The 18 HIPAA Identifiers
The 18 HIPAA Identifiers
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes Protected Health Information (PHI).
- Name
- Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image - Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.
Decedent Research
Be aware that the HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved in advance.
The 18 HIPAA Identifiers
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes Protected Health Information (PHI).
- Name
- Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image - Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.
Decedent Research
Be aware that the HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved in advance.