Entities regulated by HIPAA (Health Insurance Portability and Accountability Act) and recent updates in HITECH (Health Information Technology for Economic and Clinical Health Act) are subject to extensive data security requirements, and some states impose further security requirements. Regulations apply to “covered entities” such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as their “business associates” which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. “Protected health information” under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity during the course of providing its services to individuals.


Under the HIPAA Privacy Rule, an organization can successfully anonymize the identity of a record by removing the following data fields:

  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct,

ZIP code, and their equivalent geocodes.

  • All elements of dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, or date of death.
  • Telephone numbers, fax numbers, email addresses
  • Social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs or IP addresses tied to a specific person
  • Biometric identifiers, including finger and voice prints; full face photographic images and any comparable images.
  • Any other unique identifying number, characteristic, or code


HIPAA requires public notification for breaches. However, the loss of adequately encrypted data is not generally considered a breach, and exempt from notification requirements.