List of HIPAA Identifiers: The 18 PHI Elements Under the Safe Harbor Rule
Overview of HIPAA Safe Harbor Rule
The HIPAA Privacy Rule lets you share health data outside the Rule's restrictions by applying Safe Harbor De-identification. Under this pathway, you remove a specific list of HIPAA identifiers so the data no longer constitutes Protected Health Information (PHI). When done correctly, recipients can use the dataset without triggering HIPAA privacy obligations; de-identified data is not risk-free, however, and a rich set of residual attributes can still be linked back to a person, which is why the actual-knowledge condition below matters.
Safe Harbor is one of two approved de-identification methods; the other is Expert Determination. With Safe Harbor, you remove all 18 categories of identifiers of the individual and of the individual's relatives, employers, and household members, and you have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify a person. Getting this right hinges on careful treatment of Geographic Subdivision Restrictions, date and age rules, Biometric Data Compliance, and the handling of unique codes.
Key requirements under Safe Harbor
- Remove all 18 categories of identifiers (of the individual and of relatives, employers, and household members) exactly as specified.
- Confirm you have no actual knowledge that the residual data, alone or combined with other information, could identify an individual.
- Document your process so downstream users understand the de-identification scope.
Names and Geographic Subdivisions
Names
All personal names must be removed. This includes first and last names, initials when identifying, and names of relatives, employers, or household members. Any field that could directly reveal identity counts as a patient identifier.
Geographic subdivisions smaller than a state
Remove street address, city, county, precinct, ZIP code, and equivalent geocodes (including latitude/longitude). The only exception is the initial three digits of a ZIP code, and only when the area formed by combining all ZIP codes that share those three digits contains more than 20,000 people; otherwise, replace those three digits with 000. The state may remain, but do not disclose exact coordinates or neighborhood-level detail.
Dates and Contact Information
Dates directly related to an individual
Remove all elements of dates (except year) tied to the person, such as birth, admission, discharge, and death dates. All ages over 89, and all date elements (including the year) that would reveal such an age, must also be removed; they may instead be aggregated into a single category of "age 90 or older." For everyone else, keeping only the year of a date is acceptable.
Contact information that must be removed
- Telephone numbers.
- Fax numbers.
- Email addresses.
These contact points are strong patient identifiers and must not appear anywhere in a Safe Harbor dataset.
Identification Numbers and Licenses
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers (for billing, banking, or internal systems).
- Certificate and license numbers (professional or personal).
These identifiers directly or indirectly tie data back to the individual and are always removed in Safe Harbor De-identification.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Device and Vehicle Identifiers
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers (for clinical devices, implants, wearables, or consumer devices used in care).
Vehicle and device details can be highly specific. If a dataset requires technical context, generalize the information (for example, by device category) rather than keeping a traceable serial number.
Biometric and Photographic Identifiers
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
Biometric Data Compliance means excluding any template or measurement that can uniquely identify a person. Full-face or comparable images must not appear; if imagery is essential, use non-identifying clinical images and confirm they cannot be linked back to an individual.
Other Unique Identifiers
- Web URLs (personal pages, profile links, or resource locators tied to an individual).
- IP address numbers (static or dynamic) associated with the person or their devices.
- Any other unique identifying number, characteristic, or code, except as permitted for re-identification by the covered entity.
Unique Code Classification and re-identification
You may assign a code to allow your organization to re-identify records later, but that code cannot be derived from the individual's information (for example, no encrypted or hashed SSNs or medical record numbers), the covered entity must not use or disclose the code for any other purpose, and the re-identification mechanism must remain confidential and must not be disclosed. A random token stored in an access-controlled lookup table that never leaves the covered entity satisfies these constraints. This balances analytical utility with patient privacy while complying with the HIPAA Privacy Rule.
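The three mechanical rules above (three-digit ZIP generalization with the 000 fallback, year-only dates with the over-89 age aggregation, and a random re-identification code kept in a confidential table) are easy to get subtly wrong. The following Python is an added illustration written for this page; it is not code from HHS or from any product. The restricted three-digit ZIP prefixes are the 2000 Census list reproduced in the HHS Safe Harbor guidance and must be re-verified against current census data before use; the sample record, the field names, and the regex patterns for a last-pass scan of free text are all constructed for the example.

```python
"""Safe Harbor helpers: ZIP generalization, date/age handling, random
re-identification codes, and a regex scan for residual identifiers.
Added illustration for this page; not HHS guidance or vendor code."""
import datetime as dt
import re
import secrets

# Three-digit ZIP prefixes whose combined area held 20,000 or fewer people,
# per the 2000 Census list in the HHS Safe Harbor guidance. Verify against
# current census data before relying on this in production.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def parse_iso_date(s):
    """Convenience wrapper so callers can pass 'YYYY-MM-DD' strings."""
    return dt.date.fromisoformat(s)


def generalize_zip(zip_code):
    """Return the initial three ZIP digits, or '000' when that prefix is
    restricted or the input is malformed (fail closed rather than leak)."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def compute_age(birth, reference):
    """Whole years between the birth date and the reference date."""
    age = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        age -= 1
    return age


def age_fields(birth, reference):
    """Return (age_value, birth_year). Ages over 89 collapse into '90+' and
    the birth year is dropped, because the year alone would reveal the age."""
    age = compute_age(birth, reference)
    if age > 89:
        return "90+", None
    return age, birth.year


def deidentify(record, reference, reid_table):
    """Build a Safe Harbor record from a source record (constructed schema).
    reid_table maps the random code back to the MRN; it stays inside the
    covered entity and is never shipped with the output."""
    age, birth_year = age_fields(record["birth_date"], reference)
    # Random code: not derived from any attribute of the person, so it is
    # not an "encrypted SSN" style code that Safe Harbor forbids.
    code = secrets.token_hex(8)
    reid_table[code] = record["mrn"]
    return {
        "record_code": code,
        "age": age,
        "birth_year": birth_year,
        "admission_year": record["admission_date"].year,  # year alone is permitted
        "zip3": generalize_zip(record["zip"]),
        "state": record["state"],          # state-level geography may remain
        "diagnosis": record["diagnosis"],  # clinical content, not an identifier
    }


# Patterns for a last-pass scan of free-text fields (notes, comments) that
# structured-field removal does not cover. Constructed for this example.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def find_residual_identifiers(text):
    """Return the sorted names of identifier types found in a free-text field."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def sample_record():
    """Constructed, fictional source record used for the demonstration."""
    return {
        "mrn": "MRN-0001",
        "birth_date": parse_iso_date("1930-06-15"),
        "admission_date": parse_iso_date("2024-02-10"),
        "zip": "03601",   # prefix 036 is on the restricted list -> '000'
        "state": "NH",
        "diagnosis": "E11.9",
    }


if __name__ == "__main__":
    table = {}
    print(deidentify(sample_record(), parse_iso_date("2024-03-01"), table))
    print(find_residual_identifiers(
        "Call 555-867-5309 or email jane@example.org on 4/5/2023"))
```

The free-text scan is deliberately a safety net, not a de-identification method: regexes miss names, device serials, and most dates written in prose, so structured removal of every listed field comes first and the scan only flags residue for manual review.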
Conclusion
To apply Safe Harbor De-identification correctly, remove the full list of HIPAA identifiers, respect Geographic Subdivision Restrictions and date rules, exclude biometric and photographic data, and treat unique codes carefully. Doing so protects patients, preserves data utility, and keeps your workflows aligned with Patient Identifiers policy under the HIPAA Privacy Rule.
FAQs
What are the 18 HIPAA identifiers under the Safe Harbor rule?
- Names.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code (with the three-digit exception and 000 rule), and geocodes.
- All elements of dates (except year) related to an individual; all ages over 89 and any date elements revealing such an age, which may be aggregated as 90+.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (except a confidential re-identification code used by the covered entity).
How does the Safe Harbor rule protect patient privacy?
It removes every direct and indirect patient identifier and requires that you have no actual knowledge the remaining data can identify someone. By honoring strict rules for dates, Geographic Subdivision Restrictions, biometrics, and unique codes, Safe Harbor de-identification reduces re-identification risk while enabling compliant data sharing.
Can geographic subdivisions be partially disclosed under HIPAA?
Yes, but only at permitted granularity. You may keep the state and the first three digits of a ZIP code, but only when the combined area of all ZIP codes sharing those three digits exceeds 20,000 people; otherwise, use 000. Do not include street address, city, county, precinct, or precise geocodes such as coordinates.
What types of biometric data are considered PHI under HIPAA?
HIPAA specifically lists biometric identifiers including finger and voice prints. In practice, any biometric template that can identify a person, such as iris or retina scans or facial geometry used for recognition, falls under the catch-all for any other unique identifying number, characteristic, or code and must be removed to maintain strong Biometric Data Compliance under the Safe Harbor framework.