This page lists the identifiers specifically appearing in the HIPAA privacy regulations representing a "safe harbor" method for de-identifying data. As long as none of these identifiers is present, HIPAA defines the information as having been rendered non-identifiable.
Using "safe harbor" De-identification requires removal of all such identifiers as specifically defined in the regulations. It is not equivalent to the more general concept associated with the term 'anonymous'. Note that tissue samples themselves are not considered identifiers (unless labeled in some manner with one of the identifiers below).
The following identifiers of the individual or of relatives, employers, or household members of the individual (* Indicates permitted in a limited dataset §164.514(e)(2)):
Last revised March 26, 2014
HIPAA also provides another method for establishing that a set of data is de-identifed. This method requires:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: (i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination.
The entity releasing information to a research would be responsible for determining that these requirements had been satisfactorily met before it released the data.
HHS offers additional guidance and a FAQ regarding de-identification available here:
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.