The 18 protected health information identifiers are names, geographic subdivisions smaller than a state, all elements of dates related to an individual except year, telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, web Uniform Resource Locators, Internet Protocol address numbers, biometric identifiers including finger and voice prints, full-face photographic images and comparable images, and any other unique identifying number, characteristic, or code. These identifiers are used in the HIPAA Privacy Rule de-identification framework to define information elements that must be removed for a dataset to meet the safe harbor method, subject to the conditions that apply to geography and dates.
Geographic subdivisions smaller than a state include street address, city, county, precinct, and ZIP code, with limited handling allowed for the initial three digits of a ZIP code when population thresholds are met and the remaining digits are removed. All elements of dates related to an individual include birth date, admission date, discharge date, date of death, and any other date directly linked to the person, and ages over 89 must be aggregated into a 90 or older category when de-identifying under safe harbor. Full-face photographic images include images that permit recognition, and comparable images include any image format that enables identification of the individual.
Removal of the identifiers alone is not sufficient when a covered entity or business associate has actual knowledge that the remaining information could be used to identify the individual. De-identification also depends on avoiding unique codes or characteristics that function as identifiers, including internal patient numbers, device or session tokens, and other values that permit re-identification by the recipient or through linkage. When a dataset is intended for public release or broad sharing, the de-identification decision should be documented with the method used and the controls applied to prevent re-identification.
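The geography, date, and age handling described above, together with default removal of unique codes, can be expressed as a record transform. The following is an added example, not part of the original page: the field names, the sample records, and the `low_population_zip3` input (the three-digit ZIP prefixes that fail the population threshold, which the caller must derive from census data) are assumptions. It relies on two details of the safe harbor provision that the paragraphs above do not spell out: a prefix that fails the threshold is replaced with 000, and a birth year that would reveal an age over 89 is removed.

```python
import re
from datetime import date

# Hypothetical field names. Anything not listed is dropped by default, so names,
# contact details, record numbers, session tokens and other unique codes never pass.
PASS_FIELDS = {"sex", "diagnosis_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def years_old(birth, as_of):
    """Completed years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record, low_population_zip3, as_of):
    """Return a new dict holding only safe-harbor-compatible elements of record."""
    out = {}
    birth = record.get("birth_date")
    age = years_old(date.fromisoformat(birth), as_of) if birth else None
    over_89 = age is not None and age > 89
    for key, value in record.items():
        if key in PASS_FIELDS:
            out[key] = value
        elif key in DATE_FIELDS and value:
            if key == "birth_date" and over_89:
                continue  # the year itself would indicate an age over 89
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "zip":
            m = re.fullmatch(r"(\d{3})\d{2}(?:-\d{4})?", str(value))
            ok = m is not None and m.group(1) not in low_population_zip3
            out["zip3"] = m.group(1) if ok else "000"  # malformed input also becomes 000
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


# Constructed sample data; the prefix set is illustrative, not census-derived.
LOW_POP = {"999"}
AS_OF = date(2024, 6, 1)
ELDER = {"name": "Jane Roe", "mrn": "A-0001", "session_token": "abc123",
         "birth_date": "1931-02-10", "admission_date": "2024-03-05",
         "zip": "12345-6789", "sex": "F", "diagnosis_code": "I10"}
ADULT = {"name": "John Doe", "email": "jd@example.com", "birth_date": "1980-12-31",
         "zip": "99901", "sex": "M"}

if __name__ == "__main__":
    print(safe_harbor(ELDER, LOW_POP, AS_OF))
    print(safe_harbor(ADULT, LOW_POP, AS_OF))
```

A transform like this covers only structured fields; free-text notes and images need separate handling, and the actual-knowledge condition still applies to the output.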
Workflows that involve analytics, research support, quality improvement, and vendor services should distinguish de-identified information from a limited data set and from identified protected health information. A limited data set can include certain dates and certain geographic information but remains protected health information and requires a data use agreement with defined permitted uses and safeguards. Misclassification of datasets creates disclosure and breach exposure, so organizations should align de-identification, contracting, and access controls with the HIPAA Privacy Rule, HIPAA Security Rule when electronic protected health information is involved, and HIPAA Breach Notification Rule response procedures when an impermissible disclosure occurs.