Can the device identifier (DI) portion of a Unique Device Identifier (UDI) be part of a limited or de-identified data set as defined under HIPAA?

Yes. A UDI is a unique numeric or alphanumeric code assigned to a device through FDA’s Unique Device Identification System, which is intended to adequately identify medical devices through their distribution and use.  A UDI consists of two parts: (1) a device identifier (DI), which is the mandatory, fixed portion of a UDI that corresponds to the model or version of a device; and (2) a production identifier (PI), which is the variable portion of a UDI that identifies one or more of the following when included on the label of a device: lot/batch number, serial number, expiration date, manufacturing date, and donor identification number.

While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets, as defined under 45 CFR § 164.514(e)(2), and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions at 45 CFR § 164.514(b)(2), the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.  Rather, “device identifier” for purposes of the HIPAA standards for limited and de-identified data sets refers to serial and other numbers assigned to a specific device and thus, that may be uniquely identifying for a particular individual.  In contrast, as described above, the DI portion of the UDI is the model or version number of a device, which is not unique to a specific device and thus, is not uniquely identifying to a particular individual.  Therefore, the DI portion of a device’s assigned UDI may be used or disclosed as part of a limited data set, subject to the required data use agreement, or de-identified data set, under the HIPAA Privacy Rule.

However, the PI portion of a UDI, which includes a serial number or other numbers that correspond to a specific device, would be a “device identifier” referred to in the HIPAA Privacy Rule provisions and, therefore, may not be included in a limited data set or data set that is de-identified in accordance with the “de-identification safe harbor” provisions at 45 CFR § 164.514(b)(2). Further, other types of device identifiers, including those that correspond to custom devices as defined within 21 CFR § 812.3(b) (devices that are limited to no more than 5 units per year of a particular device type and that are exempt from FDA regulations to bear a UDI), may not be included in a limited data set or data set that is de-identified in accordance with the de-identification safe harbor provisions of the HIPAA Privacy Rule. The PI portion of a UDI or such other device identifiers may only be included as part of a de-identified data set to the extent an expert has determined, in accordance with 45 CFR § 164.514(b)(1), that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify individuals.

Content created by Office for Civil Rights (OCR)
Content last reviewed July 26, 2016