18 HIPAA PHI Identifiers Explained with Real‑World Scenarios and Examples


Kevin Henry

HIPAA

March 24, 2025


Names and Identity Details

These identifiers directly link a person to health information. Under the Health Insurance Portability and Accountability Act, any data that includes one or more of these items in connection with health details is Protected Health Information. Treat them as sensitive to uphold patient confidentiality and medical data security.

1. Names

Names of the individual, relatives, employers, or household members are PHI when tied to health data. Even partial names can single someone out in small populations.

  • Scenario: A clinic posts a surgery schedule with patient names on a hallway whiteboard.
  • Examples: “Maria Thompson—CT at 10 a.m.”; discharge instructions addressed to “Mr. Lee” in a public area.

8. Medical record numbers

Unique numbers assigned by an EHR or practice management system identify a patient even without a name.

  • Scenario: A research extract includes MRNs and diagnoses for analysis.
  • Examples: “MRN 004512897” in lab CSVs; MRNs printed on specimen labels.

10. Account numbers

Financial or portal account numbers can directly link records to a patient.

  • Scenario: Billing statements emailed with visible patient account numbers.
  • Examples: “Patient Acct: 7653321” on explanation-of-benefits PDFs; fundraising lists referencing donor-patient accounts.

18. Any other unique identifying number, characteristic, or code

Catch‑all for custom IDs that could enable identification. Codes that are derived from personal data (for example, hashing an email) can still be identifying.

  • Scenario: A study uses a code built from initials and birth month to tag records.
  • Examples: “PT‑JDS‑07” in spreadsheets; a referral ID that embeds part of an MRN.
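A pre-release check for derived codes like the ones described above, as an added example that is not part of the original article. The field names, sample rows and `audit_codes` helper are hypothetical, and the check is a heuristic that only catches the derivations it lists (initials plus birth month, and unsalted MD5/SHA-1/SHA-256 of the email).

```python
import hashlib
import secrets
from datetime import date

def candidate_derivations(row):
    """Strings a code would contain if it were built from this row's identifiers."""
    initials = "".join(part[0] for part in row["name"].split()).lower()
    email = row["email"].strip().lower().encode()
    found = {f"{initials}-{row['dob'].month:02d}"}      # initials + birth month
    for algo in ("md5", "sha1", "sha256"):              # unsalted digests of the email
        found.add(hashlib.new(algo, email).hexdigest()[:12])
    return found

def audit_codes(rows, code_field="study_code"):
    """Return codes that can be recomputed from the identifiers in the same row."""
    return [row[code_field] for row in rows
            if any(d in row[code_field].lower() for d in candidate_derivations(row))]

def random_code():
    """Code with no relationship to the patient; the crosswalk stays with the data holder."""
    return "PT-" + secrets.token_hex(8)

# Constructed sample rows (hypothetical people and field names).
SAMPLE = [
    {"name": "Jane Dana Sample", "email": "jane.sample@example.com",
     "dob": date(1980, 7, 14), "study_code": "PT-JDS-07"},
    {"name": "Alex Roe", "email": "alex.roe@example.com",
     "dob": date(1975, 1, 2),
     "study_code": hashlib.sha256(b"alex.roe@example.com").hexdigest()},
    {"name": "Sam Poe", "email": "sam.poe@example.com",
     "dob": date(1990, 3, 9), "study_code": random_code()},
]

if __name__ == "__main__":
    print(audit_codes(SAMPLE))  # the first two codes are flagged, the random one is not
```

Anyone who already holds a patient's email or initials and birth month can recompute the first two codes, which is why they remain identifying; the random code carries no such relationship.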

Geographic Location Data

2. Geographic subdivisions smaller than a state

Street address, city, county, precinct, ZIP code, and similar geocodes are PHI. For de‑identification, only the first three ZIP digits may remain if the combined area has a sufficiently large population; otherwise, use “000.”

  • Scenario: EMS run sheets listing exact pickup addresses are shared for quality review.
  • Examples: “123 Maple Street, Springfield, 011”; clinic flyers thanking patients by neighborhood.

3. All elements of dates (except year) related to an individual; ages over 89

Specific dates for birth, admission, discharge, death, appointments, and similar events are PHI. Ages over 89 and any related date details must be grouped as “age 90 or older” to meet de‑identification standards.

  • Scenario: A press release notes “our 100‑year‑old patient discharged on March 4.”
  • Examples: “DOB: 05/22”; “Admitted: 7/14, ICU.”

Contact Information

4. Telephone numbers

Direct lines, mobile numbers, and voicemail callback numbers can identify a patient or family member.

  • Scenario: Telehealth logs export caller phone numbers with visit reasons.
  • Examples: “Call back 555‑812‑0909”; caregiver’s phone listed in chart notes.

5. Fax numbers

Fax headers and stored fax contacts often include patient or employer identifiers.

  • Scenario: A lab auto‑faxes results; the recipient forwards the fax image to a vendor.
  • Examples: “Fax: 555‑644‑3001” on referral coversheets; pharmacy fax lines tied to a patient record.

6. Email addresses

Personal or work emails linked to health details are PHI, including portal invitation emails.

  • Scenario: A CSV of portal users includes emails and medication lists.
  • Examples: “andrew.smith@gmail.com”; caregiver email attached to care plans.

14. Web URLs

URLs that point to patient‑specific portals, images, or documents can expose identity.

  • Scenario: A help ticket pastes a direct link to a patient’s imaging study.
  • Examples: “/patient/12345/results”; download links containing unique tokens.

15. IP address numbers

IP addresses collected by portals, apps, or devices may identify a specific person or household when tied to health activity.

  • Scenario: Remote monitoring dashboards log IPs with blood‑pressure readings.
  • Examples: “198.51.100.24” in access logs; home router IP tied to telehealth sessions.

Government and Insurance Identifiers

7. Social Security numbers

SSNs are highly sensitive and frequently used to match or link records across systems.

  • Scenario: Legacy intake forms store SSNs used for payer eligibility checks.
  • Examples: “SSN: 123‑45‑6789” on registration scans; SSN fragments in notes.

9. Health plan beneficiary numbers

Identifiers on insurance cards connect coverage to a specific patient.

  • Scenario: A claims file includes member IDs and procedure codes.
  • Examples: “Member ID: HMO‑A3Z‑8472”; Medicare Beneficiary Identifiers.

11. Certificate/license numbers

Government‑issued IDs such as driver’s licenses, state IDs, or passport numbers can directly identify an individual.

  • Scenario: Registration staff scan driver’s licenses into the EHR.
  • Examples: “DL: S123‑4567‑8901”; passport number on travel clinic records.

Device and Vehicle Identifiers

12. Vehicle identifiers and serial numbers, including license plates

Vehicle data can reveal identity, particularly in small communities or specific events.

  • Scenario: Accident reports list a patient’s car make, VIN, and plate.
  • Examples: “VIN 1HGCM82633A004352”; ambulance plate in transfer notes.

13. Device identifiers and serial numbers

Serial numbers for implants, wearables, or home medical equipment can uniquely identify a patient.

  • Scenario: A pacemaker device log is exported for vendor support.
  • Examples: Implant serial numbers; CPAP machine IDs in compliance reports.

Visual and Biometric Identifiers

16. Biometric identifiers (including finger and voice prints)

Biometrics used for authentication or clinical purposes are PHI when linked to health data.

  • Scenario: A call center stores voice prints for patient verification.
  • Examples: Fingerprint scans for medication dispensing; iris templates.

17. Full‑face photographs and comparable images

Images that show the full face or other uniquely identifying features are PHI, even if no name appears.

  • Scenario: A wound photo posted in a training chat shows the patient’s face.
  • Examples: Bedside selfies; high‑resolution images that reveal tattoos.

Conclusion

Understanding HIPAA identifier categories helps you spot risk fast, apply de‑identification standards correctly, and strengthen data privacy compliance. When any of these identifiers are linked to health details, treat the data as PHI and design safeguards that minimize exposure while preserving clinical and operational value.

FAQs

What are the 18 HIPAA PHI identifiers?

The 18 identifiers are:

  1. Names
  2. Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP, and similar geocodes)
  3. All elements of dates (except year) related to an individual; ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP address numbers
  16. Biometric identifiers (for example, finger and voice prints)
  17. Full‑face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

How can real-world scenarios help understand PHI identifiers?

Concrete scenarios show how routine workflows—like posting schedules, sharing imaging links, exporting audit logs, or scanning IDs—can unintentionally expose identifiers. When you visualize where identifiers appear in the wild, you can redesign forms, scrub exports, and harden medical data security controls that prevent leakage while maintaining patient confidentiality.

What measures protect PHI under HIPAA?

Combine policy and technical safeguards: minimize collection, restrict access on a need‑to‑know basis, encrypt data at rest and in transit, log and review access, use role‑based permissions, and train staff to recognize PHI in free text and attachments. Regular risk assessments, vendor due diligence, and incident response plans help you sustain data privacy compliance across systems.

How is de-identification achieved for patient data?

HIPAA allows two methods. Safe Harbor removes all 18 HIPAA identifiers (for example, specific dates, sub‑state geography, SSNs, MRNs) and applies special rules like aggregating ages 90+ and using “000” for restricted ZIP prefixes. Expert Determination uses a qualified expert to assess and document that the re‑identification risk is very small given the data, context, and controls, often with statistical techniques and contractual safeguards.
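The Safe Harbor field rules mentioned above (three-digit ZIP or “000”, year-only dates, ages grouped at 90 or older), as an added example that is not part of the original article. The record layout, the `deidentify` helper and the entries in `RESTRICTED_ZIP3` are assumptions made for illustration; the output is built from an allowlist, so names, MRNs and other direct identifiers never reach it.

```python
import re
from datetime import date

# Assumption: 3-digit ZIP prefixes that must become "000". Illustrative
# entries only; build the real set from current Census population data.
RESTRICTED_ZIP3 = {"036", "059"}

def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or "000" for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"  # malformed or missing ZIP: fail closed
    return "000" if digits[:3] in RESTRICTED_ZIP3 else digits[:3]

def age_on(dob, as_of):
    """Age in whole years on the as_of date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def deidentify(record, as_of):
    """Build the released row from an allowlist of generalized fields."""
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    return {
        "zip3": generalize_zip(record.get("zip")),
        "age": "90+" if over_89 else str(age),
        # A birth year would reveal an exact age over 89, so suppress it too.
        "birth_year": None if over_89 else record["dob"].year,
        "admit_year": record["admitted"].year,
        "diagnosis": record["diagnosis"],
    }

# Constructed sample records (hypothetical patients and field names).
AS_OF = date(2025, 3, 24)
SAMPLE = [
    {"name": "Constructed Patient A", "mrn": "000000001", "zip": "01103-1234",
     "dob": date(1931, 5, 22), "admitted": date(2025, 3, 4), "diagnosis": "I10"},
    {"name": "Constructed Patient B", "mrn": "000000002", "zip": "03601",
     "dob": date(1980, 7, 14), "admitted": date(2024, 7, 14), "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(deidentify(rec, AS_OF))
```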
