UW logo
Human Subjects Division (HSD)


De-Identified Information

As defined by HIPAA, health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual.  Information is considered de-identified if 18 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information.  The identifiers include the following:

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses (email)
  7. Social Security numbers
  8. Medical records numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locator (URL)
  15. Biometric identifiers, including finger or voice prints
  16. Full face photographic images and any comparable images
  17. Internet Protocol (IP) address numbers
  18. Any other unique identifying number, characteristic or code

Change Notes

  • Noted 09/23/2010 @ 09:01am
    Keyword newly added.
    - sherrye

Related Questions And Answers

  • What is needed to request a "Waiver of HIPAA Authorization?"

    The UW IRB Committees use specific criteria in reviewing requests for a waiver of HIPAA authorization for research. In completing the Human Subjects Review Application (UW 13-11), researchers should explain how:

    • The use or disclosure of protected health information involves no more than minimal risk to the privacy, safety, and welfare of the individual;
    • The research could not practicably be conducted without the waiver or alteration;
    • The research could not practicably be conducted without access to the protected health information;
    • There is an adequate plan to protect the identifiers from improper use or disclosure;
    • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • There are adequate written assurances that the protected health information will not be re-used or disclosed to a third party except as required by law, for authorized oversight of the research, or as permitted by an authorization signed by the research subject

    In requesting this waiver, researchers should also provide the following information:

    • Detailed information about the types of protected health information that will be used, including how it will be used, who will have access to it, and when it will be destroyed;
    • What risks are posed by the use of the data, and how they have been minimized
    • The justification for access to the data and why they are necessary to conduct the research.