Decoding HIPAA: Understanding the 18 Identifiers

Kevin Henry

HIPAA

January 09, 2024

6 minutes read

If you handle Protected Health Information (PHI), understanding the 18 HIPAA identifiers is essential to safeguard Health Data Privacy and meet HIPAA Compliance Standards. This guide explains how the HIPAA Privacy Rule treats Identifiable Health Information and what you must remove or generalize for PHI de-identification.

Overview of HIPAA Privacy Rule

The HIPAA Privacy Rule protects PHI held by covered entities and business associates. PHI is any health or payment data that can identify an individual, directly or indirectly. To share data outside treatment, payment, and operations, you typically must de-identify it so no person is reasonably identifiable.

Two recognized de-identification pathways

  • Safe Harbor: remove the 18 specific identifiers listed by HIPAA and ensure you have no actual knowledge that remaining data can identify someone.
  • Expert Determination: a qualified expert documents that the risk of re-identification is very small, using accepted statistical methods.

When you rely on Safe Harbor, precision about each identifier matters. The sections below decode how each category works in practice so you can handle Sensitive Health Identifiers correctly.

List of Identifiable Information

Under HIPAA’s Safe Harbor method, these 18 identifiers must be removed to treat a dataset as de-identified:

  1. Names.
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), with a limited ZIP code exception noted below.
  3. All elements of dates (except year) directly related to an individual, and all ages over 89 (aggregate as “90 or older”).
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers, including finger and voice prints.
  17. Full-face photographic images and any comparable images.
  18. Any other unique identifying number, characteristic, or code (with limited re-identification coding allowed as described later).

Geographic Subdivisions and Dates

Geographic subdivisions

Anything more precise than a state is an identifier: street address, city, county, precinct, and standard geocodes must be removed. You may keep the initial three digits of a ZIP code only if the combined three-digit area has more than 20,000 people; otherwise, replace those digits with 000. When in doubt, generalize to the state level.

Dates and age

Remove the month, day, and exact day-of-week for any dates tied to a person—birth, admission, discharge, death, appointment, and procedure dates. Keep only the year. For individuals older than 89, treat age and date-related details as identifiers and group them into a single category: “age 90 or older.”
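The geography, date and age rules above, applied to a flat record, as an added example (not code from the original article or from Accountable). The three-digit ZIP population figures, the field names and the sample record are all constructed; real prefix populations come from census data.

```python
from datetime import date

# Constructed sample: population of the area formed by all ZIP codes sharing a
# three-digit prefix. Real figures come from census data; these are made up.
ZIP3_POPULATION = {
    "021": 250_000,  # above 20,000: prefix may be retained
    "036": 12_000,   # below threshold: prefix must become "000"
}
ZIP3_THRESHOLD = 20_000  # Safe Harbor population floor for a retained prefix

DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn"}  # removed outright

def generalize_zip(zip_code: str, zip3_population=ZIP3_POPULATION) -> str:
    """Keep the first three digits only when that prefix area exceeds the
    threshold; otherwise return '000'. Unknown prefixes are treated as small."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())[:3]
    if len(digits) == 3 and zip3_population.get(digits, 0) > ZIP3_THRESHOLD:
        return digits
    return "000"

def generalize_date(d: date) -> int:
    """All date elements except year are identifiers; keep only the year."""
    return d.year

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single category '90 or older'."""
    return "90 or older" if age > 89 else str(age)

def safe_harbor_generalize(record: dict) -> dict:
    """Apply the Safe Harbor rules to one flat record (constructed schema)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely, never masked or hashed
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    return out

# Constructed sample record; no real PHI.
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "zip": "03601",
          "admission": date(2023, 5, 17), "age": 92, "diagnosis_code": "J18.9"}
```

Calling `safe_harbor_generalize(SAMPLE)` drops the name and SSN, turns the ZIP into `000` because the constructed prefix population is under 20,000, keeps only the admission year, and reports the age as "90 or older".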

Contact and Identification Numbers

Direct contact details

Telephone numbers, fax numbers, and email addresses uniquely identify people and must be removed. Even masked or partial values can enable linkage, so exclude them under Safe Harbor.

Governmental and institutional numbers

Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and certificate or license numbers are all identifiers. Do not keep a hashed or encrypted form of these values in a Safe Harbor dataset: a code derived from the original value is itself an identifier. Remove the value entirely.

Internet-based identifiers

Web URLs and IP addresses can directly or indirectly pinpoint a person, device, or household. Remove them, including embedded query strings that might expose usernames, booking IDs, or session tokens tied to Identifiable Health Information.

Biometric and Visual Identifiers

Biometric identifiers

HIPAA explicitly lists finger and voice prints, but you should treat other biometric modalities—such as retinal or iris scans, hand or face geometry—as sensitive in PHI de-identification. These measurements are inherently unique and persistent.

Photographic and comparable images

Full-face photographs and comparable images are identifiers. To use images, remove or obscure full-face and distinctive features that can reveal identity. Cropping or blurring must prevent recognition; also avoid backgrounds or metadata that could re-identify a person.

Unique Identifying Codes and Characteristics

Vehicles and devices

Vehicle identifiers and serial numbers—including license plates and VINs—must be removed. Device identifiers and serial numbers, from implantable devices to consumer wearables, are also prohibited in Safe Harbor datasets.

Other unique characteristics and codes

Catch-all identifiers include any unique number, characteristic, or code that could single out a person—distinctive tattoos, rare job titles in a small facility, or locally unique case numbers. If it can reasonably identify someone, treat it as PHI.

Permissible re-identification codes

HIPAA allows you to assign a code to re-link records internally if the code is not derived from individual information, is kept confidential, and the mapping is stored separately. Never disclose the algorithm or key publicly.
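The distinction the paragraph draws, a random code with a separately held mapping versus a code derived from the individual's own data, as an added example (not code from the original article or from Accountable). The `ReidentificationCodebook` class and the `derived_code` helper are assumptions for illustration; the in-memory dictionary stands in for a separately stored, access-controlled key store.

```python
import hashlib
import secrets

class ReidentificationCodebook:
    """Issues random re-identification codes and holds the confidential mapping.

    Codes come from a CSPRNG, so they are not derived from anything about the
    individual. This object stands in for the separately stored, access-controlled
    key store the text calls for (constructed example, not a real product API).
    """

    def __init__(self, code_bytes: int = 8):
        self._code_bytes = code_bytes
        self._code_to_key = {}  # the confidential mapping, kept apart from the dataset
        self._key_to_code = {}  # one stable code per record key

    def assign(self, record_key: str) -> str:
        """Return the code for a record key, minting a fresh random one if needed."""
        if record_key in self._key_to_code:
            return self._key_to_code[record_key]
        code = secrets.token_hex(self._code_bytes)
        while code in self._code_to_key:  # guard against the remote chance of a repeat
            code = secrets.token_hex(self._code_bytes)
        self._code_to_key[code] = record_key
        self._key_to_code[record_key] = code
        return code

    def reidentify(self, code: str) -> str:
        """Re-link internally; only a holder of the codebook can do this."""
        return self._code_to_key[code]

def derived_code(identifier: str) -> str:
    """A code computed from the identifier itself. Anyone holding the original
    value can recompute it, which is why such a code is 'derived' and does not
    qualify as a permissible re-identification code under Safe Harbor."""
    return hashlib.sha256(identifier.encode()).hexdigest()
```

Two separate codebooks assign different codes to the same record, whereas `derived_code` always yields the same output for the same input; that reproducibility is exactly what makes a derived code re-linkable by anyone who holds the original identifier.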

Conclusion

For Safe Harbor PHI de-identification, remove the 18 identifiers, generalize geography to state (with the ZIP code exception), restrict dates to year, and avoid any unique codes or images that can reveal identity. When Safe Harbor is impractical, use the Expert Determination pathway to meet HIPAA Compliance Standards while preserving data utility.

FAQs

What are the 18 HIPAA identifiers?

They are: names; sub-state geography (with a narrow ZIP exception); all date elements except year and any age over 89; phone; fax; email; SSN; medical record number; health plan number; account number; certificate/license number; vehicle identifiers (including plates); device identifiers; URLs; IP addresses; biometric identifiers (e.g., finger and voice prints); full-face photos or comparable images; and any other unique identifying number, characteristic, or code.

How is PHI protected under HIPAA?

The HIPAA Privacy Rule limits uses and disclosures, enforces the minimum necessary standard, and requires administrative, technical, and physical safeguards. For sharing or analysis, you must either remove the 18 identifiers (Safe Harbor) or obtain Expert Determination that the re-identification risk is very small.

Which identifiers require de-identification?

All 18 identifiers listed above must be removed for Safe Harbor de-identification. Also review free-text notes, images, and metadata, which often contain embedded identifiers or unique characteristics that could re-identify an individual.

What constitutes biometric identifiers under HIPAA?

Finger and voice prints are specifically named, and other biometric traits—such as retinal or iris scans, hand or face geometry—are typically treated as biometric identifiers in PHI contexts. Full-face photographs are handled as a separate identifier category and must also be removed.