
The 18 PHI Identifiers

HIPAA has laid out a precise list of 18 different forms of protected health information, let's walk through each of those in depth below.


The idea of patient privacy goes all the way back to the inception of modern medicine as laid out by Hippocrates in the Hippocratic Oath over two thousand years ago. Fast-forward to today: we may face different challenges, but HIPAA in many ways serves as a modern-day counterpart to what the Hippocratic Oath set out to do all those years ago. While the language has changed, the sentiment remains the same: protecting the rights of the individual within healthcare.

One of the key components, if not the key component, of HIPAA is Protected Health Information (PHI). PHI, as defined by HIPAA, is any individually identifiable health information. HIPAA lays out a legal framework to ensure that PHI is handled in a way that upholds the rights of the patient, spells out what those rights are, and gives a clear list of what exactly qualifies as PHI.

As referenced in one of our prior posts, Why PHI is Valuable to Hackers, modern-day hackers can sell your PHI for hundreds of dollars to people who then use it to commit other crimes like identity theft, which can take years to uncover and causes a major headache for everyone involved. As a step towards safeguarding this information, HIPAA has laid out a precise list of 18 different forms of protected health information. Below we outline each type and give examples so that you have a better understanding of what exactly qualifies as PHI and what you can expect your healthcare provider to be doing with this information.

1. Name

This is a good time to point out that some PHI is not considered PHI in every context that it is used. Your name is only considered PHI when recorded by a healthcare provider or used within the context of healthcare. The barista calling out your name as you wait for your iced caramel macchiato in a hospital cafe may not be worthy of an HHS investigation, but if your physician disclosed your name to someone outside the scope of their role, this could be an entirely different story.

2. Address 

Again, pretty straightforward; however, under HIPAA this identifier covers anything more specific than the state you live in, such as your hometown or the street you live on, not just your full address. From a business perspective, this is an important note, as it is common to use specific details to identify a client within your own database. “No, not that Jeff. You know, Jeff from Spokane?” It’s one thing for a nurse to use some of these identifiers within the scope of her work. It’s another for your crazy ex to call the hospital and figure out where you moved after college.

3. Dates 

This might seem like a broad category, but it includes any date, other than a year on its own, that could identify an individual. This covers birth dates, death dates, discharge dates, treatment dates, really any date that can be traced back to an individual for a specific event or procedure. While this might not seem like the end of the world, it only takes a few key pieces of information to get through certain online authentication processes, so the more information that is safeguarded, the better.

4. Telephone

While there is not a whole lot that can be done in terms of identity theft with a phone number alone, it can be a huge hassle if your number falls into the wrong hands. It seems the majority of phone calls today come from robo-dialers and scammers asking about your car’s warranty. While many of these calls are made with auto-dialing technology and are completely random, companies that still use cold calling and telemarketing pay services for access to your personal information.

5. Fax Number

While this may have been more applicable in 1996, an individual's fax number is still considered PHI. For any millennials reading this, people used to be able to communicate with each other via their printers. Fax numbers are still used to transfer information on paper from one location to another. Smaller hospitals and entities especially still rely on fax machines to transfer PHI, though many have since moved on to fully electronic records.

6. Email address

Similar to phone calls, email today has been overrun by spam and junk mail. While your email address might not by itself be a way for a hacker to steal your identity, it can be a major nuisance if it makes its way onto a couple of unwanted targeted email campaigns. More importantly, hackers can use your email address to deliver malware that collects other sensitive information from your device.

7. Social Security number 

Someone with malicious intent can use your Social Security number for a variety of purposes, including opening new lines of credit in your name, which can damage your credit score and create a massive headache when applying for loans and making other important financial decisions.

8. Medical record number

Medical record numbers give access to specific charts and medical data, which could be anything from your blood pressure reading at a routine check-up to an acute diagnosis. Rights to this information are protected under HIPAA and allow you, as the patient, to share it at your own discretion. Whether it means keeping this information out of the hands of nosy family members or hackers alike, it is important that it is managed properly by your healthcare provider and other individuals with access to your medical records.

9. Health plan beneficiary number

Your health plan beneficiary number is the number that your health insurer, or a similar service providing access to healthcare, uses to identify you within its system. This number is often required as proof of coverage and can be sold online to someone who cannot afford, or is unable to obtain, healthcare coverage by normal means.


10. Account numbers 

Getting hold of any sort of account number lets someone with malicious intent add it to their arsenal against you. Whether they are looking to steal your identity or sell your information to someone else, keeping your account numbers under lock and key prevents scammers from using them in tandem with other PHI to gain access to your medical records and other sensitive information.

11. Certificate/license number

Certificate or license numbers are often used as a backup in authentication procedures. This could be anything from your driver's license number to your CPR certification. This is another piece of information you would not want anyone to have easy access to. While someone having your certificate or license number might not be immediately detrimental, it can be combined with other personal information to steal your identity.

12. Vehicle identifiers, serial numbers, license plate numbers

Keeping vehicle identification information private is important, as it is a gateway to a variety of other forms of personal information such as your home address or even previous addresses. While someone knowing your license plate number isn’t the end of the world, in tandem with other personal identification information it can be used to forge documentation and even commit identity fraud.

13. Device identifiers/serial numbers

This information relates to medical devices or equipment that may be used during procedures or treatment. Limiting access to it protects the patient from unwanted disclosure of details about implants you have, devices used during your procedures, and other medical devices that could be tied directly back to you.

14. Web URLs

Web URLs, or Uniform Resource Locators, can be used to track electronic transactions and other online activity related to your data stored in online systems. These URLs can be exploited in a variety of ways. Restricting access to them cuts scammers and hackers off at the source by removing a path to a plethora of ePHI.

15. IP address

Your IP address is the identifier your computer uses when you access the internet. Some can even use it to trace you back to your location, so it is important that this information doesn’t fall into the wrong hands. Among other things, your IP is sort of like the fingerprint equivalent of your internet-connected devices. While it’s not necessarily private, if someone ties an IP address directly to you personally, they can learn about your online browsing habits and, most concerningly, your actual geographic location.

16. Biometric identifiers such as fingerprints or voiceprints

As technology advances, biometric identifiers can be very harmful when they make their way into the wrong hands. With the artificial facial-construction technology known as deepfakes, hackers can now fully reconstruct an individual's likeness and use their voiceprint and other biometric identifiers to create fully functional digital identities used to impersonate individuals remotely. This was famously used back in 2019 when Carrie Fisher passed away midway through production of the Star Wars franchise movie Rogue One. The producers hired a body double and then reconstructed her face and voice from previous images and voiceprints. While this technology is impressive in that context, it has also created a sort of digital identity theft that allows hackers to blackmail and even impersonate individuals remotely.

17. Full-face photos

At face value (no pun intended), a portrait or selfie circulating around might not seem like the end of the world, but in conjunction with other forms of PHI it can create the perfect means for a fake online profile or, as explored above, very convincing fraudulent digital images and material. To reiterate, context is key here. Only images taken by your healthcare provider or used in a healthcare context are considered PHI.

18. Any other unique identifying numbers, characteristics or codes 

Think of this as a catch-all for any other identifier that couldn’t be categorized above; a sort of “etc.” or “miscellaneous.” Basically, if your healthcare provider has given you a number that can be tied directly back to you for identification purposes, it’s PHI. This goes back to the phrase "individually identifiable health information." Essentially, any information that can be traced back to an individual and was used in the context of healthcare can be considered PHI.
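To make the list concrete, here is an added example (not from Accountable or the original post) that applies the rules above to a constructed patient record: direct identifiers such as name, address and medical record number are dropped, dates are reduced to the year, only the state survives from the address, and phone numbers, email addresses, Social Security numbers and IP addresses are redacted from free text. The field names, regex patterns and sample record are assumptions for illustration, and the patterns cover only a subset of the 18 identifiers.

```python
import re

# Constructed sample record (not real data), shaped like a clinical export.
RECORD = {
    "name": "Jane Q. Sample",                      # identifier 1
    "address": "12 Elm St, Spokane, WA",            # identifier 2
    "state": "WA",                                  # state alone is not PHI per the post
    "dob": "1984-03-17",                            # identifier 3
    "discharge": "2023-11-02",                      # identifier 3
    "mrn": "MRN-0048213",                           # identifier 8
    "notes": "Pt called from 509-555-0142, email jane@example.com, ip 203.0.113.7.",
}

# Free-text patterns for identifiers 4 (phone), 6 (email), 7 (SSN) and 15 (IPv4).
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

DIRECT_FIELDS = ("name", "address", "mrn")  # dropped outright
DATE_FIELDS = ("dob", "discharge")           # generalized to the year


def year_only(iso_date: str) -> str:
    """Keep only the year of an ISO-8601 date, as the post describes for dates."""
    return iso_date[:4]


def redact_text(text: str) -> tuple[str, list[str]]:
    """Replace matched identifiers with labelled placeholders; report which classes hit."""
    found = []
    for label, pattern in PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()}]", text)
    return text, found


def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return a de-identified copy of the record and the identifier classes handled."""
    cleaned, handled = {}, []
    for key, value in record.items():
        if key in DIRECT_FIELDS:
            handled.append(key)               # field is not copied at all
        elif key in DATE_FIELDS:
            cleaned[key] = year_only(value)
            handled.append(f"{key}:year-only")
        elif key == "notes":
            cleaned[key], hits = redact_text(value)
            handled.extend(hits)
        else:
            cleaned[key] = value              # e.g. state, which the post allows
    return cleaned, handled
```

Running `deidentify(RECORD)` keeps only the state, the two years and the redacted note, and reports which identifier classes were handled so the result can be audited.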

While there are a handful of areas within HIPAA that are left open to legal interpretation, it is quite helpful to have a cut-and-dried list of clearly outlined examples of PHI that are regulated under HIPAA. Not only does Accountable offer our blog as a resource for brushing up on all things HIPAA, we also offer a complete administrative solution for HIPAA compliance to give you and your associates the assurance that you are fully protected in the event of a breach or audit. So what are you waiting for? Schedule a call with one of our HIPAA Compliance Specialists or try it out for free today!
