HIPAA’s Individually Identifiable Health Information (IIHI): What Counts, What Doesn’t, and How to De‑Identify It


Kevin Henry

HIPAA

January 24, 2024

7 minutes read

Definition of Individually Identifiable Health Information

Individually Identifiable Health Information (IIHI) is health-related data that can be linked to a specific person. Under the HIPAA Privacy Rule, IIHI is information created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care, or payment for care, and that either identifies the individual or gives a reasonable basis to believe it can be used to identify them.

When IIHI is created or received by a covered entity or business associate, it is Protected Health Information (PHI). Once properly de-identified, it becomes De-Identified Health Information and falls outside HIPAA’s use and disclosure restrictions, though other obligations (contracts or state laws) may still apply to health information privacy compliance.

What counts as IIHI

  • Direct identifiers such as names, Social Security numbers, medical record numbers, and contact details.
  • Indirect or quasi-identifiers that, in combination, could identify someone (for example, full dates of service, detailed geography, or rare conditions).
  • Demographic data tied to health context, including age, gender, and payer information, when it can reasonably identify a person.

What doesn’t count as IIHI

  • Information that has been de-identified using either the Safe Harbor method (removal of the Safe Harbor Identifiers) or the Expert Determination Method.
  • Aggregated statistics that do not permit identification of any individual.
  • Data expressly outside HIPAA’s scope (e.g., certain employment records or education records), though other laws may still apply.

Safe Harbor De-Identification Method

The Safe Harbor method removes a specific set of 18 identifier categories (the Safe Harbor Identifiers) relating to the individual or to the individual's relatives, employers, or household members, and requires that you have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. When performed correctly, the result is de-identified and no longer subject to the HIPAA Privacy Rule.

How to apply Safe Harbor

  1. Inventory the dataset and locate every field that can carry a direct identifier (names, numbers, photos), a quasi-identifier (sub-state geography, dates), or free text that may contain either.
  2. Remove or generalize each Safe Harbor Identifier. For geography, keep only the state, plus the first three digits of the ZIP code where that three-digit area holds more than 20,000 people; for dates directly related to the individual, keep only the year, and collapse ages over 89 into a single "90 or older" category.
  3. Confirm that you have no actual knowledge that the remaining information, alone or combined with other data available to the recipient, could identify the individual in your context of use and release.
  4. Document your steps and governance decisions so the de-identification can be evidenced later.

Nuances that matter

  • ZIP codes: You may retain only the first three digits, and only if all ZIP codes sharing those three digits together cover more than 20,000 people; otherwise replace the prefix with 000. HHS guidance lists the three-digit prefixes that fall at or below the threshold, derived from Census Bureau data.
  • Dates: Keep the year only for dates directly related to the individual (birth, admission, discharge, death). Ages over 89, and any date element (including a year) that would reveal such an age, must be aggregated as "age 90 or older."
  • Unique Identifying Codes: You may assign a re-identification code only if it is not derived from or related to information about the individual (a value computed from the MRN, SSN, or another field about the person is derived from it and does not qualify), cannot otherwise be translated back to the person's identity, is not used or disclosed for any other purpose, and the re-identification mechanism is kept separately and never disclosed.
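As an added example (not part of the original article and not Accountable's product code), here are the steps and nuances above applied to a constructed patient record in Python. The field names, the three-digit ZIP population table, the release date and the sample record are assumptions for illustration. The re-identification code is generated at random, so it is not derived from PHI, and the code-to-record mapping is written to a store the caller holds apart from the released data. Fields the schema does not recognise are withheld and listed for review rather than passed through, because free text is where stray identifiers usually survive.

```python
import secrets
from datetime import date

# Fields Safe Harbor strips outright: direct identifiers and sub-state geography.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "ip_address", "url", "vehicle_id", "device_serial",
    "biometric", "photo", "street", "city", "county",
}
# Dates directly related to the individual: only the year may survive.
INDIVIDUAL_DATES = {"dob", "admission_date", "discharge_date", "death_date"}
# Non-identifying fields passed through unchanged (allowlist; assumed schema).
PASS_THROUGH = {"state", "sex", "diagnosis", "procedure", "payer"}

# Constructed population table for three-digit ZIP areas (assumed figures, not
# Census data). In production use the prefixes HHS lists as 20,000 or fewer.
ZIP3_POPULATION = {"021": 1_500_000, "036": 18_000}
AS_OF = date(2024, 1, 24)  # assumed release date used to compute ages


def generalize_zip(zip_code, zip3_population):
    """Keep the first three digits only if that area exceeds 20,000 people."""
    zip3 = str(zip_code).strip()[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def age_on(dob, as_of):
    """Age in completed years on as_of, collapsed to '90+' above 89."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years > 89 else years


def safe_harbor(record, zip3_population, as_of, reid_store):
    """Return (de-identified record, fields withheld for review).

    reid_store is a mapping the caller keeps separately from the released
    data; the random code written into it is the only link back to the record.
    """
    out = {}
    needs_review = []
    age = age_on(record["dob"], as_of) if "dob" in record else None
    for field, value in record.items():
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field in INDIVIDUAL_DATES:
            # A birth year is itself indicative of age once the person is over 89.
            if field == "dob" and age == "90+":
                continue
            out[field.replace("_date", "") + "_year"] = value.year
        elif field in PASS_THROUGH:
            out[field] = value
        elif field in DIRECT_IDENTIFIERS:
            continue
        else:
            needs_review.append(field)  # unknown field (free text etc.): withhold
    if age is not None:
        out["age"] = age
    # Re-identification code: random, hence not derived from PHI; mapping kept apart.
    code = secrets.token_hex(8)
    reid_store[code] = record.get("mrn")
    out["reid_code"] = code
    return out, needs_review


SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane.doe@example.com", "street": "1 Main St", "city": "Boston",
    "state": "MA", "zip": "02115", "dob": date(1932, 3, 14),
    "admission_date": date(2023, 11, 2), "discharge_date": date(2023, 11, 9),
    "diagnosis": "I10", "notes": "Seen by Dr. Smith; lives beside the fire station",
}

if __name__ == "__main__":
    store = {}  # hold this apart from anything you release
    released, review = safe_harbor(SAMPLE_RECORD, ZIP3_POPULATION, AS_OF, store)
    print(released)   # state, zip3 '021', years only, age '90+', no birth year
    print("withheld for review:", review)  # ['notes']
```

The allowlist is deliberate: a denylist of known identifier fields silently passes anything the schema did not anticipate, and the "no actual knowledge" step in practice means a person has to look at whatever is left over, so the function surfaces those fields instead of releasing them.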

Expert Determination De-Identification Method

The Expert Determination Method uses a qualified expert to conclude, using accepted statistical and scientific principles, that the risk of re-identification is very small. The expert must document the methods and results, creating a defensible record of de-identification.


Typical expert techniques

  • Generalization and suppression of quasi-identifiers (e.g., age bands, state-level geography, broader time windows).
  • Perturbation or noise addition to reduce linkage risks while preserving analytic value.
  • Minimum cell-size rules and outlier treatment to mitigate identity disclosure in small groups.
  • Formal risk metrics and testing (e.g., k-anonymity–style assessments) suitable to your data and release context.
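As an added example, not from the original article, the following Python assesses k-anonymity over a constructed release table and applies the generalization, suppression and minimum-cell-size techniques listed above; the same `small_cells` check is the one to run on a results table before publication, as the researcher guidance later on this page recommends. The quasi-identifier columns, the two generalization functions and the rows are assumptions for illustration.

```python
from collections import Counter

# Quasi-identifiers: columns an outsider could match against other data sources.
QUASI_IDENTIFIERS = ("age_band", "sex", "zip3")


def _rows(n, **fields):
    return [dict(fields) for _ in range(n)]


# Constructed release table (not real patients): quasi-identifiers plus a diagnosis.
ROWS = (_rows(3, age_band="40-49", sex="F", zip3="021", dx="I10")
        + _rows(3, age_band="50-59", sex="M", zip3="021", dx="E11")
        + _rows(2, age_band="60-69", sex="F", zip3="021", dx="J45")
        + _rows(1, age_band="60-69", sex="F", zip3="024", dx="C50"))


def _key(row, qids):
    return tuple(row[q] for q in qids)


def equivalence_classes(rows, qids):
    """Count the records sharing each combination of quasi-identifier values."""
    return Counter(_key(r, qids) for r in rows)


def k_anonymity(rows, qids):
    """k = size of the smallest equivalence class (0 for an empty table)."""
    classes = equivalence_classes(rows, qids)
    return min(classes.values()) if classes else 0


def small_cells(rows, qids, k):
    """Cells below the minimum size: the check to run before publishing a table."""
    return {key: n for key, n in equivalence_classes(rows, qids).items() if n < k}


def suppress_small_cells(rows, qids, k):
    """Remove every record that sits in a cell smaller than k."""
    bad = small_cells(rows, qids, k)
    return [r for r in rows if _key(r, qids) not in bad]


def widen_age_band(band):
    """'40-49' -> '40-59': collapse ten-year bands into twenty-year bands."""
    lo = int(band.split("-")[0])
    lo -= lo % 20
    return f"{lo}-{lo + 19}"


# Generalization hierarchy, least lossy first (assumed for this example).
GENERALIZERS = [
    ("zip3", lambda z: z[:2]),     # coarser geography: keep two digits
    ("age_band", widen_age_band),
]


def k_anonymize(rows, qids, k, generalizers):
    """Generalize one quasi-identifier at a time until k is met, then suppress.

    Generalization keeps every record, so it is tried before suppression;
    suppression is the fallback for cells generalization cannot fix.
    """
    work = [dict(r) for r in rows]
    for field, fn in generalizers:
        if k_anonymity(work, qids) >= k:
            break
        work = [{**r, field: fn(r[field])} for r in work]
    return suppress_small_cells(work, qids, k)


if __name__ == "__main__":
    print("raw k =", k_anonymity(ROWS, QUASI_IDENTIFIERS))
    print("cells under 3:", small_cells(ROWS, QUASI_IDENTIFIERS, 3))
    kept = suppress_small_cells(ROWS, QUASI_IDENTIFIERS, 3)
    print("suppression alone keeps", len(kept), "of", len(ROWS), "rows")
    released = k_anonymize(ROWS, QUASI_IDENTIFIERS, 3, GENERALIZERS)
    print("generalize then suppress keeps", len(released),
          "rows at k =", k_anonymity(released, QUASI_IDENTIFIERS))
```

On this table suppression alone at k=3 discards the three records in the two small "60-69, F" cells, while coarsening ZIP3 first merges those cells and keeps all nine rows; at k=4 no generalization in the hierarchy reaches the target and suppression empties the table, which is the honest outcome when the data cannot support the release. k-anonymity guards identity disclosure only: a class whose members all share one diagnosis still reveals it, so an expert will also look at attribute disclosure.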

When to choose Expert Determination

  • You need to retain some detail (e.g., month of service or city-level location) that Safe Harbor would remove.
  • Your use case demands stronger utility while still achieving a very small re-identification risk under expert guidance.

List of Safe Harbor Identifiers

  • Names.
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalents), except the initial three digits of a ZIP code when the corresponding area includes more than 20,000 people; otherwise use 000.
  • All elements of dates (except year) for dates directly related to an individual (e.g., birth, admission, discharge, death), and all ages over 89 must be aggregated as “age 90 or older.”
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric Identifiers, including finger and voice prints.
  • Full-face photographs and any comparable images.
  • Any other unique identifying number, characteristic, or code, except a permitted re-identification code that is not derived from PHI and whose translation mechanism is not disclosed.

Regulatory Impact of De-Identification

Once information is de-identified under Safe Harbor or the Expert Determination Method, it is no longer PHI and HIPAA’s use and disclosure provisions do not apply. You can use, share, and analyze the data without HIPAA authorization, subject to other applicable laws, ethical commitments, and contracts.

De-identified data differs from a Limited Data Set, which still contains certain indirect identifiers (dates, city, state, ZIP code) and may be disclosed only for research, public health, or health care operations under a data use agreement. Maintain documentation of your de-identification approach to evidence HIPAA Privacy Rule compliance.

Governance and documentation

  • Retain a written attestation of Safe Harbor steps or the expert’s report for Expert Determination.
  • Control any re-identification keys separately, restrict access, and prohibit unauthorized re-identification attempts.

Use of De-Identified Information in Research

De-identified health information can generally be used or disclosed for research without individual authorization under HIPAA. Because identities cannot be readily ascertained, many projects using such data do not constitute human subjects research under institutional policies, though some organizations still require an administrative or IRB determination.

Practical guidance for researchers

  • Describe the de-identification method (Safe Harbor or Expert Determination) in study materials and data management plans.
  • Apply minimum cell-size rules in publications to avoid small counts that could re-identify participants.
  • Coordinate with data providers on permitted uses and publication review to prevent inadvertent disclosure.

Best Practices for De-Identification Compliance

  • Plan for privacy by design: define purpose, audience, and release channels before choosing a method.
  • Minimize data: share only the fields and rows needed for the task; consider aggregation where feasible.
  • Prefer Safe Harbor for standard disclosures; use the Expert Determination Method when analytic value requires more detail.
  • Mitigate linkage risk: generalize locations, bin ages, suppress small cells, and, under Expert Determination (Safe Harbor keeps only the year), shift dates by a consistent per-record offset so intervals survive.
  • Maintain governance: log transformations, access controls, retention limits, and any Unique Identifying Codes used for re-linkage.
  • Test and monitor: perform periodic re-identification risk assessments, especially after combining datasets or releasing updates.
  • Train teams: ensure staff understand Safe Harbor Identifiers, biometric identifiers, and obligations under the HIPAA Privacy Rule.

Summary

IIHI becomes de-identified—and leaves HIPAA’s scope—when you remove Safe Harbor Identifiers with no actual knowledge of identifiability, or when an expert determines the re-identification risk is very small. Choose the method that fits your use case, document your process, and apply strong governance to keep utility high and privacy risks low.

FAQs

What information qualifies as individually identifiable health information under HIPAA?

It is health-related information that can identify a person directly or indirectly. This includes data about health status, care provided, or payment that is linked to identifiers (like name, contact details, medical record number) or can reasonably identify someone when combined with other details.

How does the Safe Harbor de-identification method work?

You remove all Safe Harbor Identifiers (18 categories, including names, detailed geography, full dates except year, contact numbers, biometric identifiers, and more) and ensure you have no actual knowledge that the remaining data could identify an individual.

What is the Expert Determination method for de-identification?

A qualified expert applies statistical and scientific techniques to conclude that the risk of re-identification is very small for your specific data and context. The expert documents methods and results, and you retain that documentation to demonstrate compliance.

Can de-identified health information be used in research without authorization?

Yes. Once information is de-identified under HIPAA, it is no longer PHI and can typically be used or shared for research without individual authorization, subject to institutional policies, contracts, and any other applicable laws.
