Specific pieces of data (data elements) can, individually or in combination, be used to uniquely identify an individual. The following data elements can be used to uniquely identify, and, as such, must be de-identified under the safe harbor rule: 

1. Names 

2. Geographic locators 

3. In the case of zip codes, providers are generally permitted to use the first three digits, provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals 

4. All elements of dates (except the year) that are related to an individual 

5. This information includes including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age 

6. Telephone, cellphone, and fax numbers 

7. Email addresses 

8. IP addresses 

9. IP addresses can be used to identify physical addresses 

10. Social Security Numbers 

11. Medical record numbers 

12. Health plan beneficiary numbers (e.g., the member ID on a patient’s health insurance card) 

13. Device identifiers and serial numbers (medical devices are assigned unique serial numbers) 

14. Certificate/license numbers (e.g., driver license numbers and birth certificate numbers) 

15. Account numbers (e.g., bank account numbers) 

16. Vehicle identifiers and serial numbers, including license plates 

17. Website URLs; If a URL is logged within a specific application, the URL can be used to uniquely identify an individual  

18. Full face photos and comparable images 

19. Biometric identifiers (including fingerprints, voiceprints, and retinal images) 

20. Any unique identifying numbers, characteristics, or codes 

Once these specific identifiers have been removed, the provider must have no actual knowledge that the remaining information could be used to identify the patient. If this “no actual knowledge” requirement has been satisfied, the PHI has been successfully de-identified under the safe harbor method.