Is Age PHI Under HIPAA? What Counts—and the 90+ Rule Explained


Kevin Henry

HIPAA

September 16, 2025


Age as Protected Health Information

If you’ve asked “Is age PHI under HIPAA?”, the answer is: it depends on context. Under the HIPAA Privacy Rule, Protected Health Information (PHI) is health information that can identify an individual. Age by itself, outside a health-care context, is not PHI. However, once age appears in medical records or is linked to diagnoses, treatment, billing, or other health details held by a covered entity or business associate, it becomes PHI.

This distinction supports medical records confidentiality: the same age value can be either innocuous in isolation or identifying when paired with health information. The key is whether the data relates to a person’s health and could reasonably identify that person.

HIPAA Identifiers and Age

HIPAA’s De-Identification Standards list specific Health Information Identifiers that must be removed for “safe harbor” de-identification. Several directly involve age and dates:

  • Date of birth (the full date) is an identifier; “year of birth” is typically acceptable in de-identified data.
  • All elements of dates (except year) related to an individual—such as admission, discharge, service, or death dates—are identifiers.
  • Ages of 90 and above are treated specially: they must be reported only as a single “90 or Older Age Category” in safe-harbor de-identified datasets.

These rules aim to reduce the chance that a unique combination of age and dates could point back to a specific person.

The 90+ Rule for Age Disclosure

The “90+ rule” is a HIPAA safe-harbor requirement: when releasing de-identified information publicly, you cannot share exact ages for people 90 or older. Instead, you must aggregate them as “90 or Older Age Category.” This top-coding limits re-identification risk because very advanced ages are rare and therefore more identifying.

Importantly, the 90+ rule applies to safe-harbor de-identification. It does not restrict internal clinical use, treatment, payment, or health care operations. It also differs from other permissible pathways, such as a limited dataset with a Data Use Agreement or disclosure with the individual’s authorization, where exact ages may be allowed.


Combining Age with Health Data

Age becomes especially sensitive when combined with health details. Pairing a specific age with diagnosis codes, procedures, or service dates can make a record far more unique. Add geography smaller than a state or rare conditions, and the re-identification risk rises quickly.

Under the HIPAA Privacy Rule, you should treat age as one of several quasi-identifiers that, in combination, can identify a person. Managing how age is presented—together with other attributes—helps preserve privacy while keeping data useful.

Preventing Identification Through Age Aggregation

To balance utility and privacy, apply pragmatic aggregation techniques:

  • Top-code at “90 or Older Age Category” when using safe-harbor de-identification.
  • Group ages into bands (for example, 0–4, 5–9, 10–14, or broader adult/geriatric brackets) to reduce uniqueness.
  • Use year of birth or age-in-years without month/day when detailed dates are unnecessary.
  • Combine age bands with minimum cell-size policies for public reporting to avoid small, revealing counts.
  • When finer detail is essential, consider Expert Determination de-identification, where a qualified expert certifies low re-identification risk.
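The first, second and fourth techniques above can be combined in one pass before a table is published. The sketch below is an added example, not code from this article or its publisher; the record layout, the function names and the minimum cell size of 5 are assumptions chosen for illustration, and the threshold should come from your own publishing policy.

```python
from collections import Counter

TOP_CODE_AGE = 90            # ages at or above this are reported as one category
TOP_CODE_LABEL = "90 or older"
MIN_CELL_SIZE = 5            # assumption: illustrative threshold, not a HIPAA figure


def age_band(age, width=5):
    """Map an age in whole years to a band label, top-coding ages 90+."""
    if not isinstance(age, int) or isinstance(age, bool) or age < 0:
        raise ValueError(f"invalid age: {age!r}")
    if age >= TOP_CODE_AGE:
        return TOP_CODE_LABEL
    low = (age // width) * width
    high = min(low + width - 1, TOP_CODE_AGE - 1)  # a band never crosses 90
    return f"{low}-{high}"


def publishable_counts(records, width=5, min_cell=MIN_CELL_SIZE):
    """Count records per (age band, condition) and suppress small cells.

    Returns {(band, condition): count or None}; None marks a suppressed cell.
    """
    counts = Counter((age_band(r["age"], width), r["condition"]) for r in records)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


# Constructed sample records (hypothetical layout, not real patient data).
SAMPLE = (
    [{"age": a, "condition": "diabetes"} for a in (61, 62, 63, 64, 60, 62)]
    + [{"age": a, "condition": "diabetes"} for a in (90, 93, 97, 101, 104)]
    + [{"age": 88, "condition": "rare-condition"}]
)

if __name__ == "__main__":
    for (band, condition), n in sorted(publishable_counts(SAMPLE).items()):
        print(f"{band:12} {condition:16} {'suppressed' if n is None else n}")
```

If row or column totals are published alongside the table, a single suppressed cell can be recovered by subtraction, so totals need the same review before release.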

Compliance Practices for Age Data

Build a repeatable approach that aligns with HIPAA and organizational risk tolerance:

  • Classify each dataset: PHI, limited dataset, or de-identified under the De-Identification Standards (Safe Harbor or Expert Determination).
  • Apply the minimum necessary rule to uses and disclosures, and default to age aggregation when detail is not required.
  • For limited datasets, execute a Data Use Agreement and define approved purposes (research, public health, operations).
  • Document the method used (safe harbor vs. expert), including how ages are handled and why chosen bands meet privacy goals.
  • Establish controls for medical records confidentiality: role-based access, audit logs, and periodic training focused on identifiers like age and dates.
  • Adopt clear publishing standards for external reports—top-code 90+, suppress small cells, and review outputs for residual risk.

In short, age is not inherently PHI—but under the HIPAA Privacy Rule it becomes PHI when tied to identifiable health information. Use the 90+ rule and thoughtful aggregation to protect privacy while preserving analytic value.

FAQs

Is age alone considered PHI under HIPAA?

No. Age alone is not PHI. It becomes PHI when it appears in a health-care context or is linked to other health information that can identify an individual, such as diagnoses, procedure dates, or provider records.

How does the 90+ rule protect seniors' privacy?

By requiring that anyone aged 90 or older be reported only as “90 or Older Age Category” in safe-harbor de-identified data, the rule reduces the uniqueness of very advanced ages and helps prevent re-identification.

When must age be aggregated in health data?

Aggregation is mandatory for ages 90+ when using the HIPAA safe-harbor de-identification method for public release. Beyond that, you should aggregate ages whenever combining them with other details (like dates or rare conditions) could increase re-identification risk or when your policies require small-number suppression.

Does HIPAA allow sharing exact ages under any conditions?

Yes. Exact ages may be shared for treatment, payment, and health care operations; with the individual’s authorization; with public health authorities as permitted; or within a limited dataset under a Data Use Agreement. The 90+ aggregation requirement specifically applies to safe-harbor de-identified data released without authorization.
