
HIPAA Privacy Rule

The HIPAA Privacy Rule is located at 45 CFR Part 160 and Part 164. The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically.

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

18 HIPAA Identifiers

The HIPAA Privacy Rule sets forth policies to protect 18 identifiers that are considered Personally Identifiable Information (PII). These are data points that can be used to identify, contact, or locate an individual. When one of these identifiers is used in conjunction with a person's healthcare information, or a payment method used for that healthcare, it becomes Protected Health Information (PHI). The HIPAA Privacy Rule protects PII of deceased persons for 50 years following the date of death. If any communication contains PII, the data is to be considered "identified". To be considered "de-identified", ALL of the 18 HIPAA Identifiers must be removed from the data set.

These are the 18 identifiers designated under HIPAA:

  1. Name
  2. Geographical element - street address, city, county, or zip code (smaller than state)
  3. Dates - birthdate, admission date, discharge date, date of death, and exact age if over 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle license plate and other identifiers
  13. Device serial number
  14. Any
  15. Website URL
  16. Internet Protocol (IP) Address
  17. Finger or voiceprint
  18. Photographic image (any body part)
  19. Any other characteristic that could uniquely identify the individual (like a tattoo)


HIPAA Privacy Forms

Notice of Privacy Practices (NPP) Form

Request for Access to Protected Health Information (PHI) Form

Request for Restriction of Patient Health Care Information Form

Request for Accounting Disclosures Form

Authorization for Use or Disclosure Form

Privacy Complaint Form