The De-identification Standard for Protected Health Information (PHI)

The HIPAA Privacy Rule identifies a number of elements that contain information considered to be protected health information (PHI). Covered entities (health care providers, health plans, and healthcare clearinghouses) that fall under the HIPAA Privacy Rule must use de-identification methods to remove identifiers from health information. This allows covered entities or their business associate to collect information that is not individually identifiable. 

There are two de-identification methods that can be used: 1. A formal determination by a qualified expert, or the “Expert Determination” method, or 2. removal of specified individual identifiers using the “Safe Harbor” method. The Safe Harbor method removes the 18 identifiers and actual knowledge that can be used to identify an individual. 

The 18 HIPAA Identifiers

1. Names – Full name, first name, last name, maiden name, or any other names
2. Geographic subdivisions smaller than state – Including street address, city, county, precinct, ZIP code (first three digits are okay if the geographic unit contains more than 20,000 people)
3. Dates – All dates directly related to an individual (birth date, admission date, discharge date, date of death, etc.) — except year can be retained
4. Telephone numbers – Any phone numbers
5. Fax numbers – Any fax numbers
6. Email addresses – Any email addresses
7. Social Security numbers – Full or partial SSNs
8. Medical record numbers – MRN or patient account numbers
9. Health plan beneficiary numbers – Insurance member IDs, policy numbers
10. Account numbers – Financial account numbers
11. Certificate/license numbers – Driver’s license, professional licenses, etc.
12. Vehicle identifiers – License plate numbers, VINs, serial numbers
13. Device identifiers and serial numbers – Including medical device serial numbers
14. Web URLs – Universal Resource Locators
15. IP addresses – Internet Protocol addresses (even partial)
16. Biometric identifiers – Fingerprints, voiceprints, retinal scans, etc.
17. Full-face photographs – And any comparable images
18. Any other unique identifying number, characteristic, or code – This is a catch-all for anything else that could identify an individual

Removing these identifiers through the “Safe Harbor” method will meet the de-identification standard §164.514(a) of the HIPAA Privacy Rule. 

Note: Even when this method is properly applied there is still some risk of identification. Even when data is de-identified, the risk of identification is not zero and still has the potential to link back and identify a patient in which the data corresponds. 

Website Tracking in Healthcare

Tracking technologies gather information about users as they interact with the website. This data is important in digital marketing to gather useful insights to improve the customer experience. However, website tracking, even without you realizing it, can pose significant risk in violating the HIPAA Privacy Rule. We’ve identified the most commonly violated identifiers in website tracking:

• #15 – IP addresses (captured by default in analytics)
• #14 – URLs (especially with query parameters)
• #6 – Email addresses (in forms and auto-capture)
• #4 – Phone numbers (in contact forms)
• #2 – Geographic data (city-level location from IP address)
• #18 – Unique identifiers (cookies, device IDs, session tokens)

Pilot’s HIPAA compliance solutions make your website HIPAA compliant. Our server-side analytics solution strips these identifiers before data reaches third parties like Google Analytics, Google Ads, and Meta Ads. You don’t have to abandon your marketing tools to remain HIPAA compliant. Learn how we can help your organization.