HIPAA Privacy Rule: The 18 Identifiers Explained with Compliance Examples


Kevin Henry

HIPAA

March 01, 2025

8 minutes read

Overview of the HIPAA Privacy Rule

The HIPAA Privacy Rule governs how covered entities and business associates use and disclose Protected Health Information (PHI). PHI is individually identifiable health information: data that relates to a person's past, present, or future health, the care provided, or payment for that care, and that identifies the person or could reasonably be used to identify them. Your goal is to use or share only what is necessary while protecting identities.

The rule permits certain uses and disclosures without authorization: treatment, payment, and healthcare operations, plus specific public interest activities such as public health reporting. For anything else, such as marketing or most research that lacks an IRB or Privacy Board waiver, you need a valid written authorization from the individual.

To enable data sharing with minimal privacy risk, the rule (45 CFR 164.514) offers two de-identification paths: the Safe Harbor method and the Expert Determination method. Properly de-identified data is no longer PHI and falls outside the rule's use and disclosure restrictions.

Detailed List of the 18 Identifiers

Under the Safe Harbor de-identification standard, you must remove these 18 identifiers for the individual and for relatives, employers, or household members:

  1. Names.
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code, and equivalent geocodes. You may keep the first three digits of a ZIP code only when the combined area has more than 20,000 people; otherwise replace the first three digits with 000.
  3. All elements of dates (except year) directly related to an individual, such as birth date, admission and discharge dates, and date of death; plus all ages over 89 and all related date elements (including year), which must be aggregated into a single category of “age 90 or older.”
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate and license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers, including fingerprints and voiceprints (iris and retinal scans and other biometric templates belong here as well).
  17. Full-face photographic images and any comparable images, such as frontal clinical photographs; do not retain these in a de-identified dataset.
  18. Any other unique identifying number, characteristic, or code. The one exception is a re-identification code that is not derived from or related to information about the individual, cannot otherwise be translated to identify them, and whose mapping is kept internally and never disclosed.

Scrutinize free-text fields, images, and PDFs for hidden identifiers. Even when the 18 items are removed, you must not have actual knowledge that remaining data could identify an individual alone or in combination with other information.

Safe Harbor De-identification Method

Safe Harbor de-identification has two requirements: remove all 18 identifiers and ensure you have no actual knowledge that the remaining information could identify the person. This is a rules-based pathway that is fast to operationalize when data elements are well understood.

Practical steps

  • Inventory your data and map each field to the 18 identifiers; flag high-risk free-text and image fields.
  • Apply transformations: generalize dates to year, aggregate ages over 89 to a 90+ bucket, and use the ZIP code three-digit rule with the 20,000-person threshold.
  • Strip direct identifiers rather than hashing them: a keyless hash of an SSN or MRN is derived from PHI, and an input space as small as SSNs is cheap to brute-force. If you need a re-identification key, assign a random surrogate, store the mapping separately from the released data, and tightly restrict access to it.
  • Validate outputs through sampling, automated pattern checks (e.g., phone, SSN, IP formats), and manual review of notes.
  • Document your procedure and keep a change log for ongoing data releases.
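The steps above, as an added example that is not code from the original article or from the vendor it describes: a minimal Safe Harbor pass over one flat patient record (ZIP three-digit rule with the 20,000-person threshold, year-only dates, the 90+ age band, and dropping rather than hashing direct identifiers), followed by the regex scan for identifier formats that survive in free text. The ZIP-prefix population table and the sample record are constructed for illustration; a real pipeline loads prefix populations from current Census data.

```python
import re
from datetime import date

# Constructed lookup: population of the area covered by each 3-digit ZIP prefix.
# Real values must come from current Census data; these two are illustrative.
ZIP3_POPULATION = {
    "021": 1_500_000,  # large metro prefix: keeping "021" is allowed
    "036": 12_000,     # under the 20,000-person threshold: must become "000"
}

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if the combined area for that prefix
    has more than 20,000 people; otherwise return "000". Unknown prefixes are
    treated as small (fail closed)."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def age_band(birth, as_of):
    """Ages over 89 collapse into the single category "90+"."""
    age = age_on(birth, as_of)
    return "90+" if age > 89 else age

# Regexes for identifier formats that commonly leak into free text. Names and
# rare events have no regular shape: they need NLP plus human review.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scan_text(text):
    """Map each pattern name to the strings it matched; an empty dict means clean."""
    return {name: rx.findall(text) for name, rx in PATTERNS.items() if rx.search(text)}

def redact_text(text):
    for rx in PATTERNS.values():
        text = rx.sub("[REDACTED]", text)
    return text

def safe_harbor(record, as_of):
    """Produce a Safe Harbor view of one flat record. Direct identifiers are
    dropped, not hashed: a keyless hash of an SSN or MRN is derived from PHI
    and, for a space as small as SSNs, is cheap to brute-force."""
    band = age_band(record["dob"], as_of)
    notes = redact_text(record.get("notes", ""))
    return {
        "state": record["state"],
        "zip3": generalize_zip(record["zip"]),
        "age": band,
        # For "90+" the year of birth itself reveals the age, so it goes too.
        "year_of_birth": None if band == "90+" else record["dob"].year,
        "admit_year": record["admit"].year,
        "notes": notes,
        "residual_flags": scan_text(notes),  # must be empty before release
    }

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Doe",
    "mrn": "MRN-00123",
    "ssn": "123-45-6789",
    "dob": date(1931, 3, 15),
    "admit": date(2024, 5, 2),
    "zip": "03601",
    "state": "NH",
    "notes": "Pt called from 603-555-0199; email jane.doe@example.com. Seen 05/02/2024.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, date(2024, 5, 2)))
```

The scan is a gate, not the redaction strategy: it catches formats (phone, SSN, IP, URL, date) and nothing else, so a non-empty `residual_flags` blocks release, while an empty one still leaves the NLP and manual review of names and rare events to do.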

Common pitfalls to avoid

  • Leaving identifiers in headers, footers, filenames, DICOM tags, or image metadata.
  • Revealing small geographic or temporal details that enable triangulation (e.g., rare procedures on specific days in small towns).
  • Overlooking narrative notes that contain names, addresses, or unique events.

Expert Determination Method

Expert Determination relies on a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods, who determines that the risk is very small that the information, alone or combined with other reasonably available information, could be used by an anticipated recipient to identify an individual. The expert documents the methods, assumptions, and risk threshold used.


How it works

  • Risk assessment: quantify how likely it is that an attacker could match the dataset to an individual using available auxiliary data.
  • Privacy transformations: apply techniques such as k-anonymity, l-diversity, t-closeness, differential privacy noise, or cell suppression to reduce risk while preserving utility.
  • Testing and simulation: measure re-identification risk under plausible attacker models and data linkages.
  • Documentation: produce a formal opinion, describe controls, set a release scope, and define monitoring or refresh intervals.
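As an added example of the privacy transformations and risk measurement listed above (not code from the original article or from the vendor it describes): k-anonymity and l-diversity computed over a chosen set of quasi-identifiers, generalization of birth year to a decade, and cell suppression of the classes that remain too small. The rows, the quasi-identifier set, and the choice of `k` are constructed for illustration; an expert would pick and justify these against the anticipated recipient and available linkage data.

```python
from collections import defaultdict

QUASI = ("zip3", "year_of_birth", "sex")  # attributes an attacker could learn from outside data

RECORDS = [  # constructed rows, not real data
    {"zip3": "021", "year_of_birth": 1950, "sex": "F", "diagnosis": "A"},
    {"zip3": "021", "year_of_birth": 1950, "sex": "F", "diagnosis": "B"},
    {"zip3": "021", "year_of_birth": 1950, "sex": "F", "diagnosis": "C"},
    {"zip3": "021", "year_of_birth": 1985, "sex": "M", "diagnosis": "A"},
    {"zip3": "021", "year_of_birth": 1988, "sex": "M", "diagnosis": "C"},
    {"zip3": "036", "year_of_birth": 1972, "sex": "M", "diagnosis": "B"},
]

def _key(record, quasi):
    return tuple(record[q] for q in quasi)

def equivalence_classes(records, quasi=QUASI):
    """Group rows that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[_key(r, quasi)].append(r)
    return classes

def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class. An attacker who knows a target's
    quasi-identifiers can do no better than guessing among k rows."""
    classes = equivalence_classes(records, quasi)
    return min(len(rows) for rows in classes.values()) if classes else 0

def l_diversity(records, sensitive, quasi=QUASI):
    """Minimum number of distinct sensitive values within any class; with
    l == 1 the attacker learns the sensitive value without picking a row."""
    classes = equivalence_classes(records, quasi)
    return min(len({r[sensitive] for r in rows}) for rows in classes.values()) if classes else 0

def suppress_small_classes(records, k, quasi=QUASI):
    """Cell suppression: drop every row in a class smaller than k.
    Returns (kept_rows, suppressed_count)."""
    classes = equivalence_classes(records, quasi)
    kept = [r for r in records if len(classes[_key(r, quasi)]) >= k]
    return kept, len(records) - len(kept)

def generalize_birth_year(records, bucket=10):
    """Generalization: coarsen year_of_birth to a decade so near-unique rows merge."""
    out = []
    for r in records:
        r = dict(r)
        r["year_of_birth"] = (r["year_of_birth"] // bucket) * bucket
        out.append(r)
    return out

def release(records, k, sensitive="diagnosis", quasi=QUASI):
    """Generalize first, suppress what is still below k, and report the metrics
    an expert would document alongside the release."""
    kept, dropped = suppress_small_classes(generalize_birth_year(records), k, quasi)
    return {
        "rows": kept,
        "suppressed": dropped,
        "k": k_anonymity(kept, quasi),
        "l": l_diversity(kept, sensitive, quasi),
        "max_reid_probability": 1 / k_anonymity(kept, quasi) if kept else 0.0,
    }

if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))
    print(release(RECORDS, k=2))
```

On these rows, suppressing straight to k = 2 throws away three of six records, while generalizing the birth year first merges the two 1980s males and leaves only one row to suppress. That utility-versus-risk trade-off, and the residual 1/k match probability, is what the expert's opinion records.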

When to choose Expert Determination

  • You need to retain some quasi-identifiers (e.g., month-level dates or three-digit ZIPs in sparse regions) for analytic value.
  • You have complex modalities (e.g., imaging, wearables, genomics) where strict Safe Harbor removal would destroy utility.
  • You need an ongoing governance program for repeated data releases with consistent risk thresholds.

Practical Compliance Examples

Quality improvement dashboard

You remove names, full addresses, contact details, and all sub-year dates, and roll up ages 90+ to a single band. You keep year of service and state only. This satisfies Safe Harbor de-identification and enables trend analysis.

Research dataset with richer geography

You need month of service and county-level geography. An expert quantifies risk, groups sparse counties, and adds mild noise to dates. The Expert Determination opinion documents the “very small” residual risk and conditions of release.

Imaging repository

You strip identifying DICOM tags (patient name, ID, birth date, institution, and device serial fields) and check for burned-in text in the pixel data, exclude full-face and comparable images such as frontal facial scans, and blur incidental faces in clinical photos. Internal study IDs are replaced with non-derivable codes whose mapping to the original record is stored separately.

Wearable device logs

IP addresses, URLs, and device identifiers are removed. Timestamps are generalized to day and then shifted by a per-subject offset drawn uniformly from a defined window, which preserves intervals within a subject while breaking absolute dates. Because Safe Harbor permits only the year of a date, a shifted day-level timestamp is still a derivative of an identifier and needs Expert Determination support. Notes are scanned to redact names and addresses before release.
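The per-subject date shift described above, as an added example that is not code from the original article or from the vendor it describes. It draws one offset per subject from a window (the 365-day default and the injectable `randbelow` parameter are assumptions for this example), generalizes each timestamp to the day, and shifts it, so gaps between a subject's own events survive while absolute dates do not. The log lines are constructed.

```python
import secrets
from datetime import datetime, timedelta

class DateShifter:
    """One random offset per subject, drawn uniformly from
    [-window_days, +window_days]. Timestamps are generalized to the day and
    then shifted, so intervals within a subject are preserved exactly."""

    def __init__(self, window_days=365, randbelow=secrets.randbelow):
        self.window_days = window_days      # assumed default; set per release
        self._randbelow = randbelow         # injectable for deterministic tests
        # subject -> offset. Keep this map with the re-identification key,
        # under the same access controls; it never ships with the release.
        self._offsets = {}

    def offset_for(self, subject):
        if subject not in self._offsets:
            span = 2 * self.window_days + 1
            days = self._randbelow(span) - self.window_days
            self._offsets[subject] = timedelta(days=days)
        return self._offsets[subject]

    def shift(self, subject, ts):
        day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        return day + self.offset_for(subject)

SAMPLE_LOG = [  # constructed: (subject, timestamp, heart rate)
    ("S1", datetime(2024, 5, 2, 8, 15), 72),
    ("S1", datetime(2024, 5, 9, 21, 40), 65),
    ("S2", datetime(2024, 5, 2, 8, 15), 80),
]

def shift_log(log, shifter):
    """Return the log with every timestamp shifted by its subject's offset.
    Subject IDs would be swapped for non-derivable study codes in the same pass."""
    return [(subject, shifter.shift(subject, ts), value) for subject, ts, value in log]

if __name__ == "__main__":
    for row in shift_log(SAMPLE_LOG, DateShifter()):
        print(row)
```

Two subjects with the same original timestamp end up on different days, which is the point: a known admission date no longer links to a row. The offset map, like any re-identification key, is the thing to protect or destroy.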

Free-text note redaction

Automated NLP flags personal names, locations, and dates, followed by human review for accuracy. Notes retain clinical content but exclude Safe Harbor identifiers and any rare events that could re-identify a patient.

Limited Data Set for public health

When de-identification is not feasible, you create a Limited Data Set (still PHI) with a Data Use Agreement. You may keep dates and city, state, and ZIP code while removing direct identifiers. Access and purpose are contractually restricted.

Importance of Patient Authorization

When a use or disclosure is not otherwise permitted, you must obtain a valid authorization. A valid authorization is written in plain language and signed and dated by the individual (or personal representative), and it describes the information to be used or disclosed, who may disclose it, who will receive it, the purpose, and an expiration date or event. It must also state the individual's right to revoke and warn that information may no longer be protected by the rule once the recipient holds it.

Authorization is typically required for marketing, sale of PHI, many research activities without an IRB or Privacy Board waiver, and most uses or disclosures of psychotherapy notes. Individuals can revoke authorization in writing, and you must honor the revocation for future uses or disclosures, except to the extent you have already acted in reliance on it.

Authorization is not required for treatment, payment, operations, certain public health and oversight activities, and disclosures required by law. Apply the minimum necessary standard whenever it applies.

Enforcement and Penalties

The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through complaints, investigations, and audits. Outcomes can include corrective action plans, resolution agreements, and civil monetary penalties that scale by culpability and are adjusted periodically.

Willful neglect, failure to implement safeguards, or repeated noncompliance increases exposure. Criminal penalties may apply for knowing wrongful disclosures. Business associates are directly liable, and contracts should clearly assign responsibilities and breach reporting duties.

Strong governance—policies, workforce training, risk assessments, and auditable processes for de-identification—reduces risk and demonstrates due diligence if OCR investigates.

FAQs

What are the 18 HIPAA identifiers?

They are the specific data elements that must be removed for Safe Harbor de-identification: names; sub-state geography (with the three-digit ZIP/20,000-person rule); all date elements except year and ages over 89 (aggregated to 90+); phone, fax, and email; SSN; medical record, health plan, account, and certificate/license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face and comparable images; and any other unique identifying number, characteristic, or code (excluding permitted internal re-identification codes).

How does the Safe Harbor method ensure de-identification?

It requires removing all 18 identifiers and confirming you have no actual knowledge that remaining data could identify an individual. You standardize transformations (e.g., year-only dates, 90+ age band), scrub free text and metadata, and document your process to consistently meet the rule’s criteria.

When is patient authorization required under HIPAA?

You need authorization when a use or disclosure is not otherwise permitted by the rule—common examples include marketing, sale of PHI, psychotherapy notes, and many research uses without a waiver. A valid authorization must be specific, time-limited, signed, and revocable.

What are examples of compliant data redaction?

Examples include replacing names with non-derivable study IDs, removing full addresses while keeping state, converting full dates to year, aggregating ages 90+ into one category, deleting URLs and IP addresses from device logs, and excluding full-face images or other biometric identifiers from datasets.
