/17/2024
+---
+
+# Use managed identities with the de-identification service (preview)
+
+Managed identities provide Azure services with a secure, automatically managed identity in Microsoft Entra ID. Using managed identities eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. The de-identification service supports both.
+
+Managed identities can be used to grant the de-identification service (preview) access to your storage account for batch processing. In this article, you learn how to assign a managed identity to your de-identification service.
+
+## Prerequisites
+
+- Understand the differences between **system-assigned** and **user-assigned** described in [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
+- A de-identification service (preview) in your Azure subscription. If you don't have a de-identification service, follow the steps in [Quickstart: Deploy the de-identification service](quickstart.md).
+
+## Create an instance of the de-identification service (preview) in Azure Health Data Services with a system-assigned managed identity
+
+# [Azure portal](#tab/portal)
+
+1. Access the de-identification service (preview) settings in the Azure portal under the **Security** group in the left navigation pane.
+1. Select **Identity**.
+1. Within the **System assigned** tab, switch **Status** to **On** and choose **Save**.
+
+# [ARM template](#tab/azure-resource-manager)
+
+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can be created with a system-assigned identity by including the following block in 
+the resource definition:
+
+```json
+"identity": {
+    "type": "SystemAssigned"
+}
+```
+
+---
+
+## Assign a user-assigned managed identity to a service instance
+
+# [Azure portal](#tab/portal)
+
+1. Create a user-assigned managed identity resource according to [these instructions](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
+1. In the navigation pane of your de-identification service (preview), scroll to the **Security** group.
+1. Select **Identity**.
+1. Select the **User assigned** tab, and then choose **Add**.
+1. Search for the identity you created, select it, and then choose **Add**.
+
+# [ARM template](#tab/azure-resource-manager)
+
+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can be created with a user-assigned identity by including the following block in
+the resource definition, replacing **resource-id** with the Azure Resource Manager (ARM) resource ID of the desired identity:
+
+```json
+"identity": {
+    "type": "UserAssigned",
+    "userAssignedIdentities": {
+        "<resource-id>": {}
+    }
+}
+```
+
+---
+
+## Supported scenarios using managed identities
+
+Managed identities assigned to the de-identification service (preview) can be used to allow access to Azure Blob Storage for batch de-identification jobs. The service acquires a token as
+the managed identity to access Blob Storage and de-identify blobs that match a specified pattern. For more information, including how to grant access to your managed identity,
+see [Quickstart: Azure Health De-identification client library for .NET](quickstart-sdk-net.md).
+
+## Clean-up steps
+
+When you remove a system-assigned identity, you delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID
+when you delete the de-identification service (preview).
+
+# [Azure portal](#tab/portal)
+
+1. In the navigation pane of your de-identification service (preview), scroll down to the **Security** group.
+1. Select **Identity**, then follow the steps based on the identity type:
+   - **System-assigned identity**: Within the **System assigned** tab, switch **Status** to **Off**, and then choose **Save**.
+   - **User-assigned identity**: Select the **User assigned** tab, select the checkbox for the identity, and select **Remove**. Select **Yes** to confirm.
+
+# [ARM template](#tab/azure-resource-manager)
+
+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can have system-assigned identities deleted and user-assigned identities unassigned by 
+including this block in the resource definition:
+
+```json
+"identity": {
+    "type": "None"
+}
+```
+
+---
+
+## Related content
+
+- [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)
@@ -0,0 +1,71 @@
+---
+title:  Overview of the de-identification service (preview) in Azure Health Data Services
+description: Learn how the de-identification service (preview) in Azure Health Data Services anonymizes clinical data, ensuring HIPAA compliance while retaining data relevance for research and analytics.
+author: kimiamavon
+ms.service: azure-health-data-services
+ms.subservice: deidentification-service
+ms.topic: overview
+ms.date: 7/17/2024
+ms.author: kimiamavon
+---
+
+# What is the de-identification service (preview)?
+
+The de-identification service (preview) in Azure Health Data Services enables healthcare organizations to anonymize clinical data so that the resulting data retains its clinical relevance and distribution while also adhering to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The service uses state-of-the-art machine learning models to automatically extract, redact, or surrogate 28 entities, including the HIPAA 18 Protected Health Information (PHI) identifiers – from unstructured text such as clinical notes, transcripts, messages, or clinical trial studies.
+
+## Use de-identified data in research, analytics, and machine learning
+
+The de-identification service (preview) unlocks data that was previously difficult to de-identify so organizations can conduct research and derive insights from analytics. The de-identification service supports three operations: **tag**, **redact**, or **surrogate PHI**. The de-identification service offers many benefits, including:
+
+- **Surrogation**: Surrogation, or replacement, is a best practice for PHI protection. The service can replace PHI elements with plausible replacement values, resulting in data that is most representative of the source data. Surrogation strengthens privacy protections as any false-negative PHI values are hidden within a document.
+
+- **Consistent replacement**: Consistent surrogation results enable organizations to retain relationships occurring in the underlying dataset, which is critical for research, analytics, and machine learning. By submitting data in the same batch, our service allows for consistent replacement across entities and preserves the relative temporal relationships between events.
+
+- **Expanded PHI coverage**: The service expands beyond the 18 HIPAA Identifiers to provide stronger privacy protections and more fine-grained distinctions between entity types, such as distinguishing between Doctor and Patient.
+
+## De-identify clinical data securely and efficiently
+
+The de-identification service (preview) offers many benefits, including:
+
+- **PHI compliance**: The de-identification service is designed for protected health information (PHI). The service uses machine learning to identify PHI entities, including HIPAA’s 18 identifiers, using the “TAG” operation. The redaction and surrogation operations replace these identified PHI values with a tag of the entity type or a surrogate, or pseudonym. The service also meets all regional compliance requirements including HIPAA, GDPR, and the California Consumer Privacy Act (CCPA).
+
+- **Security**: The de-identification service is a stateless service. Customer data stays within the customer’s tenant.
+
+- **Role-based Access Control (RBAC)**: Azure role-based access control (RBAC) enables you to manage how your organization's data is processed, stored, and accessed. You determine who has access to de-identify datasets based on roles you define for your environment.
+
+## Synchronous or asynchronous endpoints
+
+The de-identification service (preview) offers two ways to interact with the REST API or Client library (Azure SDK).
+
+- Directly submit raw unstructured text for analysis. The API output is returned in your application.
+- Submit a job to asynchronously endpoint process files in bulk from Azure Blob Storage using tag, redact, or surrogation with consistency within a job.
+
+## Input requirements and service limits
+
+The de-identification service (preview) is designed to receive unstructured text. To de-identify data stored in the FHIR&reg; service, see [Export deidentified data](/azure/healthcare-apis/fhir/deidentified-export).
+
+The following service limits are applicable during preview:
+- Requests can't exceed 50 KB.
+- Jobs can process no more than 1,000 documents.
+- Each document processed by a job can't exceed 2 MB.
+
+## Pricing
+As with other Azure Health Data Services, you pay only for what you use. You have a monthly allotment that enables you to try the product for free.
+
+| Transformation Operation (per MB) | Up to 50 MB | Over 50 MB |
+| ---------------- | ------ | ---- |
+| Unstructured text de-identification | $0 | $0.05 |
+
+When you choose to store documents in Azure Blob Storage, you are charged based on Azure Storage pricing.
+
+## Responsible use of AI
+
+An AI system includes the technology, the people who use it, the people affected by it, and the environment where you deploy it. Read the transparency note for the de-identification service (preview) to learn about responsible AI use and deployment in your systems.
+
+## Related content
+
+[De-identification quickstart](quickstart.md)
+
+[Integration and responsible use](/legal/cognitive-services/language-service/guidance-integration-responsible-use?context=%2Fazure%2Fai-services%2Flanguage-service%2Fcontext%2Fcontext)
+
+[Data, privacy, and security](/legal/cognitive-services/language-service/data-privacy?context=%2Fazure%2Fai-services%2Flanguage-service%2Fcontext%2Fcontext)