
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

De-identification of Protected Health Information: How to Anonymize PHI

The de-identification of Protected Health Information enables covered entities and business associates to use or disclose health information to third parties for any purpose without being restricted by the requirements of the HIPAA Privacy Rule. However, it is important to be aware that other laws may apply to uses and disclosures of de-identified health information.

If PHI is de-identified so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, the health information can be freely disclosed.

Why De-Identify Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information – whether digital, paper, or oral – that relates to an individual’s health condition, treatment for the condition, or payment for the treatment. To protect the information, the HIPAA Privacy Rule stipulates which uses and disclosures of PHI are required or permitted, which uses and disclosures require consent or attestation, and which uses or disclosures are only allowed with the authorization of the subject of the information.

The HIPAA Privacy Rule requirements limit how PHI can be used or disclosed. For example, while it is still protected, PHI cannot be used for beneficial studies that require large data sets from multiple sources such as medical research studies, policy assessments, and life sciences research. However, when individually identifiable health information is no longer individually identifiable, it is no longer protected, and the limitations of the HIPAA Privacy Rule no longer apply.

Designated Record Sets and HIPAA Anonymization

To best understand the HIPAA-compliant methods of PHI de-identification, it is important to know what designated record sets and HIPAA anonymization are. There are two types of designated record sets:

  • Designated record sets maintained by a healthcare provider contain health, health care, and billing records about an individual.
  • Designated record sets maintained by a health plan contain enrollment, payment, claims, and medical management records.

The records within designated record sets are used by covered healthcare providers and health plans to make decisions about individuals, for example, diagnoses, eligibility for treatment, and co-pays.


Because the records in a designated record set relate to an individual’s health condition, treatment for the condition, or payment for the treatment, they are protected. In addition, any identifying information included in a designated record set (i.e., name, address, phone number, etc.) assumes the same protections as the protected health, treatment, or payment records – even though it would not be protected outside a designated record set (*).

The objective of HIPAA anonymization is to remove any identifying information that is in a designated record set so that any health, treatment, or payment information left in the designated record set cannot identify the subject of the information. As mentioned above, when the health, treatment, or payment information is no longer individually identifiable, it is no longer protected and can be used or disclosed without limitation.

(*) To clarify this point, if an individual’s vehicle license plate number and their credit card details are collected by a HIPAA-covered hospital when a patient pays for parking and are maintained in a separate record set, the license plate number and credit card details are not protected by HIPAA because the reason they were collected is not regulated by HIPAA. Individual identifiers such as vehicle license plate numbers and credit card details only qualify as PHI when they are maintained in a protected designated record set with PHI. When maintained separately, individually identifiable non-health information is not protected by HIPAA.

HIPAA-Compliant De-Identification of Protected Health Information

HIPAA-compliant de-identification of Protected Health information is possible using two methods: the HIPAA Safe Harbor method and HIPAA Expert Determination. HHS’ Office for Civil Rights acknowledges that neither method of de-identification of Protected Health Information will remove all risk of re-identification, but both methods will reduce risk to a low and acceptable level.

Covered entities and business associates can use either method of de-identification to achieve the objectives of HIPAA anonymization. In both cases, any health information remaining in a designated record set will not be considered protected and will not be subject to the use and disclosure limitations of the Privacy Rule.

1.     HIPAA Safe Harbor – The Removal of Specific Identifiers

The first HIPAA-compliant way to de-identify Protected Health Information is to remove specific identifiers from the designated record set. The identifiable data that must be removed according to 45 CFR §164.514(b)(2) are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates – including year – that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Website URLs
  • Full-face photos and comparable images
  • Biometric identifiers (including fingerprints and voice prints)
  • Any unique identifying numbers, characteristics or codes

In the case of ZIP codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals. When that geographical unit contains fewer than 20,000 individuals, it should be changed to 000. According to the Bureau of the Census, that means 17 ZIP codes must have the first three digits changed to zero:

036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831

Covered entities should note that the above list of ZIP codes may change after future censuses. The list is based on 5-digit ZIP codes from the 2000 census.

IMPORTANT NOTE: The list of HIPAA identifiers was compiled in 1999 and is now out of date. Additional identifiers that must be removed from a designated record set before it can be considered de-identified include social media aliases, Medicare Beneficiary Numbers, gender, LGBTQ+ statuses, and details relating to an emotional support animal if the animal could be used to identify the subject of the health information.
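As an added example (not code from the page, HHS, or the HIPAA Journal), the Safe Harbor generalizations above applied in Python to one constructed record: direct identifiers are dropped, every date keeps only its year, the ZIP is truncated to three digits with the 17 restricted prefixes mapped to 000, and ages over 89 (together with a birth year that would reveal such an age) are collapsed into a single 90-or-older category, which §164.514(b)(2) permits. The column names and sample values are assumptions.

```python
from datetime import date

# Three-digit ZIP prefixes that must become "000" (2000 census list quoted above).
RESTRICTED_ZIP3 = {
    "036", "692", "878", "059", "790", "879", "063", "821", "884",
    "102", "823", "890", "203", "830", "893", "556", "831",
}

# Direct-identifier columns removed outright (assumed column names).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip_address", "account_number"}


def generalize_zip(zip_code: str) -> str:
    """Keep only the three-digit prefix, or return "000" for a restricted prefix."""
    prefix = "".join(ch for ch in zip_code if ch.isdigit())[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of one record: identifiers dropped, dates reduced
    to years, ZIP truncated, and ages over 89 aggregated into "90+"."""
    out = {}
    age = age_on(record["dob"], as_of)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # identifier removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            # A birth year is itself indicative of age, so it is dropped for the 90+ group.
            out["birth_year"] = None if age > 89 else value.year
        elif isinstance(value, date):
            out[key] = value.year  # admission, discharge, etc. keep only the year
        else:
            out[key] = value
    out["age"] = "90+" if age > 89 else str(age)
    return out


# Constructed sample record (assumed field names; not real patient data).
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
          "dob": date(1932, 3, 15), "admit_date": date(2023, 11, 2),
          "zip": "03601", "diagnosis": "E11.9"}


def demo() -> dict:
    return safe_harbor(SAMPLE, as_of=date(2024, 1, 1))


if __name__ == "__main__":
    print(demo())
```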

2. HIPAA Expert Determination


The HIPAA expert determination method carries a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule requirements.

This method of de-identification of Protected Health Information requires a HIPAA-covered entity or business associate to obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the health information remaining in the designated record set is very small. In such cases, the methods used to make that determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.

When those methods and principles have been applied, the expert must determine that the risk of re-identification of an individual is very small. In such cases, the risk of re-identification must be very small when the information is used alone, and must remain very small should the data be combined with other reasonably available information by the anticipated recipient.

HIPAA does not define the level of risk of re-identification other than to say it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an anticipated recipient to be able to re-identify individuals.

Experts may come from a number of different fields and do not require any specific qualifications. What is important is that experts have experience of de-identifying data. It is that experience that regulators will look at in the event of an audit, not specific qualifications or certifications.

For further information on de-identification of Protected Health Information by HIPAA expert determination, see 45 CFR § 164.514(b)(1). Alternatively, HHS’ Office for Civil Rights has published guidance on the HIPAA de-identification of Protected Health Information on its website.

De-Identification of Protected Health Information FAQs

Why is the list of HIPAA Safe Harbor identifiers the same as many definitions of PHI?

The list of Safe Harbor identifiers is the same as many definitions of PHI because some sources have mistakenly used the list to answer the question, “What is PHI?” It is important to be aware that this is not the case.

PHI – or Protected Health Information – is individually identifiable health information that relates to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. Only when identifiers are maintained in the same designated record set as PHI do the identifiers assume protected status.

The list of Safe Harbor identifiers is a (now incomplete) list of possible identifiers that could be maintained in the same designated record set as PHI. If so, they (and any other identifiers not included on the list) must be removed from the designated record set before any remaining PHI is considered de-identified.

Do doctors’ names have to be removed from a data set for PHI to be de-identified?

Doctors’ names have to be removed from a data set for PHI to be de-identified if the name of a doctor, individually or with other information, could be used to identify the subject of the data set. If there is very little chance of a patient being identified by a doctor’s name, then the name can remain in the de-identified data set subject to any state laws or confidentiality concerns.

Generally, with regards to the removal of names from designated data sets, the name of the patient (including nicknames, pet names, and any other names they may be known by) has to be removed, along with the names of relatives, employers, and household members. There is no requirement in HIPAA to remove the names of healthcare providers or any workforce members.

Must a Business Associate Agreement or Data Use Agreement be in place before disclosing de-identified health data to a business partner?

A Business Associate Agreement or Data Use Agreement does not have to be in place before disclosing de-identified health data to a business partner. However, covered entities can, if they wish, enter into a Data Use Agreement with the recipient of the data to specify how the recipient can use the data and prohibit its re-identification.

What is considered “appropriate knowledge and experience” for expert determination?

There is no definition of appropriate knowledge and experience for expert determination in HIPAA. However, in the event of a HIPAA compliance audit, HHS’ Office for Civil Rights would review the expert’s professional experience, their academic training, and the processes used in the de-identification of PHI in the designated record set to assess their capabilities.

Is there an expiration date for de-identified health data?

There is no expiration date for de-identified health data stipulated in the HIPAA Privacy Rule. However, the Department of Health & Human Services recognizes that “technology, social conditions, and the availability of information changes over time” and has suggested that covered entities periodically review the chosen de-identification of PHI method to ensure it meets the very low risk requirement.

Why is the list of HIPAA Safe Harbor identifiers incomplete?

The list of HIPAA Safe Harbor identifiers is incomplete because it was published a quarter of a century ago in a time before (for example) social media and emotional support animals. If a patient has a social media handle maintained with PHI in a designated record set, or information relating to an emotional support animal, that information also needs to be removed from a designated record set before it can be considered de-identified.

What is the benefit of de-identifying Protected Health Information?

The benefit of de-identifying Protected Health Information is that the de-identified data can be used for medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating patient privacy or requiring individual authorizations. Effectively, once PHI is de-identified, the restrictions of the HIPAA Privacy Rule no longer apply.

What are the two HIPAA-compliant methods for de-identifying PHI?

The two HIPAA-compliant methods of de-identifying PHI are the HIPAA Safe Harbor method and the HIPAA Expert Determination method. It is important to be aware that the list of identifiers listed in the Safe Harbor method is out of date, and organizations considering this method of HIPAA de-identification are advised to seek professional compliance advice before relying on the content of §164.514 to de-identify PHI.

How does the Expert Determination method of de-identifying PHI work?

The Expert Determination method of de-identifying PHI works by obtaining an opinion from a qualified statistical expert indicating that the risk of re-identifying an individual from the de-identified data set is very small. The methods used for this determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate.

Does the HIPAA Privacy Rule define the level of risk of re-identification in the Expert Determination method?

The HIPAA Privacy Rule does not define the level of risk of re-identification in the Expert Determination method other than stating it should be “very small”. This means the expert is required to define “very small” in relation to the context of the data set, the specific environment, what the data set will be used for, and the recipient’s reasonably anticipated ability to re-identify individuals.

What other laws can impact how de-identified PHI can be used or disclosed?

Some state laws can impact how de-identified PHI can be used or disclosed. For example, the California Consumer Privacy Act requires organizations to implement business processes to prevent the inadvertent release of de-identified information – Cal. Civ. Code §1798.140(ab)(5). It is important to be aware that, while HIPAA-covered entities are exempted from complying with the CCPA, the exemption applies to PHI. Once PHI is de-identified, the exemption no longer applies.
