HIPAA Identifiers to Be Removed (Safe Harbor): The 18-Item List for De‑Identification


Kevin Henry

HIPAA

February 09, 2024


HIPAA Safe Harbor Method Overview

The HIPAA Privacy Rule’s de-identification standard offers two paths: Expert Determination or the Safe Harbor method. This guide focuses on Safe Harbor, which requires removing 18 specific types of identifiers and confirming that you have no actual knowledge that the remaining data could identify an individual (including relatives, employers, or household members).

Safe Harbor is a practical data anonymization technique for health data privacy compliance. When you apply the HIPAA Safe Harbor criteria, remove the listed identifiers from structured fields, free text, images, headers, footers, and file metadata. You may keep an internal re-identification code if it is not derived from the individual’s information and you do not disclose it outside your organization.

Names and Geographic Subdivisions Removal

Remove all personal names associated with the record. This includes names of the individual, relatives, employers, and household members. Names are direct identifiers and must never remain in a Safe Harbor data set.

Remove all geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and equivalent geocodes (for example, latitude/longitude, census tracts). The only exception is the initial three digits of a ZIP code when the population of the corresponding three-digit area exceeds 20,000; otherwise, replace the three digits with 000. State and country may remain.

Date and Age De-Identification

Remove all elements of dates (except year) that are directly related to an individual. This includes birth date, admission date, discharge date, date of death, appointment timestamps, and any other time components such as month, day, and exact time. Retaining only the year satisfies the Safe Harbor requirement for dates.

Aggregate ages over 89 into a single category of “age 90 or older.” For individuals in this group, remove all elements of age (including the year) unless you present them only as “90+.” This reduces the risk of re-identification while meeting the de-identification standard.
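The ZIP, date, and age rules above can be applied to structured fields as follows. This is an added example, not code from the original article; the field names, the sample record, and the contents of `LOW_POPULATION_ZIP3` are assumptions made for illustration.

```python
from datetime import date

# Constructed sample: ZIP3 prefixes whose area holds 20,000 or fewer people.
# Build the real set from current Census data; these two entries are placeholders.
LOW_POPULATION_ZIP3 = {"036", "059"}

def generalize_zip(zip_code, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Return the first three ZIP digits, or "000" for sparse or malformed ZIPs."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) not in (5, 9):
        return "000"  # fail closed rather than pass through an unparsed value
    return "000" if digits[:3] in low_pop_zip3 else digits[:3]

def year_only(value):
    """Reduce a date, datetime, or ISO-8601 string to its year."""
    if isinstance(value, date):
        return value.year
    return date.fromisoformat(str(value)[:10]).year

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def safe_harbor_fields(record, as_of):
    """Build the output from an allow-list, so names and addresses never copy over."""
    birth = date.fromisoformat(record["birth_date"])
    over_89 = age_on(birth, as_of) > 89
    return {
        "state": record["state"],
        "zip3": generalize_zip(record["zip"]),
        "admission_year": year_only(record["admission_date"]),
        "age": "90+" if over_89 else age_on(birth, as_of),
        # A birth year would reveal the exact age of someone in the 90+ group.
        "birth_year": None if over_89 else birth.year,
    }

# Constructed record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "1 Main St", "city": "Sampletown",
    "state": "VT", "zip": "05901-1234",
    "birth_date": "1931-02-10", "admission_date": "2023-03-14T08:30:00",
}

if __name__ == "__main__":
    print(safe_harbor_fields(SAMPLE_RECORD, date(2023, 3, 14)))
```

Building the output from an allow-list of generalized fields means any column added to the source later is excluded until someone decides how to treat it.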

Contact Information Elimination

Eliminate direct contact channels that can link records back to a person. Remove:

  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Web URLs (Uniform Resource Locators).
  • IP addresses (Internet Protocol addresses).

These identifiers often persist in message bodies, signatures, log files, and document properties. Scrub both visible content and hidden metadata to meet HIPAA Safe Harbor criteria and ensure compliant PHI removal.
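One way to scrub the contact identifiers listed above from both body text and metadata fields, as an added example that is not part of the original article. The patterns are illustrative and not exhaustive (US-style phone and fax numbers, IPv4 only), and the document structure and sample values are constructed; names such as the one in the signature need separate handling.

```python
import re

# Illustrative patterns only; extend them for the formats your data actually contains.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"\b(?:https?://|www\.)[^\s<>]+", re.I),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
}
# Emails and URLs go first so digits inside them are not mistaken for phone numbers.
REDACTION_ORDER = ("email", "url", "ipv4", "phone_or_fax")

def scrub_text(text):
    """Replace each match with a typed placeholder; return (clean_text, counts)."""
    counts = {}
    for kind in REDACTION_ORDER:
        text, n = PATTERNS[kind].subn(f"[{kind.upper()} REMOVED]", text)
        if n:
            counts[kind] = n
    return text, counts

def scrub_document(node, findings, path=""):
    """Walk nested dicts and lists so metadata gets the same treatment as body text.

    Appends (path, kind, count) to findings for every field that held an identifier.
    """
    if isinstance(node, dict):
        return {k: scrub_document(v, findings, f"{path}/{k}") for k, v in node.items()}
    if isinstance(node, list):
        return [scrub_document(v, findings, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str):
        clean, counts = scrub_text(node)
        findings.extend((path, kind, n) for kind, n in counts.items())
        return clean
    return node

# Constructed sample document, not real patient data.
SAMPLE_DOC = {
    "body": "Pt called from (202) 555-0199; fax results to 202-555-0142. "
            "Portal: https://portal.example.org/u/8841",
    "signature": "Dr. A. Example <a.example@clinic.example>",
    "metadata": {"last_modified_by": "jdoe@clinic.example", "source_host": "10.20.30.40"},
}

if __name__ == "__main__":
    found = []
    print(scrub_document(SAMPLE_DOC, found))
    print(found)
```

The `findings` list records which field paths held identifiers, which shows whether leaks are coming from visible content or from metadata.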


Personal Identification Numbers Exclusion

Exclude financial, governmental, and clinical identifiers that uniquely tie a record to a person. Remove:

  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers (including financial or patient-portal accounts).
  • Certificate and license numbers (for example, driver’s licenses or professional licenses).

Check for these values in barcodes, QR codes, and attachments. If a number can be decoded back to a listed identifier, it must be removed to maintain health data privacy compliance.

Device and Vehicle Identifiers Removal

Strip identifiers that tie data to specific equipment or transportation assets. Remove:

  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers (for example, medical device UDIs or hardware serials in DICOM headers).

These values can uniquely single out a person’s device or vehicle usage, defeating de-identification if left in place.

Biometric and Photographic Data De-Identification

Remove identifiers that capture inherent physical or behavioral traits. This includes:

  • Biometric identifiers, including fingerprints and voiceprints (treat other biometric templates, such as retina/iris scans or hand geometry, as identifying as well).
  • Full-face photographic images and any comparable images (for example, frontal video frames that reveal the face).
  • Any other unique identifying number, characteristic, or code that could enable identification. You may maintain a non-derivative, internal re-identification code, but do not share it outside your organization.

Applied together, these unique identifier exclusions implement the Safe Harbor de-identification standard and support robust data anonymization techniques without compromising analytical utility.

FAQs

What are the 18 HIPAA identifiers to be removed?

The Safe Harbor list is:

  (1) Names
  (2) Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP, geocodes), with the three-digit ZIP exception when population exceeds 20,000
  (3) All elements of dates (except year) directly related to an individual, and ages over 89 aggregated to 90+
  (4) Telephone numbers
  (5) Fax numbers
  (6) Email addresses
  (7) Social Security numbers
  (8) Medical record numbers
  (9) Health plan beneficiary numbers
  (10) Account numbers
  (11) Certificate/license numbers
  (12) Vehicle identifiers and serial numbers, including license plates
  (13) Device identifiers and serial numbers
  (14) Web URLs
  (15) IP addresses
  (16) Biometric identifiers, including finger and voice prints
  (17) Full-face photos and comparable images
  (18) Any other unique identifying number, characteristic, or code

How does the Safe Harbor method ensure data privacy?

It operationalizes HIPAA’s de-identification standard by mandating removal of 18 direct identifiers and requiring you to have no actual knowledge that the remaining data could identify a person. When you also scrub free text and metadata, this PHI removal approach meets HIPAA Safe Harbor criteria while preserving useful, non-identifying information for secondary use.

Can ages over 89 be included in de-identified data?

Yes—represent them only as “age 90 or older.” Do not include the specific age, birth year, or other date elements for individuals older than 89, because those details increase re-identification risk.

What types of biometric identifiers must be removed under HIPAA?

At a minimum, remove fingerprints and voiceprints. In practice, treat other biometric templates (such as retina/iris scans, face geometry, hand geometry) as identifying. Also remove full-face photographs and comparable images, which are listed separately but function as direct identifiers.
