HIPAA De‑Identification Requirements: Checklist of the 18 Identifiers to Remove

To share or analyze health data responsibly, you must remove identifiers that tie records to an individual. Under the HIPAA Privacy Rule’s De‑Identification Standards, the Safe Harbor Method requires stripping 18 specific identifiers from Protected Health Information (PHI) and ensuring you have no actual knowledge that the remaining data could identify a person. This guide gives you a practical, plain‑English checklist you can apply to your Data De‑Identification workflow.

Use the sections below to verify each category of Identifiable Health Data has been handled correctly. When in doubt, favor broader generalization and document your rationale to uphold Health Information Privacy.

Remove Personal Names

What to remove

• Names of the individual patient.
• Names of relatives, employers, and household members.
• Any part of a name that could identify someone (initials, maiden names, aliases, screen names that reveal identity).

How to handle it

• Replace names with a study ID or random code that is not derived from PHI.
• Store any re‑identification key separately with strict access controls.

Eliminate Geographic Subdivisions

What to remove

• All geographic details smaller than a state: street address, city, county, precinct, and equivalent geocodes.
• All ZIP codes, except the initial three digits when the combined area has more than 20,000 people; otherwise set the first three digits to 000.
• Geolocation data such as latitude/longitude, GPS traces, and precise facility locations tied to an individual encounter.

Acceptable alternatives

• State‑level location is generally permissible under the Safe Harbor Method.
• If you must keep some neighborhood context, use coarse regions that cannot reasonably single out a person.

Redact Dates Related to Individuals

What to remove

• All elements of dates directly related to the individual (e.g., birth, admission, discharge, death, appointment, specimen collection) except the year.
• Any finer time detail such as month, day, hour, minute, or time zone.
• Ages 90 and above (treated as a single “90 or older” category).

Acceptable alternatives

• Year‑only for event dates and age in years when under 90.
• For trending, consider multi‑year bins (e.g., 2019–2021) rather than month‑level timelines.

Exclude Contact Information

What to remove

• Telephone numbers.
• Fax numbers.
• Email addresses (personal or work).

Acceptable alternatives

• Route communications through a study coordinator or portal unlinked from the dataset.

Omit Unique Identification Numbers

What to remove

• Social Security numbers.
• Medical record numbers.
• Health plan beneficiary numbers.
• Account numbers (billing, patient portal, or financial accounts).
• Certificate and license numbers (professional, driver’s license, state IDs).

Acceptable alternatives

• Use randomly generated study keys not mathematically linked to original identifiers.

Remove Biometric and Photographic Identifiers

What to remove

• Biometric identifiers such as fingerprints, voiceprints, retinal/iris scans, and hand or face geometry templates.
• Full‑face photographs and any comparable images that could enable recognition.

Acceptable alternatives

• Use measurements or features only if they cannot be used to recognize an individual and an expert affirms very small re‑identification risk.
• When retaining images for clinical context, remove or obfuscate full‑face and uniquely identifying features before sharing.

Address Other Unique Identifying Characteristics

What to remove

• Vehicle identifiers and serial numbers, including license plates (e.g., VINs, registration IDs).
• Device identifiers and serial numbers (e.g., implant IDs, IMEI/serials for wearables or home devices).
• Web Universal Resource Locators (URLs) that point to personal profiles, portals, or shared files.
• Internet Protocol (IP) address numbers associated with an individual.
• Any other unique identifying number, characteristic, or code, except a re‑identification code created and managed under HIPAA’s re‑identification provisions.

Implementation tips

• Automate checks with a Safe Harbor Method ruleset, then perform a human review to confirm context does not inadvertently re‑identify someone.
• Document decisions to demonstrate adherence to the HIPAA Privacy Rule and your organization’s De‑Identification Standards.

Summary

Applying HIPAA De‑Identification Requirements means removing the 18 Safe Harbor identifiers and validating that the remaining dataset cannot reasonably identify a person. Combine automation with human oversight, prefer coarse generalization (state, year, 90+), and use non‑derivable study IDs. These practices protect Health Information Privacy while preserving analytic value.

FAQs.

What are the 18 HIPAA identifiers that must be removed for de-identification?

The Safe Harbor checklist requires removing: (1) Names; (2) All geographic subdivisions smaller than a state, including street address, city, county, precinct, and equivalent geocodes; (3) All elements of dates (except year) related to an individual, plus categorizing ages 90 and over as “90+”; (4) Telephone numbers; (5) Fax numbers; (6) Email addresses; (7) Social Security numbers; (8) Medical record numbers; (9) Health plan beneficiary numbers; (10) Account numbers; (11) Certificate/license numbers; (12) Vehicle identifiers and serial numbers, including license plate numbers; (13) Device identifiers and serial numbers; (14) Web URLs; (15) IP address numbers; (16) Biometric identifiers (e.g., fingerprints, voiceprints); (17) Full‑face photographs and comparable images; (18) Any other unique identifying number, characteristic, or code (except as allowed for re‑identification codes).

How does removing geographic subdivisions protect patient privacy?

Fine‑grained locations can uniquely pinpoint individuals—especially in rural areas or small neighborhoods. By limiting to state‑level data (and only using 3‑digit ZIPs when the population threshold is met), you reduce linkage risk from voter rolls, property records, or public maps, helping ensure de‑identified data cannot be traced back to a person.

Can biometric identifiers be used in de-identified health data?

Not under Safe Harbor. Biometric identifiers and full‑face images must be removed. In limited cases, transformed features that cannot enable recognition may be used if an expert determines the re‑identification risk is very small and documents the method, but raw or readily reversible biometrics are not permitted.

What is the difference between Safe Harbor and Expert Determination methods under HIPAA?

Safe Harbor is a rule‑based approach: remove the 18 identifiers and ensure you have no actual knowledge of re‑identification risk. Expert Determination is a risk‑based approach: a qualified expert applies statistical or scientific principles to conclude the risk is very small, documents the analysis, and may allow certain elements to remain in generalized or transformed form. Both satisfy the HIPAA Privacy Rule when applied correctly.