The U.S. Department of Health and Human Services (HHS) provides several web based tools to help providers understand and navigate HIPAA and its requirements. Below are summary excerpts from HHS that explain what information is considered protected under HIPAA:

Protected Health Information:

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate (see Learn More below), in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” 45 C.F.R. § 160.103.

“Individually identifiable health information” is information, including demographic data, that relates to:

• The individual’s past, present or future physical or mental health or condition;
• The provision of health care to the individual; or,
• The past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 45 C.F.R. § 160.10.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

What are the 18 identifiers?

There are various methods that can be utilized to remove certain key identifiers, in order to de-identify the information so that HIPAA no longer applies. There are subtleties and important caveats (for example, what ZIP codes contain less than 20,000 people) but a general overview provided by HHS are provided as follows:

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
   1. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
   2. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code
    1. There may be exceptions where use of certain identifiers may be permitted
    2. Caution should be exercised at all times – see HHS links below in ‘learn more’ for details

Learn More – Primary Sources:

HHS: Summary of the HIPAA Privacy Rule

HHS: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule