HIPAA’s 18 Identifiers: The PHI Safe Harbor List Explained
The HIPAA Privacy Rule defines Protected Health Information (PHI) and outlines De-identification Standards that let you share data without compromising patient privacy. Under the Safe Harbor Method, PHI is no longer regulated once you remove 18 specific identifiers and have no actual knowledge that the remaining data could identify an individual. This guide explains those identifiers by category, how Safe Harbor works, and what covered entities should consider for compliance.
By understanding the identifiers and the choice between the Safe Harbor Method and the Expert Determination Method, you can reduce data re-identification risk while preserving data utility for operations, quality improvement, and research.
Names and Geographic Subdivisions
First, remove any names that could point to the individual or to their relatives, employers, or household members. This includes full names, nicknames, maiden names, and other variants that could reasonably identify a person.
- Names: Any personal name of the individual, relatives, employers, or household members.
- Geographic subdivisions smaller than a state: Street address, city, county, precinct, ZIP code, and comparable geocodes. The only exception is the initial three digits of a ZIP code if the combined area has more than 20,000 people; otherwise use 000 for those three digits.
Because location details strongly enable re-identification, also scan free text for embedded addresses or landmarks that could function as geocodes.
Dates and Contact Information
Remove all elements of dates (except year) for dates directly related to an individual, such as birth, admission, discharge, and death. Ages over 89 and any date elements (including year) that imply such ages must be aggregated into a single category of “90 or older.” When in doubt, generalize—keep only the year where permissible and redact finer granularity like month, day, and time.
- Telephone numbers
- Fax numbers
- Email addresses
These contact points often persist across systems and make linking to a specific person straightforward; removing them is essential under the HIPAA Privacy Rule.
Government and Account Numbers
Unique alphanumeric codes are powerful identifiers, particularly when reused across institutions. Eliminate these fields entirely rather than masking them, which can still allow linkage.
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers (e.g., billing, patient portal, or banking accounts)
- Certificate or license numbers (e.g., driver’s license, professional licenses)
If you must retain internal tracking, create a new random key that is not derived from any of these numbers and store the crosswalk separately with strict access controls.
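As an added illustration (not code from this article or from Accountable), the Python below issues tracking keys from a CSPRNG and keeps the crosswalk in a separate object, beside a contrast function that shows why a hash of the original number does not meet the "not derived" requirement; the class and function names are assumptions.

```python
import hashlib
import secrets

class ReidentificationCrosswalk:
    """Issue random tracking keys and hold the key -> identifier map apart from the dataset.

    Keys come from a CSPRNG, so nothing about the MRN, SSN or account number can be recovered
    from a key; only this crosswalk links back, and it belongs behind strict access controls.
    """

    def __init__(self):
        self._key_by_id = {}   # identifier -> key, so one patient keeps one key across releases
        self._id_by_key = {}   # key -> identifier: the restricted crosswalk itself

    def key_for(self, identifier: str) -> str:
        if identifier not in self._key_by_id:
            key = secrets.token_hex(16)  # 128 random bits, unrelated to the identifier
            self._key_by_id[identifier] = key
            self._id_by_key[key] = identifier
        return self._key_by_id[identifier]

    def reidentify(self, key: str) -> str:
        return self._id_by_key[key]

def derived_key(identifier: str) -> str:
    """Contrast case: a hash of the MRN is derived from it, so anyone holding the MRN can
    recompute the key and link records. That is the masking the article warns against."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:32]
```

Two crosswalk instances never agree on a key for the same MRN, whereas derived_key is recomputable by anyone who knows the MRN; that difference is the whole point of the separation.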
Vehicle and Device Identifiers
Vehicles and physical devices
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers (e.g., implanted device IDs, equipment serials)
Network and web identifiers
- Web URLs
- IP address numbers
Even without names, URLs and IPs often point to user accounts, facilities, or home networks. Treat logs and metadata with the same rigor you apply to clinical records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Biometric and Image Identifiers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
Biometrics are inherently unique and persistent. Images that show a full face—or that are otherwise comparable in their ability to identify a person—must be removed or obscured before sharing.
Safe Harbor De-identification Method
Under the Safe Harbor Method, data are de-identified when you: (1) remove all 18 identifiers about the individual and their relatives, household members, or employers, and (2) have no actual knowledge that the remaining information could identify the person alone or in combination with other data. When applying Safe Harbor, generalize ZIPs to the first three digits only where population thresholds are met and aggregate ages over 89 into “90 or older.”
Practical steps to apply Safe Harbor
- Inventory data elements and free-text fields; search for patterns like names, addresses, and dates.
- Remove or generalize the 18 identifiers, including in attachments and image metadata.
- Document decisions, exceptions (e.g., 3-digit ZIPs), and quality checks.
- Validate there is no residual, obvious identification risk before release.
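As an added example (not code from this article or from Accountable), the following Python applies the Safe Harbor removals and generalizations described above to one flat record and scrubs the commonest identifier patterns from a free-text note. The ZIP3 population table, the sample record and the field names are constructed assumptions; a real run needs the Census-derived population counts.

```python
import re
from datetime import date
# Constructed ZIP3 population counts (illustrative, not the Census figures a real run needs).
ZIP3_POPULATION = {"021": 650_000, "105": 12_000}
# Direct identifiers the Safe Harbor list says to drop outright.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "account_no"}
# Identifiers that commonly leak into free text; names and landmarks still need manual review.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   # SSN
    re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),  # US phone
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),             # email
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),              # M/D/Y date
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                    # ISO date
    re.compile(r"https?://\S+"),                             # URL
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),              # IPv4
]
# Constructed sample record, not real patient data.
SAMPLE_RECORD = {"name": "Jane Doe", "mrn": "MRN-000123", "zip": "02139", "dob": "1931-04-12", "age": 92,
                 "admit_date": "2023-03-15", "notes": "Pt called from 617-555-0123; f/u 04/02/2023 near Main St."}

def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits only if that combined area has >20,000 people; else 000."""
    prefix = zip_code.strip()[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age: int) -> str:
    """All ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else str(age)

def generalize_date(iso_date: str) -> str:
    return str(date.fromisoformat(iso_date).year)  # dates tied to the person keep only the year

def scrub_free_text(text: str) -> str:
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def safe_harbor(record: dict) -> dict:
    """Apply the Safe Harbor removals and generalizations to one flat patient record."""
    age = int(record["age"])
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["zip"] = generalize_zip(record["zip"])
    out["age"] = generalize_age(age)
    if "admit_date" in record:
        out["admit_date"] = generalize_date(record["admit_date"])
    if "dob" in record:  # a birth year alone would reveal an age over 89, so it goes too
        out["dob"] = None if age > 89 else generalize_date(record["dob"])
    if "notes" in record:
        out["notes"] = scrub_free_text(record["notes"])
    return out
```

The scrubbed note still reads "near Main St.", which is why the article pairs automated scanning with manual review of free text.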
Safe Harbor vs. Expert Determination
Choose the Expert Determination Method when you need to retain some detail that Safe Harbor would remove (for example, month of service). A qualified expert evaluates your dataset and certifies that the risk of re-identification is very small, while documenting the techniques and assumptions used. Both methods satisfy HIPAA’s De-identification Standards when properly executed.
Limitations and Compliance Considerations
Safe Harbor is a rules-based checklist, not a guarantee. Data re-identification risk can persist through linkage with external datasets, especially in small populations, rare events, or highly specific timelines. In such situations, add extra protections (further generalization, suppression, or Expert Determination) before sharing.
- The 18th identifier: Any other unique identifying number, characteristic, or code must be removed unless it is a compliant re-identification code created under HIPAA’s re-identification provision and stored separately.
- Governance: Maintain policies, workforce training, and Business Associate Agreements that reflect your chosen method and scope of data sharing.
- Data minimization: Share only the fields necessary for the stated purpose; avoid collecting or retaining identifiers you do not need.
- Quality assurance: Combine automated scanning (e.g., for dates, numbers, and addresses) with manual review of free text and images.
- Documentation: Keep clear records of your de-identification workflow, decisions, and periodic audits to support compliance.
Conclusion
The Safe Harbor Method operationalizes the HIPAA Privacy Rule by removing 18 identifiers so your dataset no longer constitutes PHI. Use it when a straightforward checklist suffices; use the Expert Determination Method when you need more detail with measured risk. In all cases, pair de-identification with robust governance to control residual risk and sustain compliance.
FAQs
What are the 18 HIPAA identifiers?
- Names
- Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP; only the first three ZIP digits may be used where the combined area has >20,000 people; otherwise use 000)
- All elements of dates (except year) for dates directly related to an individual, and all ages over 89 (aggregate to “90 or older”)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (e.g., finger and voice prints)
- Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code (except a compliant re-identification code)
How does the Safe Harbor method protect PHI?
It removes these 18 identifiers for the individual and related persons and requires that you have no actual knowledge the remaining data could identify someone. Once both conditions are met, the dataset is not PHI under HIPAA, allowing broader use and disclosure while maintaining privacy.
What are the risks of data re-identification?
Linkage attacks can combine your de-identified dataset with outside information (e.g., news reports, voter rolls, or public directories). Risks rise in small populations, rare conditions, or precise timelines. Reduce risk by further generalizing, suppressing small cells, sampling, and applying the Expert Determination Method when needed.
How often should the identifier list be reviewed?
The 18-identifier list is stable, but your de-identification process should be reviewed at least annually and whenever you change data sources, vendors, or release practices. Regular audits, retraining, and documentation help ensure your Safe Harbor or Expert Determination implementation remains compliant and effective.