All 18 HIPAA Identifiers (PHI): Complete List with Examples


Kevin Henry

HIPAA

March 17, 2024


The Health Insurance Portability and Accountability Act defines Protected Health Information as individually identifiable health information created or received by covered entities or their business associates. Under HIPAA’s De-identification Standards, the “Safe Harbor” method requires removing 18 specific identifiers so data cannot reasonably identify a person.

This guide explains all 18 HIPAA identifiers with clear examples so you can recognize, remove, or properly protect them. Use it to strengthen PHI safeguards and support data privacy compliance across clinical workflows, analytics, research, and vendor exchanges.

Names

Any element of a person’s name can directly identify them and must be removed to de-identify PHI. This applies to the patient and to related individuals whose names appear in the record.

  • Examples: full name, first/last name, middle name, initials, maiden name, alias, household member names, employer name listed in the chart.
  • Practical tip: in narratives, replace names with neutral terms like “the patient” or role-based descriptors (for example, “caregiver”).

Geographic Identifiers

Geographic subdivisions smaller than a state can single out an individual, particularly when combined with health details. These must be removed or generalized.

  • Examples: street address, apartment/unit number, city, county, precinct, ZIP code, and equivalent geocodes; latitude/longitude, GPS traces, map pins, and micro‑location data (for example, beacons).

ZIP code rule (Safe Harbor)

You may retain only the first three digits of a ZIP code if all ZIP codes with that prefix cover an area with more than 20,000 people; otherwise, the prefix must be replaced with “000.” When in doubt, remove ZIP codes entirely.

Dates

All elements of dates (except year) directly related to an individual are identifiers. This includes exact day and month, and, when present, time-of-day stamps.

  • Examples: date of birth, admission date, discharge date, date of death, appointment date/time, specimen collection timestamp, imaging timestamp.

Ages 90 and older

Ages over 89 and any date elements indicating such age are identifiers. When de-identifying under Safe Harbor, aggregate these as “age 90 or older” rather than listing the exact age or birthdate.
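The ZIP code, date, and age rules above, applied to structured fields in an added Python example (not code from the article). The field names, the population figures, and the choice to drop malformed or unknown ZIP codes are assumptions made for illustration.

```python
from datetime import date

# Constructed placeholder populations per 3-digit ZIP prefix (not census data).
ZIP3_POPULATION = {"123": 250_000, "456": 12_000}
POPULATION_FLOOR = 20_000  # a prefix is kept only above this population

# Constructed sample records; field names are assumptions.
SAMPLES = [
    {"zip": "12345-6789", "birth_date": "1930-05-14",
     "admission_date": "2024-03-02T14:35:00", "discharge_date": "2024-03-09"},
    {"zip": "45678", "birth_date": "1980-12-01",
     "admission_date": "2023-12-30", "discharge_date": None},
]

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the 3-digit prefix, "000", or None (ZIP removed entirely)."""
    digits = "".join(ch for ch in str(zip_code or "") if ch.isdigit())
    if len(digits) not in (5, 9):
        return None  # malformed value: when in doubt, remove
    population = populations.get(digits[:3])
    if population is None:
        return None  # no population figure for this prefix: remove
    return digits[:3] if population > POPULATION_FLOOR else "000"

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday

def year_only(value):
    """Keep only the year of an ISO date or timestamp string."""
    return date.fromisoformat(value[:10]).year if value else None

def generalize_record(rec, as_of):
    birth = date.fromisoformat(rec["birth_date"])
    over_89 = age_on(birth, as_of) > 89
    return {
        "zip3": generalize_zip(rec.get("zip")),
        # Exact age and birth year would both reveal an age over 89.
        "age": "90 or older" if over_89 else age_on(birth, as_of),
        "birth_year": None if over_89 else birth.year,
        "admission_year": year_only(rec.get("admission_date")),
        "discharge_year": year_only(rec.get("discharge_date")),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(generalize_record(sample, as_of=date(2024, 3, 17)))
```

In practice the population table would be built from current census figures for each three-digit prefix rather than hard-coded.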

Contact Numbers

Telephone numbers

Any telephone number tied to the patient record is an identifier and must be removed under Safe Harbor.

  • Examples: mobile numbers, home and work lines, direct extensions, on-call numbers, voicemail call-back numbers.

Fax numbers

Fax numbers can uniquely identify a person or provider location and therefore are included in the 18 identifiers.

  • Examples: clinic fax, home fax, departmental fax embedded in referral notes or forms.

Email addresses

Email addresses, whether personal or work, identify individuals and must be excluded to meet de-identification requirements.

  • Examples: personal email, employer-issued email, role-based addresses when they point to a specific person in context.

Identification Numbers

These numeric or alphanumeric identifiers are common throughout billing, clinical documentation, and payer exchanges. Each must be removed for Safe Harbor de-identification.

  • Social Security numbers: full SSN in any format.
  • Medical record numbers: enterprise MRNs, chart numbers, patient IDs in EHRs or portals.
  • Health plan beneficiary numbers: member IDs such as Medicare Beneficiary Identifiers and commercial plan IDs.
  • Account numbers: patient account numbers, billing account IDs, claim numbers, financial account identifiers stored in the record.
  • Certificate/license numbers: driver’s license, professional licenses, firearm permits, state ID numbers.
  • Vehicle identifiers and serial numbers: VINs, license plate numbers, fleet IDs recorded in incident or transportation notes.

Biometric and Image Identifiers

Biometric identifiers

Biometric data can directly distinguish an individual and must be removed unless properly authorized and protected.

  • Examples: fingerprint templates, voice prints, iris/retina patterns, palm or hand geometry, facial recognition templates.

Full-face photographs and comparable images

Images that reveal the full face—or are otherwise comparable in identifiability—are HIPAA identifiers. Context matters in determining whether an image is “comparable.”

  • Examples: full-face portraits, ID-badge headshots, selfies attached to messages, images showing distinctive facial features.

Unique Codes and Web Identifiers

Modern records often include device, network, and online identifiers. These can tie activity back to a specific person and are part of the 18 identifiers.

  • Device identifiers and serial numbers: medical implant serials, imaging device IDs, mobile device IDs captured by apps.
  • Web URLs: links to patient portal pages, cloud file locations, or shared images that include unique tokens.
  • IP address numbers: public or private IPs logged by telehealth platforms, patient portals, or remote monitoring systems.
  • Any other unique identifying number, characteristic, or code: tracking codes, study IDs, barcodes, or hashed values derived from an individual’s identifiers. Safe Harbor excludes only re-identification codes that meet HIPAA’s specific conditions (not derived from PHI and not disclosed as a re-identification key).
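The distinction in the last bullet between a hashed value and a permitted re-identification code, shown as an added Python example (not code from the article). The `Crosswalk` class, the record fields, and the sample MRNs are hypothetical.

```python
import hashlib
import secrets

# Constructed sample rows; "mrn" and "diagnosis" are assumed field names.
ROWS = [
    {"mrn": "MRN-0042", "diagnosis": "J45.909"},
    {"mrn": "MRN-0043", "diagnosis": "E11.9"},
    {"mrn": "MRN-0042", "diagnosis": "I10"},
]

def hashed_code(mrn):
    """Anti-pattern: the code is a function of the MRN, so it is derived
    from PHI and anyone who knows the MRN can recompute it."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]

class Crosswalk:
    """Assigns random codes. The internal mapping is the re-identification
    key: it is stored apart from the released data and never disclosed."""

    def __init__(self):
        self._code_by_mrn = {}

    def code_for(self, mrn):
        if mrn not in self._code_by_mrn:
            code = secrets.token_hex(8)  # random, carries no patient data
            while code in self._code_by_mrn.values():  # collision guard
                code = secrets.token_hex(8)
            self._code_by_mrn[mrn] = code
        return self._code_by_mrn[mrn]

    def release(self, rows):
        """Rows for disclosure: MRN replaced by its code, mapping omitted."""
        return [{"code": self.code_for(r["mrn"]), "diagnosis": r["diagnosis"]}
                for r in rows]

if __name__ == "__main__":
    print(hashed_code("MRN-0042"))   # same output on every machine
    print(Crosswalk().release(ROWS))  # codes differ on every run
```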

Putting it all together

To de-identify under Safe Harbor, remove all items listed above and ensure you lack actual knowledge that remaining data could identify the person. When removal would impair utility, consider the Expert Determination method. Either way, implement administrative, technical, and physical PHI safeguards to maintain data privacy compliance.

FAQs

What are the 18 HIPAA identifiers?

They are the specific data elements that can identify a person within health records: names; geographic subdivisions smaller than a state; all elements of dates (except year) plus ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.

How is PHI protected under HIPAA?

Covered entities and their business associates must apply administrative, technical, and physical safeguards, follow the minimum necessary standard, manage access controls and audit logs, train workforce members, execute business associate agreements, assess risks, and report incidents as required. For de-identification, they must either remove all 18 identifiers under Safe Harbor or use Expert Determination to document a very small re-identification risk.

Can biometric data be considered PHI?

Yes. Biometric identifiers—such as fingerprints, voice prints, iris or retina patterns, hand geometry, and facial recognition templates—are explicitly listed among the 18 HIPAA identifiers. If such data is created or received by a covered entity or business associate in relation to health care or payment, it is PHI and requires appropriate safeguards.

What are examples of geographic identifiers under HIPAA?

Street address, apartment or unit number, city, county, precinct, ZIP code, and precise geocodes (including GPS coordinates) are geographic identifiers. Under Safe Harbor, only the first three ZIP digits may be retained if the combined area exceeds 20,000 people; otherwise the ZIP must be replaced with “000.”
