Inferensys

Glossary

Safe Harbor Identifiers

The 18 specific categories of data, including names, dates, and biometric identifiers, that must be removed from a health record to satisfy the HIPAA Safe Harbor de-identification standard.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
HIPAA PRIVACY RULE

What are Safe Harbor Identifiers?

The 18 specific categories of protected health information that must be removed for a dataset to be considered de-identified under the HIPAA Safe Harbor method.

Safe Harbor Identifiers are the 18 specific categories of data that must be removed from a health record to satisfy the HIPAA Safe Harbor de-identification standard. These identifiers, defined in §164.514(b)(2) of the HIPAA Privacy Rule, include direct identifiers like names and Social Security numbers, as well as quasi-identifiers such as dates and geographic subdivisions smaller than a state. The removal of these 18 categories, combined with the covered entity having no actual knowledge that remaining information could identify the individual, renders the data no longer considered Protected Health Information (PHI).

The 18 identifiers encompass: names; geographic subdivisions smaller than a state; all elements of dates (except year) directly related to an individual; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers, including finger and voice prints; full-face photographic images; and any other unique identifying number, characteristic, or code. The standard explicitly requires the removal of these identifiers from the covered entity's records and prohibits the entity from having actual knowledge that the remaining information could be used alone or in combination to re-identify the individual.

DECONSTRUCTION OF THE DE-IDENTIFICATION STANDARD

The 18 HIPAA Safe Harbor Identifiers

The 18 specific categories of protected health information (PHI) that must be removed from a dataset to satisfy the HIPAA Safe Harbor de-identification standard under §164.514(b)(2).

Identifier CategoryExamplesApplies to IndividualApplies to Relatives & Household
  1. Names

Full name, last name, first name, middle initial, maiden name, alias

  1. Geographic subdivisions smaller than a state

Street address, city, county, precinct, ZIP code (first 3 digits if >20,000 people)

  1. Dates directly related to an individual

Birth date, admission date, discharge date, date of death, exact age if >89

  1. Telephone numbers

Home, work, mobile, fax numbers

  1. Fax numbers

Any fax contact number

  1. Email addresses

Personal and work email addresses

  1. Social Security numbers

Full 9-digit SSN

  1. Medical record numbers

MRN, patient ID, accession number

  1. Health plan beneficiary numbers

Insurance ID, member ID, group number

  1. Account numbers

Financial account numbers, billing account numbers

  1. Certificate/license numbers

Driver's license, professional license, DEA number

  1. Vehicle identifiers and serial numbers

VIN, license plate numbers, vehicle registration

  1. Device identifiers and serial numbers

Implant serial numbers, device UDI, MAC address

  1. Web Universal Resource Locators (URLs)

Personal websites, social media profile URLs

  1. Internet Protocol (IP) address numbers

IPv4, IPv6 addresses

  1. Biometric identifiers

Fingerprints, voiceprints, retinal scans, facial recognition templates

  1. Full-face photographic images

Any photographic image of the full face, comparable images

  1. Any other unique identifying number, characteristic, or code

Clinical trial enrollment ID, DNA sequence, tattoo description, emergency contact info

THE 18 HIPAA IDENTIFIERS

How Safe Harbor De-identification Works

The Safe Harbor method is a prescriptive HIPAA de-identification standard requiring the removal of 18 specific categories of identifiers from protected health information to render it no longer individually identifiable.

The Safe Harbor method requires a covered entity to remove all 18 specified identifiers from the data, and the covered entity must have no actual knowledge that the remaining information could be used alone or in combination to identify the subject. This is a purely objective, checklist-based approach distinct from the statistical Expert Determination method.

The 18 identifiers include direct identifiers like names and Social Security numbers, quasi-identifiers like dates and ZIP codes, and biometric data. If any single identifier remains, the data is not considered de-identified under this standard, and full HIPAA Privacy Rule protections still apply.

SAFE HARBOR COMPLIANCE

Frequently Asked Questions

Clear, technical answers to the most common questions about the 18 HIPAA Safe Harbor identifiers and their role in clinical data de-identification.

The 18 HIPAA Safe Harbor identifiers are the specific categories of data that must be removed from a health record for it to be considered de-identified under the Safe Harbor method of the HIPAA Privacy Rule. These identifiers include: (1) Names; (2) All geographic subdivisions smaller than a state; (3) All elements of dates directly related to an individual; (4) Telephone numbers; (5) Fax numbers; (6) Email addresses; (7) Social Security numbers; (8) Medical record numbers; (9) Health plan beneficiary numbers; (10) Account numbers; (11) Certificate/license numbers; (12) Vehicle identifiers and serial numbers; (13) Device identifiers and serial numbers; (14) Web URLs; (15) IP addresses; (16) Biometric identifiers, including finger and voice prints; (17) Full-face photographic images and comparable images; and (18) Any other unique identifying number, characteristic, or code. The covered entity must also have no actual knowledge that the remaining information could be used alone or in combination to identify the individual.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.