HIPAA Identifiers: Anonymizing Data

Protected Health Information (PHI) is considered High Risk Data according to the Stanford Risk Classification Guidelines. Falling under the definition of PHI is any information that can be used to identify an individual, which personally relates to their past, present, or future health. This information must be protected – must be stored only in encrypted form and transmitted only through secure means. However, in the case of research data for publication, PHI can be anonymized such that it is no longer considered "protected", and can therefore be released without harm. You can anonymize such data by removing all 18 HIPAA identifiers:

  1.  Names
  2. Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000)
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older)
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier).

For more about data anonymization please go here »

Also helpful

HIPAA Security and Privacy Policies