18 Patient Identifiers HIPAA Defines as Off Limits

275 Flares Twitter 63 Facebook 69 Google+ 9 StumbleUpon 55 Pin It Share 61 LinkedIn 18 Reddit 0 Buffer 0 275 Flares ×

lego doctor nurse

Hospitals and healthcare providers every start shaking in their boots when they think of social media and healthcare. They freak out about the possibly of a HIPAA violation. But the fear that is struck in many of their hearts is really unneeded. There are 18 patient identifiers that are off limits when it comes to blogging and things of the like.

Omit These 18 Identifiers When Blogging About Patient Care

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

The dates and ages piece proved to be very informative. If you’re patient is over the age of 89, you need to refrain from referencing that. I guess that’s because people in their 90s are a small and more easily identified population. Also worth noting that it would be wise to omit specific dates in your writing in most cases, admission and discharge dates in particular.

image But really, if you needed a list to tell you to not be discussing social security and medical record numbers, we really need to have some discussions about whether we should allow you on the internet in the first place. You might poke your out out with the mouse or something. We can’t have you injuring yourself with high tech equipment, and if you’re giving out social security numbers, there is a high likelihood you shouldn’t have access to any heavy equipment. And that there optical mouse can be mighty heavy at times.

Can I Blog About My Patients?

You can absolutely blog about specific patient encounters, but you have a duty to be respectful of the patients privacy. They allowed you to participate in their care and they deserve the utmost respect from that. However, if telling a story can be educational and informative, you can write about your individual experiences in providing patient care. You can actually include quite a bit of detail in your nursing or healthcare narratives about patient encounters and experiences. The key is to make sure that the details are never specific enough to tie back to any individual patient. It is also a good idea to change certain details of the story completely so that a patient is absolutely unidentifiable. You can have fun with this and make for a much more entertaining read. You aren’t writing research articles. In blogging the details are not as important as telling the story anyways.

What is and isn’t PHI?

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.

So get your blog on. Share your stories of nursing and healthcare and include specific events and examples. Just be sure you respect the rights and privacy of your patients in the process.

Don’t fear HIPAA, just be aware and be respectful.

The  list of identifiers and PHI details are courtesy of:

275 Flares Twitter 63 Facebook 69 Google+ 9 StumbleUpon 55 Pin It Share 61 LinkedIn 18 Reddit 0 Buffer 0 275 Flares ×


  1. [...] == "undefined"){ addthis_share = [];}Share|The Nerdy Nurse wrote a great post called 18 patient identifiers hippa defines as off limits. Head over to her site and read what those 18 identifiers are and see if you are using any of them. [...]