Is Age a HIPAA Identifier? Yes—For Ages Over 89 (Plus the Full List of 18 Identifiers)
Understanding HIPAA Protected Health Information
Protected Health Information (PHI) is any health-related data created or received by a covered entity or business associate that can reasonably identify a person. Identification can be direct (for example, a name) or indirect through combinations of data points.
The HIPAA Privacy Rule sets the conditions for using, disclosing, and de-identifying PHI. When you remove certain identifiers or otherwise reduce re-identification risk, the data may be considered de-identified and used more freely for analytics, research, and operations.
Identifying the 18 HIPAA Identifiers
Under the Safe Harbor method, you must remove these 18 identifiers from a dataset for it to be considered de-identified:
- Names.
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and geocodes). Note: the first three digits of a ZIP code may be used only when the combined area has more than 20,000 people; otherwise use 000.
- All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 and any date elements (including year) indicative of such age.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers, including finger and voice prints.
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code (except a permitted internal re-identification code that is not derived from personal data and is not disclosed).
Age as a HIPAA Identifier
Age is special under HIPAA’s de-identification standards. Ages 0–89 are not, by themselves, identifiers and may remain as precise integers in a de-identified dataset. However, any age over 89 is an identifier and must not be shown as a specific value.
For individuals aged 90 and above, you must replace the exact age with an aggregate category such as “90 or older.” This rule also affects related date elements for those individuals, because even the year can be revealing when someone is over 89.
Practical examples
- Allowed: “Age 76.”
- Not allowed: “Age 92.” Use “90 or older.”
- Not allowed: “Born May 5” (month and day are identifiers). Use “born in 1949” if under 90, and for 90+ do not reveal the birth year.
HIPAA Date Elements
Date elements are heavily regulated because they can pinpoint identity. For data directly related to an individual—such as birth date, admission date, discharge date, procedure date, death date, or date of service—you must remove all parts of the date except the year.
There is one critical exception: for individuals older than 89, even the year associated with those dates is considered identifying. In that case, do not disclose the year; instead, use “90 or older” and ensure no related date reveals age indirectly.
Dates you may keep vs. remove
- Keep: Year only (for individuals 89 or younger) for relevant events, e.g., “admitted in 2024.”
- Remove: Month, day, and any finer time units (e.g., timestamps) for all individuals.
- Remove for 90+: Any year that would indicate age or specific event timing tied to the person.
When using a Limited Data Set under a Data Use Agreement, certain date elements may be retained, but the dataset still cannot include direct identifiers like names, full addresses, or contact numbers.
De-identification Standards
HIPAA recognizes two de-identification standards. The Safe Harbor method removes the 18 identifiers listed above (including age aggregation for 90+ and the ZIP code rule). If all are removed and the covered entity has no actual knowledge that the remaining information could be used to identify an individual, the data qualifies as de-identified.
The Expert Determination method uses a qualified expert to analyze and document that the risk of re-identification is very small, given the data, context, and safeguards. This path can preserve more utility (for example, keeping certain dates or granular geographies) but requires formal risk assessment and ongoing controls.
Choosing a path
- Use Safe Harbor when your use case tolerates removing the 18 identifiers and simple rules suffice.
- Use Expert Determination when you need more detail (e.g., more precise date elements) and can maintain risk controls.
Aggregation of Ages Over 89
Age aggregation protects privacy for the oldest populations, where uniqueness increases re-identification risk. Replace any specific age above 89 with a single bucket: “90 or older.” Do not create narrower bins (e.g., “95–99”).
Implementation tips
- Convert any age value >89 to “90 or older” before release or sharing.
- Suppress or generalize any dates that could reveal age for those individuals (including year).
- Avoid decimals or partial years (e.g., “90.5”). Use the single aggregate category uniformly.
- When reporting statistics, ensure small-cell suppression so one or two individuals cannot be singled out.
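The age, date, and ZIP rules above can be applied to a record in one pass. The following is an added example, not code from the original article; the record schema, the function names, and the entries in `LOW_POPULATION_ZIP3` are assumptions made for illustration.

```python
from datetime import date

AGE_CAP_LABEL = "90 or older"
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date")
# Assumption: sample entries only. Fill this set with the three-digit ZIP
# prefixes whose combined area has 20,000 or fewer people (census data).
LOW_POPULATION_ZIP3 = {"036", "059"}


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def bucket_age(age: float):
    """Whole-year age, or the single aggregate label for anyone over 89."""
    whole = int(age)  # drop partial years such as 90.5
    return AGE_CAP_LABEL if whole > 89 else whole


def generalize(record: dict, as_of: date) -> dict:
    """Apply the age, date and ZIP rules to one record (hypothetical schema)."""
    age = bucket_age(age_on(record["birth_date"], as_of))
    over_89 = age == AGE_CAP_LABEL
    out = {"age": age}
    for field in DATE_FIELDS:
        value = record.get(field)
        # Month and day are always dropped; for over-89 records the year goes too.
        keep_year = value is not None and not over_89
        out[field.replace("_date", "_year")] = value.year if keep_year else None
    zip3 = str(record.get("zip", ""))[:3]
    restricted = len(zip3) < 3 or zip3 in LOW_POPULATION_ZIP3
    out["zip3"] = "000" if restricted else zip3
    return out


# Constructed sample records, not real patient data.
SAMPLE = [
    {"birth_date": date(1949, 5, 5), "admission_date": date(2024, 3, 10), "zip": "94110"},
    {"birth_date": date(1932, 11, 20), "admission_date": date(2024, 12, 1), "zip": "03601"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(generalize(row, as_of=date(2025, 6, 1)))
```

The second record shows why the year must go for the oldest individuals: an admission year kept next to "90 or older" would narrow the age range again.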
Compliance with HIPAA Privacy Rule
The HIPAA Privacy Rule applies to any covered entity or business associate, including providers, health plans, and clearinghouses. To comply, first determine whether your dataset is PHI, a Limited Data Set, or de-identified under Safe Harbor or Expert Determination.
Document the method used, apply technical and administrative safeguards, and train staff on handling PHI, date elements, and age aggregation. For sharing or research, use Data Use Agreements when appropriate and routinely review re-identification risk and suppression rules.
Conclusion
Under the HIPAA Privacy Rule, age becomes a HIPAA identifier only when it is over 89, in which case you must aggregate it as “90 or older” and avoid revealing related dates. By removing all 18 identifiers—or engaging an expert to manage risk—you can apply De-identification Standards that protect privacy while preserving analytic value.
FAQs
Is age always considered a HIPAA identifier?
No. Ages 0–89 are not identifiers under the Safe Harbor rule and may remain as exact integers in a de-identified dataset. Ages over 89 are identifiers and must be aggregated to “90 or older,” and related date elements require extra care.
When does age become protected health information?
Age is PHI whenever it appears in a record that is PHI. For de-identified data, ages 0–89 may be kept as-is, but any age over 89 must be aggregated. If age is tied to precise dates (like full birth date), those Date Elements are identifiers and must be generalized or removed.
Are there exceptions for ages under 90?
There is no special removal requirement for ages 0–89 under Safe Harbor; they can remain as exact values. Still, be mindful of small-cell counts or rare cohorts—additional generalization or suppression may be prudent to minimize re-identification risk.
What is the significance of aggregating ages over 89?
Aggregating ages over 89 into a single “90 or older” category reduces the risk that a unique, very old individual can be identified from a dataset. This Age Aggregation rule is a core part of HIPAA’s De-identification Standards and must be applied consistently wherever those ages appear.