What are HIPAA identifiers?

How Does the HIPAA Privacy Rule Apply to Minors

The HIPAA identifiers are elements of information that can identify an individual and that have to be removed from a designated record set before the remaining content is considered de-identified using the safe harbor method of de-identification.  

In the Privacy Rule, standard §164.514 stipulates the “Other requirements relating to uses and disclosures of protected health information”. This standard covers topics such as using individually identifiable information for fundraising, verifying the identity of a person to whom Protected Health Information (PHI) is disclosed, and de-identifying PHI before it can be used as a limited data set.

In the context of de-identifying PHI before it can be used as a limited data set, the standard lists eighteen identifiers “of the individual or of relatives, employers, or household members of the individual” that must be removed from a designated record set before any health information remaining in the designated record set is no longer protected health information.

  1. Names (Full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Are HIPAA Identifiers PHI?

HIPAA identifiers are not necessarily PHI. This is because the (summarized) definition of PHI is “any information relating to an individual´s medical condition, treatment for the condition, or payment for the treatment, that is created, received, maintained, or transmitted by a Covered Entity or Business Associate that identifies the individual or could be used to identify the individual.”

Information of this nature is usually maintained in a designated record set – typically a group of records that includes medical and billing records and that is used in whole or in part to make eligibility, treatment, and payment decisions about the individual.

A designated record set will naturally include identifiers such as names, addresses, dates, etc. and when these identifiers are maintained in a designated record set, they assume the same protections as the health information maintained in the designated record set and should be considered PHI.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

However, if the same identifiers were to be stored on a database without any health information in the same group of records, they are not protected by the HIPAA Privacy Rule because the Privacy Rule only protects the “privacy of individually identifiable health information”.

Additionally, other information not included in the list of HIPAA identifiers could be included in a designated record set that could identify an individual or could be used to identify an individual – for example details of an emotional support animal or a social media alias.

What are HIPAA Identifiers? Conclusion

In conclusion, the HIPAA identifiers are the list of identifiers compiled more than twenty years ago that the Privacy Rule stipulates must be removed from a designated record set before any remaining health data is no longer protected by the Privacy Rule.

The HIPAA identifiers should only be considered PHI if they are maintained in a designated record set with the individual´s health information. If any of the identifiers are maintained in a group of records that does not include the individual´s health information, they are not protected by the Privacy Rule, but may be subject to state privacy and security regulations that preempt HIPAA.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/