Beginner’s Guide to the 18 PHI Identifiers Under HIPAA


Kevin Henry

HIPAA

March 24, 2025


Overview of PHI Under HIPAA

Protected Health Information (PHI) is any patient identifiable data that relates to an individual’s past, present, or future health status, care, or payment and that can reasonably identify the person. Under the HIPAA Privacy Rule, PHI can exist in any format—paper, verbal, or electronic (ePHI)—and extends beyond clinical notes to billing records, call recordings, images, and device logs.

If you create, receive, maintain, or transmit PHI as a health plan, health care provider, or clearinghouse, you are a Covered Entity. Vendors handling PHI on your behalf are business associates. The HIPAA Security Rule sets baseline Health Information Security expectations for ePHI, requiring administrative, physical, and technical safeguards to reduce risk.

Practically, PHI is about both content and context: the same data (for example, a phone number) becomes PHI when it can be linked to a person’s health information within your environment. When you remove the identifiers that connect health data to an individual, the information may become de-identified and fall outside many HIPAA restrictions.

Detailed Explanation of Each PHI Identifier

  • Names: Any full or partial name that can identify a person, including initials when combined with other data.

  • Geographic subdivisions smaller than a state: Street address, city, county, precinct, and full ZIP code. Limited use of the first three ZIP digits may be permissible only when population thresholds are met; otherwise, they must be masked.

  • All elements of dates (except year) directly related to an individual: Birth, admission, discharge, and death dates; all ages over 89 must be grouped as 90 or older to reduce re-identification risk.

  • Telephone numbers: Any personal or work number that can link back to an individual.

  • Fax numbers: Often overlooked, but still a direct identifier in legacy workflows.

  • Email addresses: Personal or work emails, including aliases and departmental inboxes tied to a person.

  • Social Security numbers: A high-risk identifier that requires strong safeguards wherever stored or processed.

  • Medical record numbers: Any unique number assigned by a provider or facility to an individual’s chart.

  • Health plan beneficiary numbers: Member IDs from insurers or government programs.

  • Account numbers: Internal or external numbers tied to the individual (for example, patient portal accounts or billing accounts).

  • Certificate/license numbers: Driver’s licenses, professional license numbers, and similar credentials.

  • Vehicle identifiers and serial numbers: VINs and license plates associated with the individual.

  • Device identifiers and serial numbers: Unique IDs for implanted or personal devices traceable to a person.

  • Web URLs: Any URL that points to a resource uniquely associated with a specific individual.

  • IP address numbers: Static or dynamic IPs that can reasonably identify a person in context.

  • Biometric identifiers: Fingerprints, voiceprints, retinal/iris scans, and similar metrics.

  • Full-face photos and comparable images: Any image that can directly identify the person.

  • Any other unique identifying number, characteristic, or code: Catch-all category for identifiers not listed above; limited re-identification codes may be used if not derived from PHI and not disclosed externally.

Importance of De-Identification

De-identification lets you unlock value from data while reducing privacy risk and regulatory scope. When data no longer identifies an individual, it generally falls outside the HIPAA Privacy Rule, enabling safer sharing for analytics, quality improvement, and research.

De-Identification Standards

HIPAA recognizes two De-Identification Standards. Safe Harbor requires removing all 18 PHI identifiers and ensuring no actual knowledge of re-identification risk. Expert Determination relies on a qualified expert who applies statistical or scientific methods to conclude that the risk of re-identification is very small, with documented methods and assumptions.
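The Safe Harbor method described here, applied to the identifier list above, as an added Python example that is not from the original article: it drops direct identifiers, keeps only the year of every date, generalizes ZIP codes using the 20,000-person three-digit threshold in 45 CFR 164.514(b)(2), and collapses ages over 89 into one bucket while suppressing the birth year that would otherwise reveal such an age. The field names, three-digit ZIP populations and patient record are constructed for the example and describe no real person.

```python
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)): the first three ZIP digits may stay only when
# that three-digit area holds more than 20,000 people; otherwise they become "000".
ZIP3_POPULATION_THRESHOLD = 20_000
# Constructed populations for two three-digit ZIP areas (illustrative, not census data).
ZIP3_POPULATION = {"021": 650_000, "036": 9_000}

# Direct identifiers removed outright; the field names are constructed for this example.
DIRECT_IDENTIFIERS = {"name", "street", "city", "phone", "fax", "email", "ssn", "mrn", "member_id",
                      "account_no", "license_no", "vin", "device_serial", "url", "ip", "photo_ref"}

# Constructed patient record (no real person) and the reference date used to compute age.
SAMPLE = {"name": "Jane Q. Example", "street": "12 Elm St", "city": "Boston", "zip": "02115",
          "dob": date(1931, 6, 15), "admitted": date(2024, 3, 2), "ssn": "123-45-6789",
          "mrn": "MRN-0007", "ip": "203.0.113.7", "diagnosis": "E11.9"}
AS_OF = date(2025, 3, 24)


def safe_harbor_zip(zip_code: str) -> str:
    zip3 = zip_code[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > ZIP3_POPULATION_THRESHOLD else "000"


def age_on(birth: date, as_of: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record: dict, as_of: date) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                            # remove the identifier field entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = value.year     # any date keeps only its year
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        out["age"] = "90+" if age > 89 else str(age)   # ages over 89 collapse into one bucket
        if age > 89:
            out.pop("dob_year", None)           # a birth year alone would reveal the age
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, AS_OF))
```

Whether the output is still PHI also depends on the "no actual knowledge" condition and on whatever other fields the record carries; this transform only handles the identifier categories it names.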

Balancing Utility and Risk

Safe Harbor is straightforward but can reduce data utility (for example, generalizing dates or ZIP codes). Expert Determination can preserve more granularity while managing risk through techniques like generalization, suppression, and perturbation. Whichever path you choose, treat de-identification as an ongoing process, not a one-time task, especially when datasets evolve.

Limited Data Sets

A limited data set removes direct identifiers but may retain certain dates and geographies for specific purposes such as research or public health. It remains PHI and requires a Data Use Agreement. This option sits between fully identified PHI and fully de-identified data.


Compliance Requirements for Covered Entities

Build a comprehensive program aligned to the HIPAA Privacy Rule and Security Rule. Start with governance: assign privacy and security leadership, define roles, and document policies for access, use, and disclosure. Enforce the minimum necessary standard so users only see what they need.

Risk Assessment Procedures

Conduct an enterprise-wide risk analysis to identify where ePHI resides, how it flows, and the threats to confidentiality, integrity, and availability. Evaluate likelihood and impact, prioritize controls, and repeat assessments regularly or after major changes. Keep evidence of assessments and remediation.

Administrative, Physical, and Technical Safeguards

Train your workforce, manage user provisioning, and sanction violations. Control facility access, secure workstations and media, and apply device management. Implement technical safeguards such as unique user IDs, multi-factor authentication, role-based access, encryption in transit and at rest, and audit logging with routine review.

Third Parties and Data Lifecycle

Inventory vendors, execute business associate agreements, and verify their controls. Map data collection, sharing, retention, and disposal; use data minimization wherever possible. Maintain an incident response plan and a Data Breach Notification playbook that you can activate quickly.

Risks of Inadequate PHI Protection

Weak controls expose you and your patients to substantial harm. Attackers leverage phishing, credential stuffing, and ransomware to exfiltrate and encrypt ePHI, while cloud misconfigurations and unpatched systems create silent vulnerabilities. Lost or stolen devices and shadow IT widen exposure.

Insider threats, whether malicious or accidental, remain a leading cause of unauthorized access. Data linkage across public sources can re-identify poorly de-identified datasets. Beyond regulatory exposure, victims face identity theft and discrimination, and you face operational disruption and reputational damage.

Strategies to Secure PHI Data

Governance and Culture

  • Establish clear ownership for privacy and security; align leadership on risk appetite and accountability.
  • Embed privacy by design into product and workflow changes so PHI exposure is considered early.

Controls and Architecture

  • Implement least-privilege, role-based access with multi-factor authentication and periodic access reviews.
  • Encrypt ePHI in transit and at rest; use key management and strong hashing for sensitive identifiers.
  • Segment networks, adopt zero trust principles, and monitor with SIEM and anomaly detection.
  • Use data loss prevention to prevent exfiltration via email, web, and endpoints; mask or tokenize identifiers where feasible.

Operational Excellence

  • Run continuous vulnerability management and patching; secure cloud baselines with configuration monitoring.
  • Conduct tabletop exercises for incident response and Data Breach Notification so teams can act decisively.
  • Train staff regularly on phishing, handling of patient identifiable data, and proper disposal of media.
  • Apply De-Identification Standards to analytics pipelines; revisit expert assessments as datasets change.

Vendor and Data Ecosystem

  • Perform due diligence on vendors and require right-to-audit clauses; monitor integrations and data sharing.
  • Define retention and destruction schedules so PHI does not accumulate beyond business need.

Enforcement actions by the Office for Civil Rights can include civil monetary penalties assessed per violation, settlement agreements, and multi-year corrective action plans with monitoring. Penalty tiers consider factors like willful neglect, timeliness of correction, and organizational size.

Serious misconduct can trigger criminal liability for knowingly obtaining or disclosing PHI, and state attorneys general may bring actions under state law. Contractual fallout (lost customers, terminated agreements, and litigation) often exceeds regulatory fines. You must also follow applicable Data Breach Notification requirements, which can include notifying affected individuals and, in some cases, regulators and the media.

Bottom line: know the 18 PHI identifiers, apply sound de-identification, run disciplined risk assessments, and implement layered security to protect patients and your organization.

FAQs

What Are the 18 PHI Identifiers?

The 18 identifiers are: names; geographic subdivisions smaller than a state (including street address, city, county, and full ZIP code); all elements of dates (except year) and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers (including license plates); device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.

How Does Removing PHI Affect Data Use?

When you de-identify data under Safe Harbor or Expert Determination, it generally falls outside the HIPAA Privacy Rule, enabling broader sharing for analytics and research with lower risk. Safe Harbor can reduce utility by generalizing or removing fields, while Expert Determination preserves more detail by demonstrating a very small re-identification risk. A limited data set is another option, but it remains PHI and requires a Data Use Agreement.

What Are the Penalties for HIPAA Violations?

Penalties range from corrective action and civil monetary penalties in tiered amounts per violation to criminal sanctions for intentional misconduct. Regulators consider factors like the organization’s culpability, whether violations were corrected promptly, and prior history. Many cases include settlement agreements and multi-year corrective action plans, and state authorities may also pursue remedies under state law.

How Can Organizations Ensure PHI Compliance?

Establish governance, document policies, and train your workforce; conduct ongoing risk assessment procedures; implement administrative, physical, and technical safeguards; manage vendors with business associate agreements; minimize data collection and retention; apply De-Identification Standards where appropriate; and prepare an incident response and Data Breach Notification plan that you test regularly.
