Under the HIPAA Privacy Rule, data are deidentified if either (1) an experienced expert determines that the risk that certain information could be used to identify an individual is "very small" and documents and justifies the determination, or (2) the data do not include any of the following eighteen identifiers (of the individual or his/her relatives, household members, or employers) which could be used alone or in combination with other information to identify the subject: names, geographic subdivisions smaller than a state (including zip code), all elements of dates except year (unless the subject is greater than 89 years old), telephone numbers, FAX numbers, email address, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers including license plates, device identifiers and serial numbers, URLs, internet protocol addresses, biometric identifiers, full face photos and comparable images, and any unique identifying number, characteristic or code; note that even if these identifiers are removed, the Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.