How Many HIPAA Identifiers Are There for De-Identification? The Full List of 18
Overview of HIPAA Identifiers
Under the HIPAA Privacy Rule, the Safe Harbor method sets a de-identification standard for Protected Health Information (PHI). To treat data as de-identified, you must remove 18 listed data elements that could reasonably identify a person, and you must have no actual knowledge that the remaining data can identify someone. Expert Determination is an alternative path that relies on statistical risk assessment.
The full list of 18 HIPAA identifiers
- Names.
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except the initial three digits of a ZIP code if the aggregate area exceeds 20,000 people; otherwise replace with 000.
- All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 and related elements, except that such ages may be grouped as 90 or older.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP address numbers.
- Biometric identifiers, including finger- and voiceprints.
- Full-face photographic images and comparable images.
- Any other unique identifying number, characteristic, or code (except a non-derivable re-identification code permitted by the Privacy Rule).
Removing all 18 under Safe Harbor is a widely used route to health data privacy compliance. If your use case needs more detail (for example, precise dates or small-area geography), consider Expert Determination to document a very low risk of re-identification.
Geographic Data Restrictions
Geographic data narrower than a state is identifying. You must remove street addresses, cities, counties, precincts, full ZIP codes, and equivalent geocodes (such as latitude/longitude or census tracts). State-level geography is generally acceptable under Safe Harbor.
The only limited exception is the three-digit ZIP rule: you may keep the first three ZIP digits only when the combined population for that three-digit area exceeds 20,000; otherwise substitute 000. When in doubt, generalize location (for example, “state” or multi-state region) to preserve utility without compromising privacy.
Date Elements in PHI
All elements of dates directly tied to an individual are identifiers—month, day, and any finer granularity (for example, timestamps). Under Safe Harbor, you may retain the year only. This applies to birth dates, admissions, discharges, deaths, appointments, specimen collection times, and similar events.
Ages over 89 are also identifiers. To comply, aggregate them into a single “90 or older” category. For individuals 89 and younger, age in years is generally permissible; avoid sharing exact dates or detailed age breakdowns (for example, months or days) unless you use Expert Determination.
Contact Information Identifiers
Communication channels
Telephone numbers, fax numbers, and email addresses are HIPAA identifiers because they directly link back to a person. Scrub these values from structured fields and free text, and avoid partials (for example, last four digits) that could still enable matching.
Digital traces
Web URLs and IP addresses are also identifiers. URLs often embed names or account tokens, and IP addresses can connect activity to a household or device. Remove them or generalize (for example, “hospital website”) to meet the HIPAA Privacy Rule’s Safe Harbor Method.
Record and account identifiers
Medical record numbers and account numbers uniquely tag an individual within a provider or financial system and must be removed. Do not replace them with hashes derived from the original values; under Safe Harbor, re-identification codes cannot be derived from Identifiable Health Information.
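The geographic, date, age and record-number rules above can be applied to a structured record as follows. This is an added example, not code from the original page: the field names, the sample record and the ZIP3 population figures are constructed, and the study code is drawn at random rather than hashed from the MRN.

```python
import secrets
from datetime import date

# Constructed populations per 3-digit ZIP prefix (not real Census figures).
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000, "945": 800_000}
# Hypothetical field names for direct identifiers that are dropped outright.
DROP_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
               "ssn", "account_number", "url", "ip_address"}
# Constructed sample record; ZIP is a string so the leading zero survives.
SAMPLE = {"name": "Jane Example", "email": "jane@example.org", "zip": "03655",
          "age": 92, "birth_date": "1931-04-12", "mrn": "MRN-0012345",
          "admit_date": "2023-11-02T14:31:00", "diagnosis": "E11.9"}

def safe_zip3(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three ZIP digits only if that area exceeds 20,000 people."""
    prefix = str(zip_code)[:3]
    if len(prefix) == 3 and prefix.isdigit() and populations.get(prefix, 0) > 20_000:
        return prefix
    return "000"  # small or unknown areas are masked

def year_only(value):
    """Reduce an ISO date or timestamp string to its year."""
    return date.fromisoformat(str(value)[:10]).year

class CodeBook:
    """Random study codes; the MRN-to-code map stays with the data holder."""
    def __init__(self):
        self._codes = {}

    def code_for(self, mrn):
        if mrn not in self._codes:
            self._codes[mrn] = secrets.token_hex(8)  # random, not derived from the MRN
        return self._codes[mrn]

def deidentify(record, codebook):
    """Apply the ZIP3, year-only, 90-or-older and non-derived-code rules."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["zip3"] = safe_zip3(out.pop("zip", ""))
    age = out.pop("age")
    out["age"] = "90 or older" if age > 89 else age
    for field in ("birth_date", "admit_date", "discharge_date"):
        if field in out:
            out[field[:-5] + "_year"] = year_only(out.pop(field))
    if age > 89:
        out.pop("birth_year", None)  # a birth year would reveal an age over 89
    out["study_code"] = codebook.code_for(out.pop("mrn"))
    return out
```

Free-text fields are not scanned here; identifiers embedded in notes need separate scrubbing before release.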
Government Issued Numbers
Government-linked identifiers are highly sensitive. Remove Social Security numbers, health plan beneficiary numbers (for example, Medicare/Medicaid IDs), and certificate/license numbers such as driver’s licenses or professional licenses. Partial display (for example, last four) is not Safe Harbor unless validated through Expert Determination.
Related formal identifiers
Beyond government issuance, the rule also enumerates identifiers like medical record numbers and plan IDs because they enable direct linkage to a person. Treat all such numbers as out of scope for de-identified data releases to maintain health data privacy compliance.
Device and Vehicle Identifiers
Vehicle identifiers and serial numbers—including license plates—can pinpoint a specific person or household and must be removed. The same applies to device identifiers and serial numbers (for example, implantable device IDs, infusion pump serials, or mobile device IMEIs associated with an individual).
Even when a device seems generic, cross-referencing can re-identify an individual. To keep datasets useful, consider categorizing devices (for example, “insulin pump present: yes/no”) without retaining unique identifiers.
Biometric and Image Identifiers
HIPAA explicitly lists biometric identifiers such as finger- and voiceprints. Remove them, along with full-face photographic images and comparable images (for example, clear profile shots). Other distinctive physical traits that uniquely single out a person can also fall under the rule’s “other unique characteristics.”
For clinical images, mitigate risk by cropping faces and stripping embedded metadata. If facial or uniquely identifying features are essential for analysis, use Expert Determination to justify retention under a documented, very low re-identification risk.
Summary
There are 18 HIPAA identifiers. Safe Harbor de-identification removes them all and forbids using any code derived from the original PHI, while Expert Determination allows more data detail if the re-identification risk is demonstrably very low. Aligning your release with these de-identification standards preserves data utility and protects patient privacy.
FAQs
What is the purpose of HIPAA identifiers?
They define which data elements must be removed to turn identifiable health information into de-identified data under the HIPAA Privacy Rule. By consistently removing the listed PHI identifiers, you apply a clear, auditable standard (Safe Harbor) to protect individuals while enabling secondary use.
How does de-identification protect patient privacy?
It reduces the chance that data can be traced back to a person. Under Safe Harbor, you remove all 18 identifiers and avoid any derived re-identification codes; under Expert Determination, a qualified expert documents a very low re-identification risk. Either approach lowers linkage risk while keeping data useful.
Can ages over 89 be considered identifiers?
Yes. Ages over 89 and any related date elements are identifiers. To comply, group them into a single “90 or older” category when using the Safe Harbor Method.
What is included under biometric identifiers?
HIPAA explicitly includes finger- and voiceprints as biometric identifiers. Full-face photos are handled separately as image identifiers, and other unique biological or physical characteristics that can single out a person may also be restricted under the rule’s catch-all category.