De-identification of Protected Health Information

The de-identification of Protected Health Information removes Privacy Rule and Security Rule protections from any information remaining in a designated record set, because this information cannot be used to commit fraud, abuse, or theft if it is acquired by a bad actor. However, there are set methods for de-identifying Protected Health Information.

HIPAA Privacy Rule limitations apply only to individually identifiable health information. If PHI is de-identified or anonymized, meaning there is no way to determine the identity of the person and re-identification of the person is not possible, the PHI can be freely shared or disclosed.

The de-identification of PHI allows health data to be shared in different ways without violating patient privacy or needing patient consent or authorization beforehand. De-identified PHI can be disclosed for medical research studies, comparative studies, policy evaluations, and other studies and analysis.

There are two ways to proceed with HIPAA-compliant de-identification of PHI: Safe Harbor or Expert Determination. Neither method of PHI de-identification will eliminate all risk of re-identifying the patients, but both methods will minimize risk to a surprisingly low and acceptable level. Use either method described below to de-identify PHI so that it is no longer subject to HIPAA Privacy Rule restrictions.

Safe Harbor Method – Removing Specific Identifiers

This method removes certain identifiers from the data set. The identifiers that should be removed are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (other than year) associated with a person (such as admission and discharge dates, date of birth, date of death, all ages over 89 years old, and elements of dates (which include year) that indicate age)
  • Contact numbers
  • Email addresses
  • Social Security numbers
  • IP addresses
  • Website URLs
  • Medical record numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Biometric identifiers (including finger and voice prints)
  • Full face photos and comparable images
  • Any unique identifying numbers, characteristics or codes

When it comes to ZIP codes, covered entities can use the first three digits as long as the geographic unit formed by combining all ZIP codes that share those first three digits has over 20,000 people. If that geographic unit has fewer than 20,000 people, the first three digits must be changed to 000. Based on Bureau of the Census data, that means 17 ZIP codes should have the first three digits adjusted to zero.
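
The ZIP code, date, and age rules above can be applied to a record in code. This is an added example, not part of the original article: the field names, the allow-list approach, and the population table are assumptions, and ages over 89 are aggregated into a single "90+" category.

```python
import re
from datetime import date

# Allow-list of pass-through fields (hypothetical schema). Anything not named
# here or handled below (names, SSNs, free text, ...) is dropped.
SAFE_FIELDS = {"diagnosis_code", "sex"}
DATE_FIELDS = {"admission_date", "discharge_date", "birth_date", "death_date"}
MIN_POPULATION = 20_000
ZIP_RE = re.compile(r"(\d{3})\d{2}(-\d{4})?")


def generalize_zip(zip_code, prefix_population):
    """Return the 3-digit prefix if its area has over 20,000 people, else 000."""
    match = ZIP_RE.fullmatch(str(zip_code).strip())
    if match is None:
        return "000"  # malformed input fails closed
    prefix = match.group(1)
    # A prefix missing from the table is treated as sparsely populated.
    return prefix if prefix_population.get(prefix, 0) > MIN_POPULATION else "000"


def age_on(birth, as_of):
    """Age in whole years on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record, prefix_population, as_of):
    """Return a new record with the Safe Harbor generalizations applied."""
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if birth else record.get("age")
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value, prefix_population)
        elif key in DATE_FIELDS:
            # Keep the year only; a birth year that reveals an age over 89 goes too.
            if not (key == "birth_date" and over_89):
                out[key.replace("_date", "_year")] = value.year
        elif key in SAFE_FIELDS:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


# Constructed sample data: populations and the patient record are invented.
POPULATION = {"100": 1_500_000, "036": 12_000}
PATIENT = {"name": "Jane Example", "ssn": "000-00-0000", "zip": "10025-1234",
           "birth_date": date(1930, 5, 1), "admission_date": date(2023, 3, 14),
           "diagnosis_code": "E11.9"}
print(safe_harbor(PATIENT, POPULATION, as_of=date(2024, 1, 1)))
```

In practice the population table would be built from current Census figures rather than the constructed values shown here.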


Expert Determination Method

This method bears some risk that a person may be identified, but the risk is low enough that it still satisfies the HIPAA Privacy Rule requirements. HIPAA covered entities or business associates must obtain the opinion of a statistical expert to make sure that the risk of re-identifying a person from the data set is really small. In such instances, the techniques used should be documented and kept by the covered entity or business associate and made accessible to government bodies in case of an investigation or audit.

The expert should be an individual with proper know-how and experience in applying statistical and scientific principles and techniques for removing or modifying information to ensure that it is not individually identifiable. It is important that the expert has experience in de-identifying data. Regulators will be looking at that experience in case of an audit, and not the expert’s specific skills or certifications. When applying methods and principles, the expert should determine whether the risk of re-identification of a person is really small. The risk of re-identification ought to be very small when the data is used by itself, and should stay very small if the data is combined with other available information that a recipient has access to.

HIPAA does not define the level of risk of re-identification beyond saying that it ought to be ‘very small’. The expert must specify ‘very small’ in the context of the data set, the particular environment, and the capability of a person to re-identify individuals. For more details on de-identifying PHI using expert determination, see 45 CFR § 164.514(b)(1). The U.S. Department of Health and Human Services’ Office for Civil Rights has released guidance on de-identification of PHI which is available on this link.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: