Is Age a HIPAA Identifier? The 89+ Exception and What Counts as PHI
Age sits in a gray area under HIPAA. On its own, it is not always a direct identifier, but it can contribute to Identifiable Health Information when combined with other details. This guide explains the 89+ exception, clarifies what counts as Protected Health Information (PHI), and shows you how to handle age data to protect patient privacy while preserving analytic value.
Age as a HIPAA Identifier
Age by itself (for individuals younger than 90) is not one of HIPAA’s 18 direct identifiers. However, when age is linked to clinical details by a covered entity, it becomes part of PHI because it can help identify a person in context. In other words, age is a quasi-identifier: harmless alone, but risky in combination with other data elements.
For de-identified data using HIPAA’s Safe Harbor method, you may report age in years for people ages 0–89. The treatment changes for very old individuals due to higher re-identification risk; that special rule is often called the “89+ exception,” and it is explained next.
The 89+ Exception in HIPAA
The “89+ exception” refers to HIPAA’s rule that ages over 89 must be masked in de-identified datasets. Practically, anyone who is 90 or older must be reported in a single category labeled “90 or older.” Importantly, age 89 is not subject to this rule; the cutoff is strictly 90+.
What the rule requires
- Recode all ages 90 and above to “90 or older.”
- Do not include the year of birth or any Date Elements that would reveal a precise age over 89.
- Ensure derived fields (for example, “age at visit”) also respect the 90+ aggregation.
Why this matters: individuals in their nineties and above are rarer, and their exact ages can make them uniquely identifiable. Aggregating protects patient privacy without discarding the group’s analytic signal. Under Expert Determination (a separate de-identification route), an expert may allow alternate handling if the re-identification risk is demonstrably very small.
Definition of Protected Health Information
PHI is health information that: (1) is created or received by a covered entity or its business associate, (2) relates to an individual’s health, care, or payment for care, and (3) identifies the individual or could reasonably be used to identify them. When those conditions are met, demographic details such as age, certain Date Elements, and location are part of the PHI package.
Examples
- A clinic record containing a diagnosis and the patient’s age is PHI because the covered entity maintains it and it can identify the person in context.
- Age alone, outside a healthcare context and without linkage to an individual, is not PHI; but the same age inside a medical record is PHI.
HIPAA Identifiers and Their Scope
HIPAA’s Safe Harbor lists 18 identifiers that must be removed to treat data as de-identified. Key categories include:
- Names.
- Geographic subdivisions smaller than a state (with limited ZIP code exceptions), and precise street addresses.
- All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death dates), and all ages over 89 and elements of such ages; report as “90 or older.”
- Telephone and fax numbers, and email addresses.
- Social Security, medical record, health plan beneficiary, and account numbers.
- Certificate/license numbers.
- Vehicle and device identifiers/serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (for example, fingerprints, voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Together, these items define the scope of what must be removed under Safe Harbor. Age under 90 may remain as a general demographic variable; age 90+ must be aggregated.
De-Identification of PHI
Two HIPAA-compliant methods
- Safe Harbor: remove all 18 identifiers. Keep only the year for Date Elements, and aggregate ages 90+ to “90 or older.”
- Expert Determination: a qualified expert documents that the risk of re-identification is very small, allowing flexible transformations beyond Safe Harbor when justified.
Limited Data Set (not de-identified)
A Limited Data Set remains PHI but excludes direct identifiers (for example, names, full addresses, contact numbers). It may retain certain Date Elements and broader geography for research, public health, or operations under a Data Use Agreement. Because it is not fully de-identified, it is not for public release. The 90+ aggregation requirement is part of Safe Harbor; for a Limited Data Set, your Data Use Agreement and risk controls govern how you handle very old ages.
Whichever route you choose, align your Health Information De-Identification strategy with patient privacy goals and the minimum necessary standard.
Aggregation of Ages Over 89
Age Aggregation Standards in practice
- Always include a “90 or older” bucket for Safe Harbor de-identification.
- Use analytically meaningful brackets (for example, 0–17, 18–44, 45–64, 65–74, 75–84, 85–89, 90+) to preserve trends while protecting identity.
- For time-based analyses, compute age at a defined reference date; then apply the 90+ rule consistently.
Implementation tips
- Strip month and day from Date Elements (keep only the year) when using Safe Harbor; remove year-of-birth for anyone whose calculated age is 90+.
- Re-check downstream fields (for example, ages embedded in notes or filenames) to prevent leakage.
- For Limited Data Sets, document how you treat advanced ages in the Data Use Agreement even if full aggregation is not required.
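The age and date handling described in this section, combined into one pass as an added Python example (not part of the original guide). It covers only age and date fields, not the other Safe Harbor identifiers; the record field names, the free-text pattern and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import date

TOP_CODE = "90 or older"
BRACKETS = [(0, 17), (18, 44), (45, 64), (65, 74), (75, 84), (85, 89)]
# Heuristic for ages written in notes ("age 93", "93-year-old", "93 y/o"); not exhaustive.
AGE_IN_TEXT = re.compile(
    r"\baged?\s+(?P<n1>\d{2,3})\b|\b(?P<n2>\d{2,3})[- ]?(?:years?[- ]old|y/?o)\b", re.I)

def age_on(birth, ref):
    """Completed years of age on the reference date."""
    if ref < birth:
        raise ValueError("reference date precedes birth date")
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))

def bracket(age):
    """Map an age to the reporting brackets, with 90+ as the top bucket."""
    if age >= 90:
        return "90+"
    return next(f"{lo}-{hi}" for lo, hi in BRACKETS if lo <= age <= hi)

def scrub_note(text):
    """Mask explicit ages of 90 or more that leak through free text."""
    def mask(m):
        n = int(m.group("n1") or m.group("n2"))
        return f"[{TOP_CODE}]" if n >= 90 else m.group(0)
    return AGE_IN_TEXT.sub(mask, text)

def deidentify(rec, ref):
    """Apply the Safe Harbor age and date handling to one record."""
    age = age_on(rec["birth_date"], ref)
    old = age >= 90
    return {
        "age": TOP_CODE if old else age,
        "age_bracket": bracket(age),
        "birth_year": None if old else rec["birth_date"].year,  # year would reveal 90+
        "admit_year": rec["admit_date"].year,                   # month and day dropped
        "note": scrub_note(rec["note"]),
    }

REF = date(2026, 1, 1)  # constructed reference date
SAMPLE = [  # constructed records, not real patient data
    {"birth_date": date(1936, 1, 2), "admit_date": date(2025, 11, 3),
     "note": "89-year-old male, stable."},
    {"birth_date": date(1936, 1, 1), "admit_date": date(2025, 12, 30),
     "note": "Pt age 90, lives with 62 y/o daughter."},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(deidentify(r, REF))
```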
Conclusion
Age under 90 can remain as a general demographic in de-identified data; age 90+ must be grouped as “90 or older.” Keep only permissible Date Elements, decide between Safe Harbor, Expert Determination, or a Limited Data Set, and apply consistent controls so your analytics respect both accuracy and patient privacy.
FAQs
Is age always considered a HIPAA identifier?
No. Age under 90 is not one of the 18 direct identifiers. However, when a covered entity links age to health details, it becomes part of PHI, and in combination with other fields it can help identify a person. For de-identified data, ages 0–89 may be shown in years; ages 90+ are treated differently.
What is the 89+ exception under HIPAA?
It is the rule that in de-identified datasets, everyone age 90 or older must be reported as “90 or older,” and you must not include the year of birth or other Date Elements that would reveal a precise age above 89. Age 89 is not included in this requirement.
How is age data de-identified in compliance with HIPAA?
Under Safe Harbor, remove all 18 identifiers, keep only year for Date Elements, and recode any age 90+ to “90 or older.” Under Expert Determination, an expert may approve alternative handling if the re-identification risk is very small. In a Limited Data Set (which is still PHI), treatment of age is governed by the Data Use Agreement.
What information qualifies as Protected Health Information (PHI)?
PHI is individually identifiable health information held by a covered entity or its business associate that relates to health status, care, or payment. It includes clinical data plus identifiers and certain demographics (like Date Elements and geography) that could reasonably identify an individual.