18 Patient Identifiers HIPAA Defines as Off Limits

Hospitals and healthcare providers every start shaking in their boots when they think of social media and healthcare. They freak out about the possibility of a HIPAA violation. But the fear that is struck in many of their hearts is really unneeded. There are 18 patient identifiers that are off limits when it comes to blogging and things of the like.

Omit These 18 Identifiers When Blogging About Patient Care

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)


The dates and ages piece proved to be very informative. If you’re patient is over the age of 89, you need to refrain from referencing that. I guess that’s because people in their 90s are a small and more easily identified population. Also worth noting that it would be wise to omit specific dates in your writing in most cases, admission and discharge dates in particular.

image But really, if you needed a list to tell you to not be discussing social security and medical record numbers, we really need to have some discussions about whether we should allow you on the internet in the first place. You might poke your eye out with the mouse or something. We can’t have you injuring yourself with high-tech equipment, and if you’re giving out social security numbers, there is a high likelihood you shouldn’t have access to any heavy equipment. And that there optical mouse can be mighty heavy at times. (Forgive my southern phrasing. I promise, if you hear it in person, it’s so much better. Just imagine Foghorn Leghorn is saying it.)

Can I Blog About My Patients?

You can absolutely blog about specific patient encounters, but you have a duty to be respectful of the patient’s privacy. They allowed you to participate in their care and they deserve the utmost respect from that. However, if telling a story can be educational and informative, you can write about your individual experiences in providing patient care. You can actually include quite a bit of detail in your nursing or healthcare narratives about patient encounters and experiences. The key is to make sure that the details are never specific enough to tie back to any individual patient. It is also a good idea to change certain details of the story completely so that a patient is absolutely unidentifiable. You can have fun with this and make for a much more entertaining read. You aren’t writing research articles. In blogging the details are not as important as telling the story anyways.

What is and isn’t PHI?

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.

So get your blog on. Share your stories of nursing and healthcare and include specific events and examples. Just be sure you respect the rights and privacy of your patients in the process.

Don’t fear HIPAA, just be aware and be respectful.

The  list of identifiers and PHI details are courtesy of:

17 thoughts on “18 Patient Identifiers HIPAA Defines as Off Limits”

  1. I posted in a forum about a case I had recently saying “45 year old male with history of substance abuse” being treated with dialysis. The forum posts what City I’m from, but the particular patient I was visiting happened to be in a clinic in a different city nearby (I did not specify this in the case). I received a personal message from another community member stating this post violates HIPPA, but I do not see how this violates HIPPA. What are your thoughts?

    1. This is one that is a tricky situation. While the city the patient was in was not named, knowing where you are from could be seen as identifying. Preface references like this with the fact that you were traveling and once encountered a patient who… This would clear up anything that could be seen as a violation.

  2. AUDREY BEARDSLEY

    I am a behavior Technician for kids with Autism. My coworkers and I are in a private group message together. Whenever one of us finds a unique toy that one of our clients might like, or has a cute story to tell about an interaction one of the clients had, we use initials to avoid mentioning any names. Is this legal, since we all work with the same children and we aren’t posting anything publicly– just to each other? For example, “I saw a cute toy that your morning kiddo might really like. Do you want me to bring it tomorrow?” “Which morning kiddo, XX or YY? XX could use a new toy!” Thank you.

  3. Situation: If a patient is present at clinic counter and asks “What phone number do you have on file for me?” Can you repeat back the phone number listed?

  4. Greg Mercer, MSN

    Thanks, NN! This stuff is so bafflingly complex, the help is appreciated. Isn’t it sad that we need to knock ourselves out worrying over teeny lapses, when the law allows the main abusers of patient data free access: health insurance firms and employers?

  5. MAY 30, 2012

    I find it very annoying that my State Board of Professional Regulation, in Illinois, SELLS MY PERSONAL INFORMATION for commercial purposes! In other words, THEY MAKE MONEY selling lists of professional licensees’ information.

    When i protested to the Board, they said, “We don’t give them all your information” — no, it’s just name, town, and street, but not the house number. As soon as i moved to IL and obtained my license here, i started getting nurse junk mail. They also said, “That’s all public information, available by law.” Maybe so, but they don’t have to be complicit by SELLING the lists. Let the spammers work for it.

    i complained to my local Representative, and she said she was appalled by this, but … nothing ever changed.

    We in the healthcare industry are careful to protect our patients; why are we as nurses not protected also?

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top