Is a Date of Birth PHI?

A date of birth is protected health information when it identifies an individual, or can reasonably be used to identify an individual, and it is linked to health information created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate. It is not protected health information when it is not associated with health information or is held outside a regulated healthcare context.

Under the HIPAA Privacy Rule, protected health information is individually identifiable health information, which includes common identifiers associated with medical, treatment, or payment information. A date of birth is frequently used as a patient identifier and can permit identification when combined with other data such as name, address, telephone number, email address, or appointment details. In many operational settings, a date of birth is treated as an identifier even when a name is not displayed, because staff and systems can match it to a specific patient record.

A date of birth can be protected health information even when presented alone in a healthcare setting if recipients can link it to a person and infer a care relationship. Examples include a clinic schedule showing dates of birth next to visit times, an email that confirms a referral and includes a date of birth, or a billing communication that uses date of birth to verify identity. When a date of birth appears in a record set maintained for treatment, payment, or healthcare operations, it becomes part of protected health information when associated with the individual’s care or payment information.

A date of birth can also be used in de-identification analysis. De-identification methods under the HIPAA Privacy Rule address date elements, and organizations should apply approved de-identification approaches when data will be used or disclosed outside permitted operational needs. Age-related information can remain identifiable in small populations or specialized programs when combined with other context.

Organizations should apply the HIPAA Minimum Necessary Rule where it applies and avoid including dates of birth in subject lines, headers, or communications that do not require them for the stated purpose. When dates of birth are used for identity verification, workforce procedures should limit disclosure to the minimum required and use secure channels that align with HIPAA Security Rule safeguards when electronic protected health information is transmitted or stored.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter (https://x.com/JamesKeoghHIPAA) and contact James on LinkedIn (https://www.linkedin.com/in/james-keogh-89023681).