HIPAA Privacy Rule: WHAT?
De-identification of Protected Health Information (PHI)

Privacy Rule requirements do not apply to information that has been de-identified.


The Privacy Rule makes two methods available for de-identifying health information:

  1. Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
    • names
    • geographic subdivisions smaller than a state
    • all elements of dates (except year) related to an individual, including dates of admission, discharge, birth and death; for individuals over 89 years old, the year of birth must not be used either
    • telephone numbers
    • FAX numbers
    • electronic mail addresses
    • Social Security numbers
    • medical record numbers
    • health plan beneficiary numbers
    • account numbers
    • certificate/license numbers
    • vehicle identifiers and serial numbers including license plates
    • device identifiers and serial numbers
    • web URLs
    • internet protocol addresses
    • biometric identifiers (including finger and voice prints)
    • full face photos and comparable images
    • any unique identifying number, characteristic or code
  2. Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.
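
An added example, not part of the original guide: a Python sketch of method 1 applied to one structured record, including the date rule (year only, and no birth year for individuals over 89). The field names and the allow-list are hypothetical; any field on neither list is held for human review rather than released, and free-text fields are out of scope.

```python
from datetime import date

# Hypothetical field names; map them to your own schema.
IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Fields someone has already reviewed and judged non-identifying (assumption).
ALLOWED_FIELDS = {"state", "sex", "diagnosis_code"}


def age_on(birth, as_of):
    """Whole years of age on the date as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record, as_of):
    """Return (clean_record, fields_needing_review) for one record."""
    clean, review = {}, []
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue  # listed identifier: never released
        if field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue  # over 89: the birth year must not be used
            clean[field.replace("_date", "_year")] = value.year
        elif field in ALLOWED_FIELDS:
            clean[field] = value
        else:
            # Fail closed: could be a unique number, characteristic or code.
            review.append(field)
    return clean, review


if __name__ == "__main__":
    sample = {  # constructed record, not real data
        "name": "Jane Example", "mrn": "MRN-0001", "state": "NC",
        "birth_date": date(1910, 3, 14), "admission_date": date(2003, 2, 1),
        "diagnosis_code": "I10", "study_code": "X-17",
    }
    print(deidentify(sample, as_of=date(2003, 8, 26)))
```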

Last updated: August 26, 2003