Why De-Identification Matters
Under the HIPAA Privacy Rule, Protected Health Information (PHI) β health data that can identify an individual β is tightly controlled. But de-identified data is not covered by HIPAA at all. Once information can no longer reasonably identify a person, it can be shared with researchers, used to train machine-learning models, published in aggregate, or handed to a vendor without triggering the Privacy Rule. That makes de-identification one of the highest-leverage tasks in healthcare data work: do it correctly and a locked-down dataset becomes broadly usable; do it wrong and you have a reportable breach.
This guide explains the Safe Harbor method β the most widely used de-identification approach β category by category, then covers why unstructured text is the hard part and how to detect PHI without ever exposing it. If you want to try the concepts as you read, our free HIPAA PHI Identifier scans text for all 18 categories entirely in your browser.
The Two HIPAA De-Identification Methods
HIPAA recognizes exactly two ways to de-identify data (45 CFR 164.514(b)):
- Expert Determination. A person with appropriate statistical knowledge determines that the risk of re-identification is "very small" and documents the analysis. This is flexible but requires specialized expertise.
- Safe Harbor. Remove 18 specified categories of identifiers, and β provided you have no actual knowledge that the remaining information could identify an individual β the data is considered de-identified. This is a concrete checklist, which is why most teams start here.
The catch with Safe Harbor is that it is all-or-nothing: leaving even one category in place means the data is not de-identified. So knowing all 18, precisely, matters.
The 18 Safe Harbor Identifiers, Explained
Each identifier must be removed for the individual and for their relatives, employers, and household members.
1. Names
Full names, partial names, initials used as identifiers, nicknames, and maiden names. In free text these appear everywhere β in salutations, signatures, and narrative ("Mr. Johnson reportsβ¦").
2. Geographic subdivisions smaller than a state
Street address, city, county, precinct, and ZIP code. The one nuance: the initial three digits of a ZIP code may be retained if the geographic unit they form contains more than 20,000 people (otherwise they must be changed to 000). Everything more granular must go.
3. Dates (and ages over 89)
All date elements more specific than a year that relate to an individual β birth date, admission date, discharge date, date of death, and any appointment or procedure date. Year alone is generally acceptable. Separately, all ages over 89 (and any element, including a year, that would reveal such an age) must be aggregated into a single "90 or older" category, because extreme ages are rare enough to aid re-identification.
4 & 5. Telephone and fax numbers
Any phone or fax number. In text these follow recognizable patterns, though distinguishing a fax from a phone number usually depends on a nearby label.
6. Email addresses
Any email address. These are among the most reliably detectable identifiers because of their fixed structure.
7. Social Security numbers
The classic identifier. The three-two-four digit pattern is easy to match, but SSNs also appear without dashes and behind labels like "SSN:".
8, 9 & 10. Medical record, health plan, and account numbers
Medical record numbers (MRNs), health plan beneficiary numbers, and account numbers. These are typically alphanumeric with no fixed format, so they are usually detected by the words around them ("MRN:", "Account #").
11. Certificate and license numbers
Professional licenses, certificate numbers, and similar credentials tied to an individual.
12. Vehicle identifiers
Vehicle Identification Numbers (VINs) and license plate numbers. A VIN has a distinctive 17-character format that excludes the letters I, O, and Q, which makes it pattern-matchable.
13. Device identifiers and serial numbers
Identifiers and serial numbers of medical devices β pacemakers, implants, monitors β associated with the individual, including Unique Device Identifiers (UDIs).
14 & 15. URLs and IP addresses
Web URLs and IP addresses. Both have clear structure and are reliably detectable; an IP address in a log can tie an event back to a person or location.
16 & 17. Biometric identifiers and full-face photographs
Fingerprints, voiceprints, retinal scans, and other biometrics, plus full-face photographs and comparable images. These are not detectable in plain text β they live in binary files β but they must still be removed from any dataset that includes them.
18. Any other unique identifying number, characteristic, or code
The catch-all. This covers internal case numbers, clinical trial IDs, UUIDs, and any other unique code or distinctive characteristic that could single someone out. It is deliberately broad, and it is the category most often missed because it has no fixed shape.
Why Unstructured Text Is the Hard Part
De-identifying a database column is straightforward: you know the "SSN" column holds SSNs, so you drop it. The real challenge is unstructured text β clinical notes, discharge summaries, secure messages, support tickets, and application logs β where identifiers are woven into natural language. A single note might name a patient, mention their street, cite a phone number, and quote an MRN, all in one paragraph. There is no column to drop; every identifier has to be found in place. Doing that by hand across thousands of documents is slow and error-prone, and Safe Harbor is unforgiving of misses.

How Automated PHI Detection Works
Good detectors combine three techniques, because no single one covers all 18 categories:
- Pattern matching handles structured identifiers with predictable formats β emails, SSNs, phone and fax numbers, dates, IP addresses, VINs, and UUIDs. These are high-confidence detections.
- Context rules handle identifiers with no fixed format by reading the surrounding words: an alphanumeric string becomes an MRN when it follows "MRN:", an account number when it follows "Account #".
- Heuristics and dictionaries handle the fuzziest categories, names and geography, using capitalization, honorific titles ("Dr.", "Mr."), and lists of common names and cities. These are inherently lower-confidence and produce both false positives and misses.
Because the fuzzy categories are imperfect, a well-designed tool assigns a confidence level to each finding and lets you tune sensitivity, rather than presenting every guess as fact. Our PHI Identifier does exactly this: high-confidence structured matches are always shown, while low-confidence name and geography guesses can be filtered out when you need precision.
The Privacy Paradox β and Why Browser-Based Tools Solve It
There is a built-in contradiction in scanning sensitive data for sensitive data: to check whether text contains PHI, something must read that text. Many online PHI scanners upload your data to a server to analyze it β which means the very act of checking for a disclosure is a disclosure, and typically requires a Business Associate Agreement. Browser-based tools eliminate the paradox: the detection code runs on your own machine and makes zero network calls, so your notes and logs never leave your control. You can verify this by opening your browser's developer tools and watching the network panel stay empty during a scan. For anyone handling real PHI, this local-only design is the difference between a tool you can legitimately use and one you cannot.
Using Detection Responsibly
An automated scan is a strong first pass, not a certification. Safe Harbor also requires that you have no actual knowledge the residual data could identify someone, and the "other unique identifier" category often needs human judgment β a rare diagnosis, a distinctive quote, or an internal code can re-identify a patient even after every obvious identifier is gone. The right workflow is: run automated detection to remove the bulk quickly and consistently, redact the findings, then review what remains, especially free-text and unusual identifiers, before treating the data as de-identified. For high-stakes releases, pair automated tooling with expert review or Expert Determination.
A Practical Checklist Before You Share Data
Before treating any text-based dataset as de-identified under Safe Harbor, walk through this short checklist:
- Run a full 18-category scan rather than checking only for the obvious identifiers like SSNs and emails.
- Review the low-confidence findings β names and geography especially β because these are where an automated pass is weakest and a real identifier is most likely to hide.
- Check dates and ages specifically: confirm that no date more specific than a year survives and that every age of 90 or above has been generalized.
- Hunt for the catch-all. Scan for internal case numbers, trial IDs, and any code that is unique to one person, since category 18 has no fixed format and is the easiest to miss.
- Redact, then re-read. Produce a redacted copy, read it as if you were an outsider trying to identify the patient, and ask whether anything remaining β a rare condition, an unusual quote, a distinctive combination of facts β could still single someone out.
- Document your process. Keep a record of what you scanned, what you removed, and who reviewed it, so your de-identification is defensible.
None of these steps require sending your data anywhere. A browser-based detector lets you run the scan, filter by confidence, redact, and export a report entirely on your own machine, which keeps the whole workflow inside your control.
Conclusion
The 18 Safe Harbor identifiers are a precise, all-or-nothing checklist, and the hardest place to apply them is unstructured text. Automated detection β pattern matching for structured identifiers, context rules for coded numbers, and heuristics for names and places β does most of the work quickly, and a browser-based tool does it without ever exposing your data. Learn the 18 categories, use a tunable detector to find and redact them, and review the result before you share. Try it now with the free, private HIPAA PHI Identifier.
References and Further Reading
- HHS β Guidance Regarding Methods for De-identification of PHI (HIPAA Privacy Rule) β the official source for the two de-identification methods and the 18 Safe Harbor identifier categories described above.
- eCFR β 45 CFR 164.514 "Other requirements relating to uses and disclosures of protected health information" β the regulatory text for Expert Determination (164.514(b)(1)) and Safe Harbor (164.514(b)(2)), including the enumerated identifier list and the "very small" re-identification-risk standard.
- HHS β Summary of the HIPAA Privacy Rule β background on what PHI is and the scope of the Privacy Rule referenced throughout this guide.