Which Is Not Considered an Identifier Under the HIPAA Privacy Rule?



Kevin Henry

HIPAA

September 26, 2025


Overview of HIPAA Identifiers

Under the HIPAA Privacy Rule, information becomes Protected Health Information (PHI) when it links a person to health data through an “identifier.” If the link is removed so there is no reasonable basis to re-identify the person, the data are considered de-identified and fall outside HIPAA.

HIPAA recognizes two de-identification pathways: Safe Harbor and Expert Determination. Safe Harbor removes a prescribed set of identifiers; Expert Determination uses statistical methods to show very small re-identification risk. Understanding which elements are—and are not—identifiers is essential to apply either pathway correctly.

In short, items such as a state name or a year (with important exceptions) are generally not considered identifiers, while direct elements like a Medical Record Number or Health Plan Beneficiary Number are.

List of Protected Identifiers

The following categories are considered identifiers when linked to health data, and therefore make the information PHI under the HIPAA Privacy Rule:

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except the first three digits of a ZIP code when the corresponding geographic unit has more than 20,000 people; otherwise the ZIP must be changed to 000.
  • All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 and related date elements, unless aggregated into a single “90 or older” category.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical Record Numbers.
  • Health Plan Beneficiary Numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric Identifiers (for example, finger and voice prints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code (a unique identifying code), except as expressly permitted for re-identification under HIPAA.

Non-Identifier Examples

The following elements are generally not considered identifiers when used alone and handled properly:

  • Geography at or above the state level (for example, “California,” “United States”).
  • The first three digits of a ZIP code if the combined area has more than 20,000 people; otherwise the first three digits must be reported as 000.
  • Year-only for dates directly related to an individual (for example, “admitted in 2024”), except that for persons older than 89, even the year may be identifying unless grouped into “90 or older.”
  • Age expressed as a number from 0 through 89 (for example, “age 42”).
  • Clinical details that do not themselves identify a person (for example, “type 2 diabetes,” “blood pressure 120/80”) when not combined with identifiers.
  • Aggregated statistics and counts (for example, “48 patients improved”).
  • Random, non-derivable study IDs used only for internal linkage, where the re-identification mechanism is kept separate and undisclosed as required by HIPAA.
  • Descriptions of device type or category without device identifiers or serial numbers.

Context matters: combinations of seemingly innocuous data (for example, a rare condition plus a small town and specific date) can create re-identification risk. When in doubt, use Expert Determination.


Importance of Identifier Classification

Accurate classification determines whether data are PHI, de-identified, or eligible for a Limited Data Set. This decision governs how you may use, disclose, or publish the information and whether patient authorization, a Data Use Agreement, or other safeguards are required.

Getting identifiers right reduces breach risk, supports trustworthy analytics and research, and ensures that downstream recipients do not inadvertently re-identify individuals. Clear classification also streamlines data sharing by aligning stakeholders on what the HIPAA Privacy Rule permits.

Compliance Guidelines

  • Select your de-identification pathway: apply Safe Harbor (remove all 18 identifiers) or engage Expert Determination for risk-based de-identification.
  • Inventory your data fields and map each one against the 18 categories (for example, check for Medical Record Number, Health Plan Beneficiary Number, IP address, URLs, and Biometric Identifiers).
  • Generalize or suppress as needed: use state-level geography, three-digit ZIPs (subject to the 20,000-population rule), year-only dates, and “90 or older” age grouping.
  • Control “unique identifying code” usage: do not use codes derived from personal attributes, and never disclose the re-identification key outside permitted purposes.
  • For research, public health, or operations, consider a Limited Data Set with a Data Use Agreement if dates and certain Geographic Subdivisions are necessary.
  • Train your workforce on the identifier list, edge cases (for example, free text, images), and reporting procedures.
  • Document decisions and retain evidence (checklists, risk assessments) to demonstrate how you met HIPAA standards.

Impact on Data Privacy

Removing identifiers meaningfully lowers the chance that health data will be traced back to a person, helping preserve confidentiality while enabling quality improvement, research, and public reporting.

However, residual risk can persist, especially when de-identified data are linked with external datasets. Robust governance, conservative generalization (for example, using broader Geographic Subdivisions), and periodic risk reviews are essential to maintain privacy over time.

Identifier Verification Procedures

Step-by-step review

  • Scan structured fields for the 18 identifiers (names, addresses, dates, contact numbers, account and license numbers, Medical Record Number, Health Plan Beneficiary Number, device and vehicle identifiers, URLs, IPs, Biometric Identifiers, full-face photos, and any unique identifying code).
  • Search unstructured text for patterns (for example, MM/DD/YYYY dates, phone/e-mail formats, postal addresses) and remove or generalize.
  • Inspect images and PDFs for embedded faces, ID badges, and metadata that may include locations, timestamps, or device serials.
  • Validate geography: restrict to state or compliant three-digit ZIPs; mask small-area references (neighborhoods, precincts).
  • Normalize dates to year-only and regroup ages over 89 into a single “90 or older” bucket.
  • Check system and web logs for URLs and IP addresses that may be tied to individuals.
  • Review any linkage keys to ensure they are random, not derived from personal data, and that the re-identification mechanism is securely segregated.
  • Perform a peer or privacy office review; record sign-off and retention period for the verification artifacts.
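The generalization and free-text steps above can be sketched as a small Python routine. This is an added example, not code from the article or its publisher; the field names, the ISO date format of structured fields, the sample records, and the low-population ZIP3 set are all assumptions made for illustration.

```python
import re
import secrets

# Placeholder values for illustration: ZIP3 prefixes whose combined area has
# 20,000 or fewer people. Load the real list from current Census data.
LOW_POP_ZIP3 = {"036", "059"}

# Free-text patterns named in the review steps: MM/DD/YYYY dates, phone, e-mail.
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def scrub_text(text, keep_year=True):
    """Generalize dates to year-only (or redact them) and mask contact details."""
    text = DATE_RE.sub(r"\1" if keep_year else "[DATE]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)

def deidentify(record, key_map):
    """Build the output from an allowlist of generalized fields, so any field
    not listed here (name, MRN, address, ...) is dropped by default."""
    over_89 = record["age"] > 89
    zip3 = record["zip"][:3]
    study_id = secrets.token_hex(8)      # random, not derived from the person
    key_map[study_id] = record["mrn"]    # linkage key; store separately from output
    return {
        "study_id": study_id,
        "state": record["state"],
        "zip3": "000" if zip3 in LOW_POP_ZIP3 else zip3,
        "age": "90 or older" if over_89 else record["age"],
        # Conservative choice: a birth year would reveal an age over 89.
        "birth_year": None if over_89 else record["birth_date"][:4],
        "admit_year": record["admit_date"][:4],
        "diagnosis": record["diagnosis"],
        "note": scrub_text(record["note"], keep_year=not over_89),
    }

# Constructed sample records (not real patients).
SAMPLE_A = {"name": "Jane Example", "mrn": "MRN-0001", "state": "VT",
            "zip": "05901", "age": 93, "birth_date": "1931-03-14",
            "admit_date": "2024-06-02", "diagnosis": "type 2 diabetes",
            "note": "Seen 06/02/2024; call 555-123-4567 or jane@example.org."}
SAMPLE_B = {"name": "John Example", "mrn": "MRN-0002", "state": "CA",
            "zip": "94110", "age": 42, "birth_date": "1983-01-20",
            "admit_date": "2024-03-05", "diagnosis": "hypertension",
            "note": "Follow-up 03/05/2024."}

if __name__ == "__main__":
    keys = {}  # in practice, kept in a separate, access-controlled store
    for rec in (SAMPLE_A, SAMPLE_B):
        print(deidentify(rec, keys))
```

Pattern matching catches only well-formed dates, phone numbers, and e-mail addresses; names and postal addresses in free text still need the manual or peer review the last step calls for.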

Conclusion

Under the HIPAA Privacy Rule, identifiers are the bridge that turns health data into PHI. Elements such as state-level geography, compliant three-digit ZIPs, year-only dates (with the 90-or-older exception), and properly managed random study IDs are not considered identifiers, while direct elements like Medical Record Number, Health Plan Beneficiary Number, Biometric Identifiers, and other unique identifying codes are. Applying clear rules, documentation, and periodic review helps you protect privacy and use data responsibly.

FAQs

What types of information are not identifiers under HIPAA?

Examples include state or higher-level geography, the first three ZIP digits when the corresponding area has more than 20,000 people (otherwise 000), year-only for dates directly related to an individual, ages 0–89, aggregate counts, clinical facts without linkage to an individual, and randomly assigned, non-derivable study codes whose re-identification keys are securely segregated.

How does HIPAA define protected identifiers?

HIPAA lists 18 categories such as names; Geographic Subdivisions smaller than a state; elements of dates (except year) and ages over 89; contact details; Social Security numbers; Medical Record Numbers; Health Plan Beneficiary Numbers; account, certificate, and license numbers; vehicle and device identifiers; URLs; IP addresses; Biometric Identifiers; full-face photos; and any other unique identifying code unless used under HIPAA’s re-identification exception.

Why is it important to distinguish identifiers in PHI?

Correctly distinguishing identifiers determines whether information is PHI and what rules apply. It enables compliant data sharing, reduces breach risk, supports reliable research and analytics, and ensures downstream users do not unintentionally re-identify individuals.

What are the consequences of misclassifying an identifier under HIPAA?

Misclassification can lead to impermissible disclosures of PHI, triggering breach notifications, regulatory investigations, corrective action plans, civil monetary penalties, potential contractual liabilities, and reputational harm. It can also disrupt research or operations if datasets must be withdrawn or remediated.
