Dog in DisguiseWe all learned about deidentifying clients in our grad school Ethics classes. It’s generally acceptable to discuss a client’s case with a colleague when we deidentify the client. HIPAA sees it the same way: deidentified information is not Protected Health Information, and is therefore not covered by HIPAA.

Fortunately, the HIPAA Privacy Rule has a safe harbor method for deidentifying information. Because it’s a safe harbor, you can consider any information about a client to be deidentified if you are able to remove all 18 of the identifiers on the list below. Take a look at it.

The Safe Harbor Method of Deidentification’s Identifiers List. Lifted Directly From the HIPAA Privacy Rule (45 CFR §164.514)

Except for my notes in italics, the following text is lifted directly from HIPAA’s Privacy Rule.

  1.  Names

A client’s initials are considered to be identifying for the purposes of determining if a given piece of information is PHI under HIPAA, because they are derived from names. Even though most people couldn’t identify a client from just their initials, some people can. The same can be said of using only a client’s first names or last names. This doesn’t mean that using client initials instead of their full names isn’t helpful. It just isn’t deidentifying.

  1. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

This is a tight restriction. Note that the street a client lives on is seen as identifying. Be thoughtful about where you keep any of the information about client addresses.

  1.  All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

Any kind of date you keep regarding a client is personally identifying. The exception is the year portion of a date, except when you’re talking about the birth dates of people 90 years or older.

  1. Telephone numbers

Remember that any text message you exchange with a client contains their phone number

  1. Fax numbers
  2. Electronic mail addresses (email addresses)

Remember that any email you exchange with a client contains their email address

Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.

Hushmail Image

Roy with coffee mugRoy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.

  1. Social security numbers
  2. Medical record numbers
  3. Health plan beneficiary numbers
  4. Account numbers
  5. Certificate/license numbers
  6. Vehicle identifiers and serial numbers, including license plate numbers
  7. Device identifiers and serial numbers
  8. Web Universal Resource Locators (URLs) [web addresses]
  9. Internet Protocol (IP) address numbers
  10. Biometric identifiers, including finger and voice prints
  11. Full face photographic images and any comparable images

Do you do play therapy? Do you ever have photos of children with their creations or photos the children take themselves that may include purposeful or inadvertent “selfies”?

  1.  Any other unique identifying number, characteristic, or code, except as permitted by HIPAA


You can see that the list is extensive. For nearly all clinical practitioners, deidentifying client information is not a feasible way of keeping it secure in our practices. Even if we leave all identifiers out of emails and texts, for example, the email address or phone number attached to the message is seen as identifying the client who sent or received it.

This method of deidentification is primarily intended for people who wish to use health information in research or for marketing purposes, and who don’t need to know anything identifying about the people who received the health care.

It does have one very useful purpose for clinicians, however: it tells us what HIPAA considers to be identifying. So when we’re trying to get an idea of where we keep PHI in our practices, or how much PHI a third-party service may be handling on our behalf, this list can be a useful guide for determining what information we need to regard as identifying.

Learn more about identifying HIPAA-protected health information:

1 CE Credit Hours


9 CE Credit Hours



Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss