What Information Must Be Redacted Under HIPAA?

Neetusha · Founder & CEO of RedactifyAI

HIPAA requires removal of 18 specific Safe Harbor identifiers from patient records before they can be considered de-identified and shared without authorization. The list includes names, dates more specific than year, geographic data smaller than a state, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code.

The 18 HIPAA Safe Harbor identifiers

The list comes from 45 CFR § 164.514(b)(2). To de-identify patient health information under the Safe Harbor method, all of these must be removed from the record:

  1. Names.
  2. Geographic subdivisions smaller than a state, except the first three digits of a ZIP code if the population of that ZIP region is greater than 20,000.
  3. All elements of dates (except year) directly related to an individual.
  4. Phone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP addresses.
  16. Biometric identifiers, including finger and voice prints.
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code.

What HIPAA does NOT require to be redacted

Year-only date elements (without month and day) can stay. Three-digit ZIP code prefixes are allowed if the underlying region has more than 20,000 people. Aggregate or summary statistics derived from de-identified data are not subject to redaction. Clinical content that does not identify the individual (diagnoses, procedure codes, lab values) is fine to share once the identifiers are removed.

What goes wrong in practice

Healthcare organizations regularly miss identifiers buried in document metadata, comments, embedded images, and file properties. Names appear in headers and footers that automated tools sometimes skip. Dates appear in sentences like "the patient was admitted on March 15, 2024": easy to redact in a structured form, harder to catch in narrative text. According to the HHS Office for Civil Rights, improper de-identification is a recurring source of HIPAA enforcement actions.
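To make the narrative-text problem concrete, here is an added example (not RedactifyAI code) of a Safe Harbor scrubber for free text: it reduces dates to the year, truncates ZIP codes to the three-digit prefix (or 000 for restricted prefixes), and replaces the pattern-detectable identifiers from the list above. The restricted ZIP prefix set and the sample note are constructed for illustration; names are taken from a caller-supplied list because regexes cannot find them reliably.

```python
import re

# Illustrative (constructed) set of 3-digit ZIP prefixes covering 20,000 people or
# fewer; the authoritative list must be derived from current census data.
RESTRICTED_ZIP3 = {"036", "102"}
MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# Safe Harbor categories that regexes can catch in narrative text, applied in order.
# Dates keep only the year, which Safe Harbor permits; everything else is replaced.
PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"), "[PHONE]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    ("url",   re.compile(r"https?://[^\s,;)]+"), "[URL]"),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("mrn",   re.compile(r"\bMRN[:#]?\s*\d+\b", re.I), "[MRN]"),
    ("date",  re.compile(rf"\b(?:{MONTHS}) \d{{1,2}}, (\d{{4}})\b"), r"\1"),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
    ("date",  re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
]
# ZIP codes are recognised only after a two-letter state abbreviation to limit
# false hits on other five-digit numbers (lab values, counts).
ZIP_RE = re.compile(r"\b([A-Z]{2}) (\d{3})\d{2}(?:-\d{4})?\b")

def _zip_repl(m):
    """Keep the state and the 3-digit prefix unless that prefix is restricted."""
    state, prefix = m.group(1), m.group(2)
    return f"{state} {'000' if prefix in RESTRICTED_ZIP3 else prefix}"

def safe_harbor_redact(text, known_names=()):
    """Return (redacted_text, findings); findings lists (category, original)."""
    findings = []
    # Names cannot be found reliably by regex; take them from structured fields
    # (the demographics header) and scrub every occurrence in the narrative.
    for name in known_names:
        pat = re.compile(re.escape(name), re.I)
        findings += [("name", m.group()) for m in pat.finditer(text)]
        text = pat.sub("[NAME]", text)
    for cat, pat, repl in PATTERNS:
        findings += [(cat, m.group()) for m in pat.finditer(text)]
        text = pat.sub(repl, text)
    findings += [("zip", m.group()) for m in ZIP_RE.finditer(text)]
    return ZIP_RE.sub(_zip_repl, text), findings

# Constructed sample note, not real patient data.
SAMPLE = ("Patient Jane Doe, MRN 44871023, SSN 123-45-6789, was admitted on March 15, 2024 "
          "and discharged 03/22/2024. Lives in MA 02115. Contact: (617) 555-0199, "
          "jane.doe@example.com. Portal: https://portal.example.org/p/44871023 from "
          "203.0.113.7. Lab: glucose 142 mg/dL.")
```

The findings list is what an audit step should review: clinical content such as the lab value passes through untouched, while every identifier category hit is recorded with its original text.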

Stop redacting documents manually

RedactifyAI detects PII automatically and redacts it permanently. Not just a black box overlay. Try it free, no credit card required.