Which HIPAA PHI Identifiers Must Be Removed? The 18 Safe Harbor List
HIPAA Safe Harbor Method
The HIPAA de-identification Safe Harbor method requires you to remove 18 specific identifiers from protected health information (PHI) and to have no actual knowledge that the remaining data could identify an individual. This approach is widely used because it offers a clear checklist of PHI removal requirements and a defensible standard for unique identifier exclusion.
- Strip all 18 Safe Harbor identifiers from structured fields and free text.
- Suppress dates and small-area locations per the geographic subdivision rules and date element suppression requirements.
- Ensure you retain no actual knowledge that the data could identify a person when combined with other information.
- If you use a re-identification code, it must not be derived from individual information and must be safeguarded separately.
Compared with expert determination, Safe Harbor is prescriptive: you follow the list and verification steps, then document your process to demonstrate compliance.
Removal of Names
Remove all names that can link a record to a person. This includes first and last names, middle names, initials, previous or alias names, and hyphenated or transliterated names. You must also remove names of relatives, employers, and household members that could reveal the individual’s identity.
- Replace names with generic labels (for example, “Patient,” “Mother”).
- Search notes, headers, footers, scanned forms, and filenames for residual names.
- Review signatures and name stamps in attachments and images; redact or crop them out.
Geographic Subdivision Restrictions
Remove all geographic subdivisions smaller than a state. This includes street address, city, county, precinct, ZIP code, and equivalent geocodes. The only limited exception allows retaining the first three digits of a ZIP code if the combined area of all ZIPs sharing those three digits has more than 20,000 people; otherwise, replace the three digits with 000.
- Delete apartment numbers, street names, PO boxes, and precise geocoordinates.
- Redact facility names if they reveal a small-area location uniquely tied to the individual.
- Scan free-text for landmarks or directions that pinpoint residences or workplaces.
Date Elements to Remove
Remove all elements of dates directly related to an individual except the year. Suppress month, day, and any finer resolution (hour, minute, second) for dates such as birth, admission, discharge, procedure, sample collection, and death. When dates could reveal age 90 or over, special rules apply (see Age Aggregation Rules).
- Replace “05/14/2024 14:35” with “2024.”
- Delete date ranges if either endpoint could identify the person; keep only the year(s).
- Strip timestamps from images, PDFs, DICOM headers, and EXIF metadata.
Practical handling of dates
Prefer year-only reporting for events and cohorts. If year granularity still risks identification (for example, rare events in small areas), consider broader time buckets (multi-year periods) after removing other identifiers.
Age Aggregation Rules
HIPAA Safe Harbor treats advanced age as highly identifying. You may not report an exact age if it is greater than 89, nor any date element (including the year) that would disclose such age. Instead, aggregate into a single category: “age 90 or older.”
- Report “90+” rather than 90, 92, or 100.
- Do not include birth year for individuals aged 90 or over.
- Combine this rule with location suppression to avoid small, unique cells.
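The ZIP, date, and age rules above, applied to one structured record, as an added example that is not code from the original page. The field names, the `LOW_POP_ZIP3` set, and the `keymap` store are assumptions made for illustration; the record is assumed to carry an integer `age`, and free text, images, and metadata are not covered.

```python
import re
import secrets

# Constructed placeholder set: 3-digit ZIP prefixes covering 20,000 or fewer people.
# A real deployment must build this set from current Census population data.
LOW_POP_ZIP3 = {"036", "102"}
# Hypothetical column names for direct identifiers that are dropped outright.
DROP = {"name", "street", "city", "county", "phone", "fax", "email",
        "ssn", "mrn", "account_no", "ip", "url", "zip", "age"}
DATE_FIELDS = ("birth_date", "admit_date", "discharge_date")
DATE_RE = re.compile(r"\s*(?:(\d{4})-\d{2}-\d{2}|\d{1,2}/\d{1,2}/(\d{4}))")


def year_only(value):
    """Return the 4-digit year of an ISO or US-style date, or None if unparseable."""
    m = DATE_RE.match(value or "")
    return (m.group(1) or m.group(2)) if m else None


def zip3(zipcode):
    """Keep the first three ZIP digits unless the prefix is low-population."""
    digits = re.sub(r"\D", "", zipcode or "")
    if len(digits) < 5 or digits[:3] in LOW_POP_ZIP3:
        return "000"
    return digits[:3]


def deidentify(record, keymap):
    """Return a Safe Harbor-style copy of record; store the re-ID link in keymap."""
    out = {k: v for k, v in record.items() if k not in DROP and k not in DATE_FIELDS}
    out["zip3"] = zip3(record.get("zip"))
    age = record.get("age")
    over_89 = age is not None and age > 89
    out["age"] = "90+" if over_89 else age
    for field in DATE_FIELDS:
        if field in record:
            year = year_only(record[field])
            # For ages over 89 the birth year itself would disclose the age.
            if field == "birth_date" and over_89:
                year = None
            out[field.replace("_date", "_year")] = year
    # Random code: not derived from any field of the record.
    code = secrets.token_hex(8)
    keymap[code] = record.get("mrn")  # keymap is kept apart from released data
    out["record_code"] = code
    return out
```

Unparseable dates come back as `None` rather than passing through, so a malformed value cannot leak a month or day.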
Contact Information Removal
Remove all direct contact channels that could be used to reach or track the individual. These Safe Harbor identifiers include telephone numbers, fax numbers, and electronic mail addresses, as well as online locators like URLs and IP addresses. Eliminating them curbs digital re-identification risk.
- Delete phone and fax numbers from headers, referral forms, and progress notes.
- Remove personal and work emails from structured fields and narratives.
- Strip URLs, social profile links, and IP addresses from logs and audit trails.
Removal of Identification Numbers
Delete numeric and alphanumeric identifiers that tag a person or their records. These include Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and certificate or license numbers. Also remove vehicle identifiers and serial numbers (including license plates) and device identifiers and serial numbers.
- Search for record locator numbers, barcodes, and QR-encoded IDs in files and images.
- Remove any other unique identifying number, characteristic, or code not expressly permitted for de-identified datasets.
- If you maintain a re-identification key internally, store it separately and ensure it cannot be computed from the released data.
Handling Biometric and Image Identifiers
Biometric identifiers and facial imagery can uniquely identify a person even without text. Remove biometric identifiers such as fingerprints and voiceprints, and remove full-face photographic images and any comparable images where a face can be recognized.
- Redact or crop full-face photos; avoid side profiles or images that still allow recognition.
- Strip image metadata (timestamps, GPS) and check videos for frames showing the face.
- Consider tattoos, scars, and unusual physical markers as potentially identifying characteristics.
Conclusion
To meet HIPAA de-identification via Safe Harbor, apply strict unique identifier exclusion: remove the 18 identifiers, suppress dates and sub-state geographies, aggregate ages 90+, and ensure you have no actual knowledge that the remaining data could identify an individual. This disciplined approach delivers compliant, usable data with minimal privacy exposure.
FAQs
What are the 18 HIPAA PHI identifiers that must be removed?
The 18 Safe Harbor identifiers are:
- Names.
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except that the initial three digits of a ZIP code may be kept if the combined area has more than 20,000 people; otherwise replace with 000.
- All elements of dates (except year) for dates directly related to the individual, including birth, admission, discharge, and death; and all ages over 89 and all related date elements (including year), except that such ages may be aggregated into “90 or older.”
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (with limited exception for internal re-identification codes that are not derived from individual information).
How does the Safe Harbor method ensure patient privacy?
Safe Harbor ensures privacy by requiring removal of the 18 enumerated identifiers and by prohibiting release if you have actual knowledge that the remaining data could identify someone. By combining explicit PHI removal requirements with documentation and review, Safe Harbor produces data with very low re-identification risk while preserving analytical utility.
Can ages over 89 be reported under HIPAA guidelines?
Yes, but only in aggregate. You must not report an exact age above 89 or any date element (including birth year) that reveals such age. Instead, report the single category “age 90 or older,” which satisfies the Safe Harbor age aggregation rule.
Is removal of IP addresses required for de-identification?
Yes. IP address numbers are one of the 18 Safe Harbor identifiers. You must remove IPs from logs, audit trails, and embedded metadata to achieve HIPAA-compliant de-identification under the Safe Harbor method.