Complete List of the 18 HIPAA Identifiers for De-Identification (Safe Harbor)
Overview of HIPAA Safe Harbor Method
The HIPAA Safe Harbor method is one of the De-identification Standards under the Privacy Rule. It allows you to share data stripped of specific identifiers so it no longer constitutes Protected Health Information (PHI). To qualify, you must remove all 18 specified identifiers and have no actual knowledge that the remaining information could identify an individual.
Safe Harbor supports Health Information Privacy by providing clear Identifier Removal Procedures that organizations can operationalize. Compared with expert determination, it is rules-based, auditable, and easier to document for Privacy Rule Compliance, provided you consistently apply the requirements across all data elements, notes, images, and embedded metadata.
Personal Identifiers Removal
Remove any direct personal identifiers that can tie a record to a specific individual or their close associates. This includes the person’s name and the names of relatives, employers, or household members in any format (e.g., full name, maiden name, or common aliases). Do not overlook signatures or name fragments embedded in free text, file names, or scanned documents.
When redacting narrative notes, review salutations, author bylines, and acknowledgments. Replace removed tokens with neutral placeholders when necessary for analysis, and maintain a separate, access-controlled mapping only if you need internal re-identification for permitted operations.
Geographic and Date Information
Geography: Remove all geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code, and equivalent geocodes. You may retain only the initial three digits of a ZIP code when the area formed by combining all ZIP codes that share those three digits has more than 20,000 people; otherwise substitute “000.” This prevents location-based singling out, a common path to Re-identification Risk.
Dates: Remove all elements of dates (except year) for dates directly related to an individual—such as birth, admission, discharge, and death. Ages over 89 and any related year must also be removed; instead, aggregate into a single category of “age 90 or older.” Apply these rules uniformly to timestamps in filenames, EXIF fields, audit logs, and message headers.
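The geography and date rules above, applied to structured fields, as an added example that is not part of the original article. The field names, the `ZIP3_POPULATION` table and its population figures are constructed assumptions; a real pipeline would load current Census counts for every three-digit ZIP area.

```python
from datetime import date

# Constructed ZIP3 populations for illustration only (hypothetical values).
ZIP3_POPULATION = {"606": 2_700_000, "059": 12_000}
THRESHOLD = 20_000  # Safe Harbor: keep ZIP3 only above this population

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only when that area exceeds 20,000 people."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed or partial ZIP: fail closed
    zip3 = digits[:3]
    # Unknown areas are treated as small so missing data cannot leak geography.
    return zip3 if populations.get(zip3, 0) > THRESHOLD else "000"

def age_on(birth, event):
    """Whole years elapsed between birth and event."""
    before_birthday = (event.month, event.day) < (birth.month, birth.day)
    return event.year - birth.year - before_birthday

def generalize_record(rec, populations=ZIP3_POPULATION):
    """Return a new dict with the geography and date rules applied."""
    birth, admit = rec["birth_date"], rec["admission_date"]
    age = age_on(birth, admit)
    out = {"state": rec["state"],
           "zip3": generalize_zip(rec["zip"], populations),
           "admission_year": admit.year}  # month and day are dropped
    if age > 89:
        # One category for everyone over 89, and no birth year to reveal the age.
        out["age"], out["birth_year"] = "90 or older", None
    else:
        out["age"], out["birth_year"] = age, birth.year
    return out

# Constructed sample records
SAMPLES = [
    {"state": "IL", "zip": "60614-1234",
     "birth_date": date(1980, 7, 4), "admission_date": date(2023, 3, 1)},
    {"state": "VT", "zip": "05901",
     "birth_date": date(1930, 1, 15), "admission_date": date(2023, 3, 1)},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(generalize_record(r))
```

The function builds a new record from an allow-list of output fields rather than deleting fields from the input, so a column added upstream later is dropped by default.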
Contact Information Redaction
Strip all channels that could enable direct contact. This includes telephone numbers, fax numbers, and electronic mail addresses. Check body text, signatures, headers, voicemail transcripts, and image overlays for these values, and ensure automated detectors are tuned for varied formats (domestic and international) to uphold consistent Identifier Removal Procedures.
Identification Numbers Exclusion
Exclude numeric and alphanumeric identifiers that can uniquely link back to a person or their records. Remove Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and certificate/license numbers. Eliminate vehicle identifiers and serial numbers (including license plates) and device identifiers and serial numbers, which often appear in clinical equipment logs.
Network and web identifiers must also be removed: web URLs and Internet Protocol (IP) address numbers can directly or indirectly identify individuals or their households. Ensure these values are not left behind in logs, hyperlinks, referrers, or embedded telemetry to reduce Re-identification Risk.
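A post-redaction audit for the contact, numeric and network identifiers described in the two sections above, as an added example that is not part of the original article. It scans text that is supposed to be de-identified already and reports which identifier categories remain; the patterns and the sample notes are constructed assumptions and cover only a few formats.

```python
import re

# Illustrative patterns (assumptions); a production detector needs broader
# format coverage plus manual review of whatever it flags and misses.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Trailing sentence punctuation is excluded from the reported URL.
    "url": re.compile(r"\b(?:https?://|www\.)[^\s<>\"']*[^\s<>\"'.,;:!?)]", re.I),
    "ipv4": re.compile(r"\b" + OCTET + r"(?:\." + OCTET + r"){3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # International (+country code, grouped digits) or US-style 3-3-4 numbers.
    "phone": re.compile(
        r"(?<![\w+])(?:\+\d{1,3}(?:[\s.-]?\(?\d{1,4}\)?){2,5}"
        r"|(?:\(\d{3}\)\s?|\d{3}[\s.-])\d{3}[\s.-]\d{4})(?!\d)"),
}

def scan(text):
    """Return sorted (category, matched_text) pairs found in one text field."""
    hits = []
    for name, pattern in PATTERNS.items():
        hits.extend((name, m.group(0)) for m in pattern.finditer(text))
    return sorted(hits)

def audit(records):
    """Map record index -> identifier categories still present after redaction."""
    report = {}
    for index, text in enumerate(records):
        categories = {name for name, _ in scan(text)}
        if categories:
            report[index] = categories
    return report

# Constructed notes standing in for output that was meant to be de-identified.
NOTES = [
    "Pt seen in clinic, stable. Follow up in 6 weeks.",
    "Call back at (312) 555-0142 or +44 20 7946 0958; email j.doe@example.org.",
    "Portal login from 203.0.113.7 via https://portal.example.org/visit?id=7, "
    "SSN 123-45-6789 on file.",
]

if __name__ == "__main__":
    for index, categories in audit(NOTES).items():
        print(index, sorted(categories))
```

An empty report means only that these patterns found nothing; names, record numbers in local formats and identifiers inside images still need their own checks.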
Biometric and Image Data
Delete biometric identifiers, including finger and voice prints, because they are inherently unique and persistent. These signals cannot be safely “blurred” or “hashed” for Safe Harbor; they must be removed.
Remove full-face photographs and any comparable images (for example, images that show enough facial or distinctive features to permit recognition). Review image metadata and thumbnails as they can also expose identifiers even when the visible image is cropped.
Handling Unique Identifiers
Safe Harbor requires removal of “any other unique identifying number, characteristic, or code.” This catch-all covers rare identifiers that may appear in specialized datasets (e.g., custom patient tokens in research systems or uncommon membership IDs). When in doubt, treat novel fields conservatively to maintain Privacy Rule Compliance.
Re-identification codes are permitted internally if they are not derived from the removed identifiers and recipients cannot use them to identify individuals. Store any linkage keys separately with strict access control, log their use, and document your De-identification Standards so teams can repeat the process reliably.
Conclusion
Applying HIPAA Safe Harbor means systematically removing all 18 identifiers, validating that no residual data reasonably identifies a person, and documenting clear Identifier Removal Procedures. Done well, this approach enables data utility while protecting individuals and upholding Health Information Privacy.
FAQs
What are the 18 HIPAA identifiers for de-identification?
The Safe Harbor list includes the following identifiers of the individual or of relatives, employers, or household members:
- Names.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes (with the three-digit ZIP exception only when the area has >20,000 people; otherwise “000”).
- All elements of dates (except year) for dates directly related to an individual (e.g., birth, admission, discharge, death) and all ages over 89 (aggregate to “age 90 or older”).
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographs and any comparable images.
- Any other unique identifying number, characteristic, or code (except a re-identification code maintained by the covered entity).
How does the Safe Harbor method protect patient privacy?
It protects privacy by mandating removal of specific high-risk identifiers and requiring that you have no actual knowledge that the remaining data could identify a person. This rules-based approach reduces linkage opportunities, supports consistent Identifier Removal Procedures, and provides an auditable path to Privacy Rule Compliance while enabling responsible data use.
Can de-identified data be re-identified?
While Safe Harbor substantially lowers risk, re-identification can still occur if residual attributes are combined with external data. Mitigate this Re-identification Risk by enforcing strict suppression of all 18 identifiers, reviewing free text, images, and metadata, minimizing granularity (e.g., dates, geography), and controlling any internal re-identification keys.
What types of information must be removed under HIPAA Safe Harbor?
You must remove all 18 identifiers across personal, geographic, temporal, contact, numeric, biometric, image, network, and catch-all unique identifiers. This includes names, small-area locations, detailed dates and ages over 89, phone/fax/email, SSNs and medical record numbers, plan and account numbers, license and device/vehicle identifiers, URLs/IPs, biometrics, full-face images, and any other unique identifying number, characteristic, or code.