Decoding HIPAA: Understanding Protected Patient Identifiers
Overview of Protected Health Information
Protected Health Information (PHI) is any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate under the Health Insurance Portability and Accountability Act. PHI links a person to their past, present, or future physical or mental health status, care, or payment for care.
Covered entities include health plans, healthcare clearinghouses, and most healthcare providers, while business associates support those entities in handling PHI. In day-to-day operations and data sharing, strong healthcare data privacy practices are required to minimize risk and honor patient expectations.
HIPAA provides de-identification pathways for removing direct identifiers from PHI. Understanding which data points are treated as unique patient identifiers helps you decide what must be removed or protected before using information for analytics, research, or operations.
Listing the 18 HIPAA Identifiers
HIPAA’s Safe Harbor method identifies 18 data elements that must be removed to deem a data set de-identified. These are considered direct identifiers because they can reasonably identify a person on their own or in combination with other data.
- Names.
- All geographic subdivisions smaller than a state (for example, street address, city, county, precinct, ZIP code, and equivalent geocodes).
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death; and all ages over 89 and all elements of such ages (unless aggregated as 90 or older).
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) addresses.
- Biometric identifiers, including finger and voice prints.
- Full-face photographs and any comparable images.
- Any other unique identifying number, characteristic, or code (except a permitted re-identification code).
Identifying Geographic and Date Elements
Geographic elements
Geographic subdivisions smaller than a state—such as street address, city, county, or precinct—are direct identifiers. ZIP codes are also identifiers, with one limited exception: the initial three digits may be used only when the combined area for those three digits includes at least 20,000 people; otherwise, the three-digit ZIP must be replaced with 000.
Date elements
All elements of dates directly related to an individual (other than the year) are identifiers. That includes month and day, and any more granular timestamps such as hours and minutes for admissions, discharges, procedures, births, and deaths. Ages over 89, and any date elements that reveal such advanced age, must be aggregated into a single 90-or-older category.
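The geographic and date rules above turn into concrete transformations. The following is an added example (not code from the original page or from any HIPAA tool): it applies the three-digit ZIP rule against a constructed prefix-population table, reduces dates to the year, buckets ages over 89 as 90-or-older, and drops a birth year that would by itself reveal such an age. The population figures and the sample record are assumptions for illustration.

```python
import re
from datetime import date

# Constructed sample: people per 3-digit ZIP prefix (illustrative, not census data).
ZIP3_POPULATION = {"021": 150000, "036": 15000}

def generalize_zip(zip_code, zip3_population, threshold=20000):
    """Keep the first three ZIP digits only when the combined area for that prefix
    has more than `threshold` people; otherwise "000". Unknown prefixes are treated
    as small, the conservative choice."""
    prefix = re.sub(r"\D", "", zip_code or "")[:3]
    if len(prefix) < 3 or zip3_population.get(prefix, 0) <= threshold:
        return "000"
    return prefix

def generalize_age(age):
    """Ages over 89 collapse into a single 90-or-older bucket."""
    return "90+" if age > 89 else str(age)

def age_on(dob, as_of):
    """Completed years between dob and as_of (both date objects)."""
    before_birthday = (as_of.month, as_of.day) < (dob.month, dob.day)
    return as_of.year - dob.year - int(before_birthday)

def deidentify_record(rec, zip3_population, as_of_iso):
    """Build a Safe Harbor output row by allowlist: direct identifiers such as name,
    MRN, phone and email are never copied from the input. Dates are ISO strings."""
    dob = date.fromisoformat(rec["dob"])
    admitted = date.fromisoformat(rec["admitted"])
    age = age_on(dob, date.fromisoformat(as_of_iso))
    return {
        "zip3": generalize_zip(rec["zip"], zip3_population),
        # Month, day and time of day are identifiers; only the year survives.
        "admit_year": str(admitted.year),
        "age": generalize_age(age),
        # A birth year alone still reveals an age over 89, so drop it in that case.
        "birth_year": None if age > 89 else str(dob.year),
        "diagnosis": rec["diagnosis"],
    }

if __name__ == "__main__":
    sample = {"name": "Jane Doe", "mrn": "MRN-0001", "phone": "555-0100",
              "zip": "03601-1234", "dob": "1930-06-15", "admitted": "2023-03-04",
              "diagnosis": "I10"}
    print(deidentify_record(sample, ZIP3_POPULATION, "2024-01-10"))
```

The allowlist shape matters as much as the individual rules: a new input field is excluded by default rather than leaking through until someone notices it.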
Recognizing Contact and Account Identifiers
Contact points
Telephone numbers, fax numbers, and email addresses are direct identifiers because they provide a reliable way to contact a specific person. In the digital realm, URLs and IP addresses can also function as unique patient identifiers by pointing to a personal web resource or a device linked to an individual.
Account and administrative numbers
Social Security numbers, medical record numbers, health plan beneficiary numbers, and financial account numbers are highly sensitive. Certificate or license numbers (for example, a professional or driver’s license) also identify a person and must be removed or protected under HIPAA.
Related device and vehicle identifiers
Vehicle identifiers and license plates, as well as device identifiers and serial numbers, can uniquely tie records to a person through ownership or use. Even without names, these values can enable re-identification when combined with other data.
Addressing Biometric and Photographic Data
Biometric identifiers—such as finger and voice prints—are direct identifiers because they are inherently unique to an individual. Other modalities used for identification (for example, faceprints derived from facial recognition) should be treated with the same caution when they can identify a person.
Full-face photographs and comparable images are direct identifiers. If you must disclose or publish images, remove or obscure the face and any distinctive features (such as unique tattoos or scars) that could reasonably identify a person, and ensure image metadata does not reveal identity.
Understanding PHI Beyond Electronic Records
PHI is not limited to electronic records. It includes information in any form or medium—paper, digital, or oral—when handled by a covered entity or business associate. While the Security Rule targets electronic PHI, the Privacy Rule governs PHI broadly, regardless of format.
How PHI de-identification works
- Safe Harbor: remove all 18 identifiers and ensure the covered entity has no actual knowledge that remaining information could identify an individual.
- Expert Determination: a qualified expert applies accepted statistical or scientific methods to determine that the risk of re-identification is very small, documenting the analysis and controls.
Choosing the right path depends on your use case, data utility needs, and organizational risk tolerance.
Exclusions from PHI Coverage
Not all health-related information is PHI. These common exclusions help you scope obligations accurately while maintaining strong healthcare data privacy practices.
- De-identified data produced via Safe Harbor or Expert Determination.
- Employment records held by a covered entity in its role as an employer (for example, ADA accommodations documentation in HR files).
- Education records covered by FERPA and treatment records of students maintained by educational institutions.
- Individually identifiable health information about a decedent more than 50 years after death.
- Consumer health data collected by apps or devices that are not acting on behalf of a covered entity or business associate; while not PHI, other privacy laws may apply.
FAQs
What Are the 18 HIPAA Patient Identifiers?
They are the specific data elements HIPAA designates as direct identifiers: names; smaller-than-state geographic details; date elements (except year) and ages over 89; phone, fax, and email; Social Security, medical record, health plan beneficiary, account, and certificate/license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photos; and any other unique identifying number or code.
How Is PHI Protected Under HIPAA?
Covered entities and business associates must implement administrative, physical, and technical safeguards; apply the minimum necessary standard; manage access controls and audits; train workforce members; execute business associate agreements; conduct risk analyses; and follow breach notification rules. These requirements protect PHI across paper, verbal, and electronic forms.
What Information Is Excluded from PHI?
De-identified data, employment records held by an employer, education records under FERPA, and individually identifiable health information about a decedent after 50 years are not PHI. Health data collected by apps or devices outside a covered entity relationship may also fall outside HIPAA, though other regulations can still apply.
How Do Biometric Identifiers Fit into HIPAA Rules?
Biometric identifiers—explicitly including finger and voice prints—are direct identifiers and must be removed for PHI de-identification or safeguarded when used for treatment, payment, or operations. If biometric templates or faceprints can identify a person, treat them as identifiers and secure them with rigorous access controls, encryption, and retention limits.