18 HIPAA Identifiers for PHI De-Identification

Learn about the 18 HIPAA identifiers essential for de-identifying protected health information and safeguarding patient privacy in healthcare.

HIPAA requires the removal of 18 specific identifiers to de-identify Protected Health Information (PHI) and protect patient privacy. These identifiers include anything that could reveal a person's identity when handling healthcare data. Here's a quick list:

Names
Geographic data below the state level
Dates (except year)
Ages 89 and above
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan numbers
Account numbers
Certificate/license numbers
Vehicle and license plate information
Device IDs and serial numbers
Web URLs
IP addresses
Biometric data
Face photos and similar images

Proper de-identification methods, like the Safe Harbor Method (removing all identifiers) or the Expert Determination Method (statistical analysis to ensure low re-identification risk), are essential for HIPAA compliance. These steps allow safe data sharing while protecting patient privacy.

Understanding HIPAA Identifiers

HIPAA identifiers refer to data points that could reveal an individual's identity within healthcare records. These identifiers go beyond basic details and, when combined or analyzed, can compromise patient privacy.

The HIPAA Privacy Rule requires the de-identification of Protected Health Information (PHI) to allow controlled data sharing for research and operational needs.

Healthcare organizations need to focus on three main areas when dealing with HIPAA identifiers:

Purpose and Scope
Individual data elements may seem harmless on their own but can combine to expose a person's identity. In healthcare, this risk is especially high when multiple identifiers are used together.
Risk Management
Risk management plays a crucial role in protecting patient data.

"Censinet helps organizations address risk across their business, including patient data and medical records." ^[1]
De-identification Standards
The HIPAA Privacy Rule provides two main methods to de-identify data:
- Expert Determination Method
  This method involves statistical analysis to ensure there is a very low risk of re-identification. Scientific validation is required to confirm its effectiveness.
- Safe Harbor Method
  This approach removes all 18 types of identifiers outlined by HIPAA. It’s a straightforward way to comply by completely eliminating identifiable information.

These methods simplify the de-identification process and promote secure data practices. As healthcare becomes increasingly digital, managing identifiers effectively has become even more important. Organizations must strike a balance between making information accessible and protecting patient privacy.

Focusing on these areas strengthens patient data security while supporting HIPAA compliance and overall healthcare cybersecurity efforts.

1. Names

Under HIPAA regulations, names are considered primary identifiers and must be completely removed from patient records. This includes:

Full names
First and last names, even when listed separately
Maiden names
Nicknames
Records of legal name changes
Relatives' names connected to the patient
Healthcare providers' names tied to patient care

Even partial name details can lead to re-identification, which is why strict removal is necessary to meet HIPAA standards. The Safe Harbor Method specifically requires the elimination of all names from patient data.

Using initials or pseudonyms is not allowed unless verified through the Expert Determination Method. To ensure compliance, healthcare organizations should implement both automated and manual review processes to catch any oversights.

Before sharing data for research, analysis, or public health purposes, organizations must confirm that all names have been removed. This ensures HIPAA compliance while allowing the data to be used responsibly.

2. Geographic Data Below State Level

HIPAA rules require removing or generalizing location data below the state level to ensure privacy. This includes:

Street addresses and apartment numbers
City names
County names
ZIP codes
Census tract details
Geographic coordinates
Precinct numbers

The only exceptions are broader geographic details like state, territory, or country names. For ZIP codes, you can keep the first three digits - but only if all ZIP codes with those digits collectively cover a population of more than 20,000.

To manage geographic identifiers effectively, healthcare organizations should:

Use automated tools to detect and remove location data
Replace specific details with general state-level information
Double-check ZIP code population thresholds
Keep a log of all changes for compliance purposes
Train staff to identify indirect geographic details in free-text fields

For example, phrases like "local hospital" or "nearby clinic" are fine, but something specific like "Memorial Hospital on 5th Street" would need to be adjusted. Clinical notes, admission records, and transfer documents should also be reviewed for any geographic references.

Additionally, don't overlook location data found in:

Billing addresses
Insurance paperwork
Referral forms
Emergency contact information
Provider network directories
Facility transfer records

3. Dates (Except Year)

When removing direct identifiers, dates need careful attention. All dates tied to individuals should be removed or adjusted, except for the year. This step helps refine the de-identification process.

Here’s how to handle dates in patient records:

Year-Only Format: Replace full dates with just the year. For example:
- Change "March 15, 2025" to "2025."
Age Calculation: Instead of exact dates, record the patient’s age at the time of service. For patients aged 89 or older, see section 4 for specific guidelines.
Date Ranges: Use only the years to express date ranges. For instance:
- Replace "January 2024 - March 2025" with "2024-2025."

Make sure to check dates in areas such as:

Clinical notes
Lab results
Prescription details
Follow-up schedules
Medical device logs
Insurance claims
Payment records

Automated tools can simplify the process by standardizing date formats across patient records. This ensures compliance while keeping the clinical information meaningful.

4. Age 89+ Information

Patients aged 89 and older need extra care when handling their data because smaller group sizes make it easier to identify individuals. To address this, their ages should be grouped together to reduce the risk of re-identification.

Combine all ages 89 and above into a single category labeled "89+". Avoid including exact ages or birth years.

This grouping method helps ensure that personal health information (PHI) remains anonymous and secure.

Examples of Proper Age Handling:

89 years old → 89+
92 years old → 89+
101 years old → 89+

Documentation Guidelines:

Replace specific ages with "89+" in records.
Remove birth years to block the possibility of calculating exact ages.
Limit detailed age mentions in clinical notes to avoid revealing identifiable information.

Next, we’ll discuss other identifiers that play a role in data de-identification protocols.

5. Phone Numbers

Under HIPAA regulations, phone numbers are classified as Protected Health Information (PHI) and must be fully removed during the de-identification process.

Types of Phone Numbers to Remove:

Primary numbers
Mobile numbers
Work numbers
Emergency contact numbers
Other contact numbers
Extension numbers

Steps to Properly Remove Phone Numbers:

To comply with HIPAA, all parts of a phone number - digits, formatting, international codes, and any related metadata - must be completely erased.

Common Phone Number Formats to Look For:

Format Type	Example
Standard	(555) 123-4567
International	+1-555-123-4567
With Extension	555-123-4567 x890
Local	123-4567

Every phone number format listed here must be entirely removed.

Additional Areas to Check:

Fax numbers: These must also be removed from records.
Metadata: Ensure all metadata tied to phone numbers in EHR systems is deleted.
Voice messaging systems: Clear any stored phone numbers.
Contact logs: Review thoroughly for any lingering data.
Appointment reminders: Purge all phone numbers from reminder systems.

When using automated tools for de-identification, configure them to identify and delete both common and uncommon phone number formats. Conduct regular audits to confirm compliance and ensure no phone numbers remain in datasets.

If working with third-party services, confirm that their de-identification processes address all phone number variations to meet HIPAA standards.

The next section will cover the de-identification of fax numbers.

6. Fax Numbers

Fax numbers are a HIPAA identifier that must be removed or altered during the process of PHI de-identification. While fax machines may seem outdated, they are still widely used in healthcare to send patient information. Removing fax numbers thoroughly is crucial to maintaining patient privacy.

You’ll often find fax numbers in:

Medical records and insurance claims
Referral forms and lab results
Prescription records
Document headers and footers
Cover sheets and contact sections
Signature blocks
Facility directories

Format Variations

Fax numbers can appear in different formats. Here are some common examples:

Format Type	Example Pattern	Areas to Check
Standard	(555) 123-4567	Headers, footers
International	+1-555-123-4567	International correspondence
Extension-based	555-123-4567 ext. 890	Department directories
Internal	x4567	Internal routing slips

Steps for Effective Removal

To ensure fax numbers are removed, follow these steps:

Digital Records:

Delete fax numbers and related metadata from EHR systems, patient portals, and automated routing tools.

Physical Documents:

Redact fax numbers on paper records.
Black out fax details on archived documents.
Update pre-printed forms to eliminate fax fields.
Replace fax cover sheet templates.

System Configuration:

Use automated tools to detect and remove fax number formats.
Set up validation checks to prevent the re-entry of fax numbers.
Schedule regular audits to confirm compliance.

Additional Considerations

Ensure backup systems don’t retain fax number data.
Look for fax numbers in scanned document archives.
Review older correspondence for any overlooked fax details.
Confirm that external systems follow these same protocols.

Using platforms like Censinet RiskOps™ can simplify these tasks and help maintain HIPAA compliance. Work with your compliance team to ensure all procedures meet current regulations and internal guidelines.

7. Email Addresses

Email addresses are a key part of HIPAA-protected information and must be completely removed to ensure compliance. As digital identifiers, they can directly connect to an individual's identity and healthcare details.

Where Email Addresses Are Found

You'll often find email addresses in:

Patient registration forms
Electronic health records (EHR)
Patient portals
Appointment scheduling systems
Digital communication logs
Newsletter subscription lists
Insurance-related correspondence
Telehealth platform accounts

Why Email Addresses Pose a Risk

Email addresses often contain personal details like names, birth years, or organizational affiliations, making them a direct link to patient identities.

Steps for Proper De-identification

Completely Remove Email Addresses
- Delete the username, @ symbol, and domain name.
- Masking part of the address isn’t enough to meet compliance standards.
Erase Associated Metadata
- This includes data stored in:
  - Message headers
  - Contact databases
  - Audit logs
  - System backups and archived communications
Deploy Technical Safeguards
- Use tools for automated email detection.
- Apply data validation checks and conduct regular audits.
- Ensure secure transmission protocols are in place.

Tips for Staying Compliant

To strengthen compliance efforts:

Use encrypted email systems.
Adopt secure email solutions tailored for healthcare.
Train staff on proper email handling and security practices.
Establish business associate agreements (BAAs) with third parties.
Regularly audit systems to ensure no unauthorized email retention.

Platforms like Censinet RiskOps™ can help streamline the removal of protected health information (PHI) and ensure compliance across healthcare systems ^[1].

Once email addresses are handled, the next step is addressing Social Security numbers, which require equally stringent measures.

Social Security Numbers (SSNs) are some of the most sensitive identifiers under HIPAA. These nine-digit numbers are used to identify individuals, and if exposed, they can lead to identity theft, fraud, or financial damage. Managing SSNs carefully is crucial to protect patient information.

Common Storage Locations

Healthcare organizations often store SSNs in systems like:

Patient registration platforms
Insurance verification databases
Billing and payment records
Employee files
Medical records
Claims processing systems

Key Security Measures

Access Controls
Limit access to SSNs based on roles, ensuring only authorized personnel can view them. Use tools like multi-factor authentication, session timeouts, and access logs to monitor and secure usage.
Data Protection
Encrypt SSNs during storage and transmission, including backups and cloud environments, to keep them secure from unauthorized access.
De-identification Techniques
Replace SSNs with randomly generated tokens or secure identifiers and maintain detailed documentation of the removal process.

These steps align with broader methods for de-identifying protected health information (PHI).

Healthcare providers should collect SSNs only when absolutely necessary for patient care or regulatory compliance. Tools like Censinet RiskOps™ can help organizations streamline SSN protection and maintain compliance across their systems ^[1].

9. Medical Record Numbers

Medical Record Numbers (MRNs) are unique codes assigned to patients within healthcare systems. These identifiers help connect patient records across different departments, making them highly sensitive under HIPAA regulations.

Security Implications

MRNs come with certain risks because they link various pieces of patient information, such as:

Medical records across multiple departments
Patient histories and treatment plans
Billing and insurance details
Tracking of care throughout visits

De-identification Requirements

To protect patient privacy, MRNs need to be de-identified effectively. Here's how:

Data Transformation: Replace MRNs with random identifiers that maintain the ability to link records internally but conceal the original data. Keep the process documented and restrict access to authorized personnel only.
Access Controls: Implement role-based access restrictions, maintain audit logs, and securely store the mapping between original and de-identified MRNs.
System Integration: Ensure all systems (EHRs, labs, billing, and research databases) handle MRNs consistently. This unified approach strengthens the de-identification process for protected health information (PHI).

Risk Management Solutions

Tools like Censinet RiskOps™ offer standardized protocols for de-identifying MRNs and monitoring associated risks ^[1].

Best Practices Table

Area	Requirement	Implementation
Storage	AES-256 encryption	Use encryption methods outlined earlier
Access	Strict role-based controls	Limit access based on roles
Transmission	TLS 1.3	Protect data during transfer
Backup	Encrypted copies	Keep backups secure
Monitoring	Audit logging	Track system activity

Securing MRNs with the same level of care as other sensitive identifiers is crucial to maintaining HIPAA compliance and protecting patient information.

sbb-itb-535baee

10. Health Plan Numbers

Health plan numbers are unique identifiers that connect patients to their insurance coverage. Under HIPAA, these numbers are considered Protected Health Information (PHI).

To protect health plan numbers, use methods like data masking, tokenization, encryption (both during storage and transmission), and strict access controls. Regular audits are essential to ensure HIPAA compliance and to maintain security standards. These steps are part of a broader effort to de-identify PHI while managing it responsibly.

Healthcare organizations can also use cybersecurity and risk management tools like Censinet RiskOps™ to evaluate and address risks tied to sensitive identifiers such as health plan numbers ^[1]. These solutions help protect patient data while maintaining its usability.

11. Account Numbers

Once health plan numbers are de-identified, managing account numbers becomes just as important. These numbers, such as billing or hospital identifiers, can tie back to sensitive payment or treatment details, linking them to PHI.

Here are some approaches to handle account numbers while staying compliant and keeping data useful:

Complete removal: Delete account numbers entirely when full de-identification is needed.
Masking: Show only the last four digits (e.g., ****1234) if partial identification is acceptable.
Tokenization: Replace actual numbers with random tokens to retain data relationships without exposing the original values.

To keep account numbers secure, consider these measures:

Role-based access: Limit access to only those who need it.
Encryption: Use strong encryption for both storage and transmission.
Audit logs: Keep a record of all access and changes.
Data segregation: Store account numbers separately from other PHI.

Even partial account numbers can pose re-identification risks when combined with other data. Regular risk assessments are essential to stay HIPAA-compliant while ensuring your systems remain functional.

12. Certificate/License Numbers

Certificate and license numbers are considered HIPAA-sensitive because they are linked to professional credentials. To ensure Protected Health Information (PHI) is properly de-identified, these numbers must be excluded from datasets unless there's a documented business need to keep them.

With tools like Censinet RiskOps™, you can identify and manage certificate and license numbers efficiently, simplifying risk management processes while strengthening data protection. Up next, we’ll cover other identifiers that demand careful handling.

13. Vehicle and License Plate Info

When working on de-identifying records, details related to vehicles must also be carefully removed.

Vehicle-related identifiers, such as Vehicle Identification Numbers (VINs) and license plate numbers, are considered HIPAA identifiers because they can directly connect to a patient’s identity. To protect patient privacy, these details need to be removed or replaced in records.

Here’s what to look for and address:

Vehicle Identification Numbers (VINs)
License plate numbers
Vehicle registration details
Parking permits
Medical transport identifiers
Other unique vehicle features

For healthcare organizations using Censinet RiskOps™, the system can help automate the detection and removal of vehicle-related identifiers, ensuring compliance with PHI de-identification requirements ^[1].

If vehicle information is clinically relevant, replace specific details with general terms. For example, instead of documenting “2025 Ford F-150 License ABC123,” use a broad description like “pickup truck.” This keeps the record useful without risking patient privacy.

In close-knit communities, even partial vehicle details can reveal someone’s identity. Treat vehicle-related data with the same level of caution as other direct identifiers to stay HIPAA-compliant and safeguard patient information.

Continue applying these strict measures as you address other categories of identifiers.

14. Device IDs and Serial Numbers

Device data, like other identifiers, needs careful handling to safeguard PHI. Device IDs and serial numbers are particularly sensitive and must be properly de-identified.

Examples of devices with identifiable data include:

Implanted devices: pacemakers, insulin pumps, neurostimulators
Diagnostic tools: MRI machines, CT scanners, ultrasound devices
Monitoring systems: heart rate monitors, blood pressure devices
Treatment equipment: infusion pumps, ventilators, dialysis machines

To prevent linking this data back to patients, unique device identifiers should be removed or masked.

Tools such as Censinet RiskOps™ help manage and identify risks in device data while maintaining HIPAA compliance ^[1].

De-identification Tips for Device Data

When de-identifying device data but keeping it useful for research, consider these steps:

Replace specific serial numbers with general category labels
Record the type of device without including unique identifiers
Use broad terms instead of specific model details

For instance, instead of noting "Medtronic Pacemaker Model A123456", simply document it as "cardiac pacemaker." This approach aligns with HIPAA's strict de-identification standards.

Be cautious even with partial identifiers, as they can sometimes reconstruct PHI, especially for rare or specialized devices. Always apply thorough de-identification methods.

Lastly, ensure strong cybersecurity measures and risk management practices are in place to protect device data during sharing or research activities.

15. Web URLs

Web URLs can sometimes contain Protected Health Information (PHI), especially in systems like electronic health records, patient portals, and internal healthcare platforms.

Here are some common examples where PHI might show up in URLs:

Links for patient portal logins that include embedded identifiers
URLs for accessing laboratory results
Appointment confirmation links
Medical record access URLs
Telemedicine session links

To protect patient privacy, organizations should take steps to mask or remove identifiable information from URLs. This can include replacing direct patient identifiers with non-identifiable tokens, structuring URLs to avoid sensitive data, and using secure access controls with temporary links. Regularly reviewing URL patterns is also essential to ensure compliance.

Just like phone numbers or email addresses, URLs must be carefully managed to safeguard patient privacy. Tools like Censinet RiskOps™ can help streamline the process of assessing and monitoring URL handling practices ^[1].

Even seemingly harmless URLs can pose compliance risks if they reveal patterns that could identify specific patients. Frequent reviews and updated safeguards are key to keeping patient data secure.

Up next, we’ll take a closer look at IP addresses and their role in PHI de-identification.

16. IP Addresses

IP addresses are considered HIPAA identifiers because they can potentially reveal a person's or device's identity when paired with other information. To protect patient privacy, IP addresses must be either removed or anonymized during the de-identification process. This step is consistent with other de-identification methods and helps ensure the security of protected health information (PHI).

17. Biometric Data

To comply with HIPAA regulations, biometric data must be removed or altered to ensure patients cannot be identified. This type of data includes physical or behavioral traits unique to individuals, which require extra care during the de-identification process.

Examples of biometric identifiers:

Fingerprints
Retinal scans
Voice patterns
Hand geometry
DNA sequences

How to de-identify biometric data effectively:

Convert biometric markers into irreversible hash values.
Strip away identifying patterns while keeping relevant medical information intact.
Use randomized identifiers to replace original biometric data.
Store de-identified data in separate databases to prevent accidental linking.

It’s also essential to maintain strict separation between databases used for biometric authentication and those holding clinical data. This prevents any unauthorized connections between the two.

Best practices for handling biometric data:

Always encrypt biometric data during both storage and transmission.
Restrict access to this data to authorized personnel only.
Keep detailed records of de-identification procedures.
Perform regular compliance audits to ensure ongoing adherence to regulations.

Many healthcare facilities now use biometrics for security purposes, but it’s crucial to ensure these measures protect patient privacy and data integrity. Up next, we’ll dive into the de-identification of visual identifiers.

18. Face Photos and Similar Images

Facial photos and other visual identifiers can directly reveal a patient's identity, making them critical to de-identify for HIPAA compliance. These types of images require careful handling to protect privacy while maintaining their usefulness in clinical or educational settings.

Examples include:

Full-face photos
Profile pictures
X-ray images showing facial features
Video recordings
Digital images from medical procedures

To properly de-identify visual data, follow these steps:

Digital Masking: Use techniques like pixelation, blurring unique features, or cropping out identifiable areas.
Metadata Removal: Eliminate GPS data, device details, timestamps, and patient identifiers from file names.
Secure Storage: Store images in encrypted systems, use segregated databases, and implement strict access controls.

For added security, consider tools like automated de-identification software with facial recognition, multi-step verification processes, and audit trails to track image modifications. Clear guidelines for urgent image sharing are also essential.

Regular staff training and consistent audits help ensure these practices are followed. Platforms like Censinet RiskOps™ can assist with both de-identification and cybersecurity measures ^[1].

How to De-Identify Patient Data

HIPAA outlines two main methods for de-identifying protected health information (PHI): the Safe Harbor Method and the Expert Determination Method. These approaches help healthcare organizations use patient data while staying compliant with HIPAA regulations.

Safe Harbor Method

1. Systematic Review

Use automated tools and manual checks to remove all 18 HIPAA-defined identifiers from the data.

2. Documentation

Keep detailed records of procedures, modification dates, responsible personnel, and quality control measures.

3. Verification

Perform a dual review of the de-identified data to confirm all identifiers have been removed.

Expert Determination Method

This method involves a qualified expert who:

Evaluates the risk of re-identification.
Chooses appropriate de-identification techniques.
Documents the methods used.
Certifies that the risk of re-identification is minimal.

Both methods should be part of an ongoing risk management plan to ensure PHI remains protected. Tools like Censinet RiskOps™ can simplify PHI security and compliance tasks ^[1].

Best Practices for Maintaining De-identified Data

To maintain compliance and secure de-identified data:

Perform quarterly audits of de-identification processes.
Update procedures based on evolving threats.
Train staff regularly on handling PHI.
Use role-based access controls to limit data access.
Monitor system logs for any unauthorized access attempts.

Healthcare organizations should also have clear protocols for handling unusual cases or emergencies while staying within HIPAA guidelines. Regular risk assessments and updates to de-identification processes are crucial for protecting sensitive patient data.

Combining automated tools with human oversight creates a dependable system for processing large datasets accurately and in compliance with regulations. This hybrid approach reduces the chances of errors, ensuring thorough de-identification.

Common De-Identification Problems

De-identifying Protected Health Information (PHI) is essential for HIPAA compliance, but it comes with its fair share of challenges. Healthcare organizations often find it difficult to remove identifying details while keeping the data useful, especially with the rise of AI. Let’s dive into some of the main obstacles.

AI and Re-Identification Risks

AI systems today are powerful enough to analyze massive datasets and uncover patterns that could potentially re-link de-identified data to individuals. This creates a tough, ongoing battle for healthcare organizations to guard against re-identification threats.

Resource Limitations and Scaling Issues

Balancing de-identification efforts with other cybersecurity priorities is no small task. Erik Decker, CISO at Intermountain Health, highlights the role of tools in managing these challenges:

"Censinet portfolio risk management and peer benchmarking capabilities provide additional insight into our organization's cybersecurity investments, resources, and overall program." ^[1]

Scaling these processes without sacrificing accuracy is another hurdle. Will Ogle from Nordic Consulting shares:

"We looked at many different solutions, and we chose Censinet because it was the only solution that enabled our team to significantly scale up the number of vendors we could assess, and shorten the time it took to assess each vendor, without having to hire more people." [2]

Operational Challenges with Remote Work

Remote work environments add another layer of complexity. Aaron Miri, CDO at Baptist Health, explains how automation helps:

"Censinet RiskOps enables us to automate and streamline our IT cybersecurity, third-party vendor, and supply chain risk programs in one place. Censinet enables our remote teams to quickly and efficiently coordinate IT risk operations across our health system." [3]

Managing Vendor Risk

Third-party vendors often handle PHI, so healthcare organizations must ensure these vendors follow strict de-identification practices. This means conducting thorough risk assessments and keeping a close eye on their processes.

Balancing Data Usefulness and Privacy

One of the toughest challenges is finding the right balance. If de-identification goes too far, it can strip data of its value for research. On the other hand, weak measures can expose sensitive information. Striking this balance is key to protecting privacy while enabling meaningful data analysis that complies with HIPAA.

Managing HIPAA Identifiers and Protecting Patient Privacy

Handling the 18 HIPAA identifiers is crucial for maintaining compliance and safeguarding patient privacy, especially as healthcare data becomes more complex and cybersecurity threats grow. Automated risk management platforms now make the de-identification process easier and more efficient.

Aaron Miri, CDO at Baptist Health, highlights the benefits of automation:

"Censinet RiskOps enables us to automate and streamline our IT cybersecurity, third-party vendor, and supply chain risk programs in one place. Censinet enables our remote teams to quickly and efficiently coordinate IT risk operations across our health system" ^[1].

These platforms simplify risk management while strengthening PHI de-identification measures. They strike the right balance between keeping data useful and protecting privacy. Here's how they help:

Automating workflows for assessments
Offering real-time updates on compliance
Supporting team collaboration for risk management
Simplifying vendor risk evaluations
Keeping thorough audit records

How can we assist?