What is the HIPAA Safe Harbor Provision?

The HIPAA safe harbor provision is part of the HIPAA Privacy Rule. The HIPAA Privacy Rule limits the possible uses and disclosures of protected health information, or PHI. The HIPAA safe harbor method is a method of de-identification of protected health information. De-identification is the removal of specific information about a patient that can be used alone or in combination with other information to identify that patient.

What is Protected Health Information (PHI)?

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). 

The Privacy Rule defines “Individually identifiable health information” as information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 

What is HIPAA Safe Harbor De-Identification?

So long as information exists as PHI, its use and disclosure are both limited by the Privacy Rule. HIPAA safe harbor de-identification is the process of the removal of specified identifiers of the patient, and of the patient’s relatives, household members, and employers.  

The requirements of the HIPAA safe harbor de-identification process become fully satisfied if, and only if, after the removal of the specific identifiers, the covered entity has no actual knowledge that the remaining information could be used to identify the patient. 

Once protected health information has been de-identified, it is no longer considered to be PHI; as such, there are no longer restrictions on its use or disclosure. By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient.

What Specific Information Must be De-Identified under the HIPAA Safe Harbor provision?


Specific pieces of data (data elements) can, individually or in combination, be used to uniquely identify an individual. The following data elements can be used to uniquely identify, and, as such, must be de-identified under the safe harbor rule:

  • Names
  • Geographic locators
    • In the case of zip codes, covered entities are generally permitted to use the first three digits, provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals.
  • All elements of dates (except the year) that are related to an individual.
    • This information includes including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age.
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
    • IP addresses can be used to identify physical addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers (i.e. the member ID on a patient’s health insurance card)
  • Device identifiers and serial numbers (medical devices are assigned unique serial numbers)
  • Certificate/license numbers (e.g., driver license numbers and birth certificate numbers)
  • Account numbers (e.g., bank account numbers)
  • Vehicle identifiers and serial numbers, including license plates
  • Website URLs
    • If a URL is logged within a specific application, the URL can be used to uniquely identify an individual 
  • Full face photos and comparable images
  • Biometric identifiers (including fingerprints, voice prints, and retinal images)
  • Any unique identifying numbers, characteristics or codes

Once these specific identifiers have been removed, the covered entity must have no actual knowledge that the remaining information could be used to identify the patient. If this “no actual knowledge” requirement has been satisfied, the PHI has been successfully de-identified under the safe harbor method. 

Why is HIPAA Safe Harbor De-Identification Performed?

There are a number of reasons why an entity might want to de-identify certain PHI. Once data elements have been de-identified, the elements are no longer considered PHI, and can therefore be used for uses that are becoming increasingly popular. These uses include certain types of research, as well as comparative studies. Once data has been de-identified, the data is no longer considered PHI, and can therefore be used in many other situations. For example, certain types of research or comparative studies could benefit from medical information. In addition, de-identified information can be shared, allowing for entities to collaborate in research efforts. 

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!