Safe Harbor Identifiers are the 18 specific categories of data that must be removed from a health record to satisfy the HIPAA Safe Harbor de-identification standard. These identifiers, defined in §164.514(b)(2) of the HIPAA Privacy Rule, include direct identifiers like names and Social Security numbers, as well as quasi-identifiers such as dates and geographic subdivisions smaller than a state. The removal of these 18 categories, combined with the covered entity having no actual knowledge that remaining information could identify the individual, renders the data no longer considered Protected Health Information (PHI).
Glossary
Safe Harbor Identifiers

What are Safe Harbor Identifiers?
The 18 specific categories of protected health information that must be removed for a dataset to be considered de-identified under the HIPAA Safe Harbor method.
The 18 identifiers encompass: names; geographic subdivisions smaller than a state; all elements of dates (except year) directly related to an individual; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers, including finger and voice prints; full-face photographic images; and any other unique identifying number, characteristic, or code. The standard explicitly requires the removal of these identifiers from the covered entity's records and prohibits the entity from having actual knowledge that the remaining information could be used alone or in combination to re-identify the individual.
The 18 HIPAA Safe Harbor Identifiers
The 18 specific categories of protected health information (PHI) that must be removed from a dataset to satisfy the HIPAA Safe Harbor de-identification standard under §164.514(b)(2).
| Identifier Category | Examples | Applies to Individual | Applies to Relatives & Household |
|---|---|---|---|
| Full name, last name, first name, middle initial, maiden name, alias | ||
| Street address, city, county, precinct, ZIP code (first 3 digits if >20,000 people) | ||
| Birth date, admission date, discharge date, date of death, exact age if >89 | ||
| Home, work, mobile, fax numbers | ||
| Any fax contact number | ||
| Personal and work email addresses | ||
| Full 9-digit SSN | ||
| MRN, patient ID, accession number | ||
| Insurance ID, member ID, group number | ||
| Financial account numbers, billing account numbers | ||
| Driver's license, professional license, DEA number | ||
| VIN, license plate numbers, vehicle registration | ||
| Implant serial numbers, device UDI, MAC address | ||
| Personal websites, social media profile URLs | ||
| IPv4, IPv6 addresses | ||
| Fingerprints, voiceprints, retinal scans, facial recognition templates | ||
| Any photographic image of the full face, comparable images | ||
| Clinical trial enrollment ID, DNA sequence, tattoo description, emergency contact info |
How Safe Harbor De-identification Works
The Safe Harbor method is a prescriptive HIPAA de-identification standard requiring the removal of 18 specific categories of identifiers from protected health information to render it no longer individually identifiable.
The Safe Harbor method requires a covered entity to remove all 18 specified identifiers from the data, and the covered entity must have no actual knowledge that the remaining information could be used alone or in combination to identify the subject. This is a purely objective, checklist-based approach distinct from the statistical Expert Determination method.
The 18 identifiers include direct identifiers like names and Social Security numbers, quasi-identifiers like dates and ZIP codes, and biometric data. If any single identifier remains, the data is not considered de-identified under this standard, and full HIPAA Privacy Rule protections still apply.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the 18 HIPAA Safe Harbor identifiers and their role in clinical data de-identification.
The 18 HIPAA Safe Harbor identifiers are the specific categories of data that must be removed from a health record for it to be considered de-identified under the Safe Harbor method of the HIPAA Privacy Rule. These identifiers include: (1) Names; (2) All geographic subdivisions smaller than a state; (3) All elements of dates directly related to an individual; (4) Telephone numbers; (5) Fax numbers; (6) Email addresses; (7) Social Security numbers; (8) Medical record numbers; (9) Health plan beneficiary numbers; (10) Account numbers; (11) Certificate/license numbers; (12) Vehicle identifiers and serial numbers; (13) Device identifiers and serial numbers; (14) Web URLs; (15) IP addresses; (16) Biometric identifiers, including finger and voice prints; (17) Full-face photographic images and comparable images; and (18) Any other unique identifying number, characteristic, or code. The covered entity must also have no actual knowledge that the remaining information could be used alone or in combination to identify the individual.
Related Terms
Core concepts and methodologies that intersect with the 18 Safe Harbor identifiers, forming the operational backbone of clinical data de-identification.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us