Complete Guide to the 18 HIPAA Protected Health Information Identifiers

Overview of HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for Health Information Privacy by regulating how covered entities and business associates handle Protected Health Information (PHI). PHI is any health information that identifies an individual and is created or received by healthcare providers, plans, clearinghouses, or their vendors.

Under HIPAA, PHI typically resides in a Designated Record Set—medical, billing, and other records used to make decisions about you. The rule requires uses and disclosures to follow the “minimum necessary” standard, supports patient rights (access, amendments, accounting of disclosures), and mandates safeguards that uphold HIPAA compliance across people, processes, and technology.

Central to these protections are the 18 patient identifiers. When these identifiers are present with health data, the data is PHI. When they are properly removed or obscured using approved De-Identification Standards, the information is no longer PHI.

Detailed Explanation of Each Identifier

1. Names

Any full or partial name that could identify you—first, last, maiden, initials, or nicknames—qualifies. Even unusual combinations (e.g., first name plus rare profession) can re-identify someone.

2. Geographic subdivisions smaller than a state

Street address, city, county, precinct, ZIP code, and similar geocodes are identifiers. HIPAA allows only the initial three digits of a ZIP code if the geographic unit has more than 20,000 people; otherwise, the ZIP must be changed to “000.”

3. All elements of dates (except year) and ages over 89

Birth, admission, discharge, and death dates are identifiers when month or day is present. Ages over 89 and related date elements must be aggregated into a single “90 or older” category to reduce re-identification risk.

4. Telephone numbers

All phone numbers associated with you—mobile, landline, direct extensions, or call-back lines—are identifiers and must be removed or masked in de-identified datasets.

5. Fax numbers

Dedicated fax numbers, including electronic fax services linked to you or your household, are identifiers because they can connect health data to a specific person.

6. Email addresses

Personal or work email addresses identify you directly. Message content, headers, signatures, and embedded metadata can also reveal identifiers.

7. Social Security numbers

SSNs are highly sensitive identifiers. Even truncated or partially masked SSNs can raise re-identification risk if combined with other data.

8. Medical record numbers

MRNs uniquely link records to you within a provider or health system. They must not appear in de-identified outputs, screenshots, or logs.

9. Health plan beneficiary numbers

Policy IDs, member numbers, or subscriber identifiers associated with insurance coverage are protected and cannot be disclosed.

10. Account numbers

Numbers tied to your financial, patient, or portal accounts are identifiers. Tokenize or segregate these values in analytics environments.

11. Certificate or license numbers

Professional licenses, driver’s licenses, and similar credentials can single you out and must be removed from shared datasets.

12. Vehicle identifiers and serial numbers, including license plates

VINs, plate numbers, device telematics tied to a vehicle, and fleet IDs can reveal identity, especially in smaller communities.

13. Device identifiers and serial numbers

Implant or device serials, wearables’ IDs, and equipment barcodes can uniquely identify you or your treatment episode.

14. Web URLs

Links to patient portals, image viewers, or scheduling pages often embed unique tokens that identify you. Remove or generalize URLs.

15. IP address numbers

IP addresses logged during telehealth sessions, portal use, or remote monitoring can connect activity to a specific person or household.

16. Biometric identifiers (including finger and voice prints)

Fingerprints, palm prints, iris scans, facial geometry, and voice prints are highly sensitive Patient Identifiers. Strong Biometric Data Protection controls are required.

17. Full-face photographic images and comparable images

Any full-face photo or similar image that could identify you (e.g., distinctive tattoos in context) is protected and must not be disclosed.

18. Any other unique identifying number, characteristic, or code

This catch-all covers unique codes or features that could identify you. HIPAA permits a re-identification code if it is not derived from removed identifiers and the mechanism remains confidential.

Importance of Identifiers in PHI

Identifiers are the bridge between clinical data and your identity. When they are present with health information, the dataset is PHI and must follow HIPAA compliance rules. Removing them under approved De-Identification Standards allows data to be used for research, quality improvement, or public health with less privacy risk.

Accurate Patient Identifiers also support safety—matching you to the right chart, medication, and procedure. The challenge is balancing operational accuracy with Health Information Privacy so that only the minimum necessary identifiers are used and shared.

Compliance Requirements for Protected Data

To handle PHI lawfully, covered entities and business associates must implement administrative, physical, and technical safeguards and document how PHI within the Designated Record Set is used and disclosed.

• Administrative safeguards: risk analysis, policies, workforce training, sanctions, vendor management, and Business Associate Agreements.
• Physical safeguards: facility access controls, device/media controls, secure disposal, and protection of workstations and mobile devices.
• Technical safeguards: unique user IDs, multi-factor authentication, role-based access, encryption in transit and at rest, audit logs, and integrity controls.
• Minimum necessary and purpose limitation: access and disclose only the identifiers and data elements needed for the task.
• Patient rights: maintain processes for access, amendments, and disclosure accounting within required time frames.
• Incident response and breach notification: detect, investigate, mitigate, and notify as required; document all actions.

Methods to De-Identify PHI

Safe Harbor method

Remove all 18 identifiers from the dataset and ensure no actual knowledge remains that the data could identify you. Key elements include using only first three ZIP digits where population exceeds 20,000 (else “000”), aggregating ages 90+, and scrubbing free text, images, and metadata.

Expert Determination method

A qualified expert applies statistical or scientific principles to determine that the risk of re-identification is very small, documents methods and results, and recommends controls (e.g., k-anonymity thresholds, suppression, generalization, noise).

Related options and cautions

• Limited Data Set (LDS): allows certain elements (e.g., dates, city, state, ZIP) under a Data Use Agreement; it remains PHI and is not fully de-identified.
• Pseudonymization/tokenization: useful for analytics but still PHI unless Safe Harbor or Expert Determination criteria are met.
• Ongoing controls: apply access limits, data governance, and re-identification testing as your datasets evolve.

Risks of Identifier Exposure

Exposed identifiers can enable identity theft, financial fraud, stalking, discrimination, or reputational harm. In healthcare settings, misdirected messages, misconfigured cloud storage, compromised credentials, or vendor breaches are common causes.

Even without obvious identifiers, data can be re-identified by combining quasi-identifiers (e.g., rare diagnoses plus dates and locations). That is why Safe Harbor removal and Expert Determination controls are designed to lower linkage risks.

Best Practices for HIPAA Compliance

• Data inventory and classification: map where PHI and patient identifiers reside across applications, logs, images, and exports.
• Access management: enforce least privilege, multi-factor authentication, session timeouts, and rapid offboarding.
• Encryption and key management: encrypt PHI at rest and in transit; safeguard keys separately and rotate routinely.
• Secure engineering: prevent PHI in logs, redact screenshots, and automate Safe Harbor scrubbing of free text and images.
• Monitoring and DLP: use audit trails, anomaly detection, and data loss prevention to flag unusual access or exfiltration.
• Vendor oversight: execute Business Associate Agreements, review controls, and limit data sharing to the minimum necessary.
• Training and culture: deliver role-based training and simulate phishing; reinforce privacy-by-design in daily workflows.
• Lifecycle controls: set retention schedules and verify secure disposal for paper, media, and backups.

By rigorously managing the 18 identifiers, aligning with De-Identification Standards, and operationalizing safeguards, you can use health data responsibly while protecting privacy and maintaining HIPAA compliance.

FAQs

What are the 18 HIPAA identifiers?

They are: names; geographic subdivisions smaller than a state; all elements of dates (except year) and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers (including plates); device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers (e.g., finger/voice prints); full-face photos and comparable images; and any other unique identifying number, characteristic, or code.

How do geographic subdivisions affect PHI?

Street address, city, county, precinct, and ZIP code are identifiers. For de-identification, you may keep only the first three ZIP digits if the area has more than 20,000 people; otherwise, replace the ZIP with “000.” Smaller geocodes that could pinpoint you must be removed.

What measures protect PHI under HIPAA?

Implement administrative, physical, and technical safeguards: risk analysis, policies, training, BAAs, controlled facility access, secure device/media handling, strong authentication, role-based access, encryption, auditing, minimum necessary disclosures, and a tested incident response process.

How is PHI de-identified?

Use either Safe Harbor—remove all 18 identifiers and ensure no actual knowledge of identifiability remains—or Expert Determination, where a qualified expert documents that re-identification risk is very small and recommends controls such as suppression, generalization, or noise. Limited Data Sets help reduce risk but remain PHI and require a Data Use Agreement.