HIPAA Identifying Information: What Counts as PHI? The 18 Identifiers Explained with Examples


Kevin Henry

HIPAA

February 27, 2024

7 minute read

Overview of HIPAA and PHI

HIPAA’s Privacy Rule protects “individually identifiable health information” held or transmitted by covered entities and their business associates. When health data can identify a person—or there is a reasonable basis to believe it could—it is protected health information (PHI).

PHI can exist in any form: electronic records, paper files, or spoken information. What makes it PHI is the combination of health details with HIPAA identifying information tied to an individual, not just the presence of medical facts.

Covered entities include providers, health plans, and clearinghouses, while business associates handle PHI for them. Meeting HIPAA compliance requirements involves documented policies, workforce training, vendor oversight, and layered PHI safeguards across administrative, physical, and technical controls.

Detailed Explanation of the 18 Identifiers

The Privacy Rule’s De-identification Standard lists eighteen data elements that make health information identifiable. Removing or managing these elements is central to compliant use and sharing.

  1. Names — First and last names, initials with context, or any part of a name that could point to a specific person.
  2. Geographic subdivisions smaller than a state — Street address, city, county, precinct, and ZIP Code. Safe Harbor allows only the first three ZIP digits when the combined area has more than 20,000 people; otherwise use 000.
  3. All elements of dates (except year) related to an individual — Birth, admission, discharge, death, appointment dates, and exact ages. Ages over 89 must be grouped as “90 or older.”
  4. Telephone numbers — Mobile, landline, direct extensions, or voicemail numbers tied to a person.
  5. Fax numbers — Any fax number that links to an individual or their household.
  6. Email addresses — Personal or work emails that can identify a patient, member, or subscriber.
  7. Social Security numbers — Full or partial SSNs, including truncated forms that remain linkable.
  8. Medical record numbers — Any internal record locator that uniquely identifies a patient within a system.
  9. Health plan beneficiary numbers — Member IDs, subscriber IDs, and similar plan identifiers.
  10. Account numbers — Billing accounts, patient portal accounts, or other finance-related accounts.
  11. Certificate/license numbers — Driver’s licenses, professional licenses, or other issued credentials.
  12. Vehicle identifiers and serial numbers — VINs, license plates, and device IDs embedded in vehicle systems.
  13. Device identifiers and serial numbers — Implant serials, equipment IDs, or wearable device IDs when linkable to a patient.
  14. Web URLs — Profile or portal URLs that reveal identity or access specific patient resources.
  15. IP addresses — Static or dynamic IPs that can reasonably point back to an individual.
  16. Biometric identifiers — Fingerprints, voiceprints, and similar biometric templates (e.g., retinal or iris scans).
  17. Full-face photographs and comparable images — Any image enabling recognition of the individual.
  18. Any other unique identifying number, characteristic, or code — Catch‑all category for custom IDs or traits; internal re-identification codes are only permitted when not derived from personal data and kept confidential.

These identifiers matter in context. A device serial number alone may be benign, but paired with treatment details it becomes PHI. Always consider re-identification risk when combining data points.

Examples of Identifying Information

Typical PHI combinations

  • Clinic visit notes that include a name, birth date, and diagnosis.
  • Insurance claim files listing member IDs, procedure codes, and dates of service.
  • Patient portal messages containing email addresses, appointment details, and lab results.
  • Radiology images with embedded metadata showing full-face photographs or medical record numbers.
  • Remote monitoring feeds where a wearable’s device ID is tied to heart rate trends for a named patient.

Not PHI by itself (but can become PHI in context)

  • Generic health education content with no identifiers.
  • Aggregated statistics (e.g., readmission rates) when individuals cannot be singled out.
  • Anonymized research data where the 18 identifiers are removed and re-identification risk is acceptably low.

Edge cases to evaluate

  • De-identified datasets with rare conditions and fine-grained dates or locations can still expose identity.
  • Hashed identifiers may still be PHI if the hash is reversible or linkable without sufficient controls.
  • IP addresses collected by a provider’s website can be PHI when tied to appointment scheduling or symptom intake.

Importance of PHI Compliance

Strong PHI safeguards protect patients, preserve trust, and reduce breach costs. They also enable responsible data use for care coordination, quality improvement, and research.

Key HIPAA compliance requirements include risk analysis, least‑privilege access, encryption, auditing, retention and disposal standards, incident response, and business associate oversight. Applying the minimum necessary standard limits unnecessary exposure.

Embedding privacy by design helps you avoid violations: data mapping, role‑based access, identifier masking where feasible, and robust monitoring to detect anomalous access or exfiltration.


De-identification and Anonymization Techniques

Two paths under the De-identification Standard

  • Safe Harbor — Remove all 18 identifiers and ensure the covered entity has no actual knowledge that remaining data could identify the person. This includes the three‑digit ZIP and age ≥90 rules.
  • Expert Determination — A qualified expert applies statistical or scientific principles to conclude the re-identification risk is very small, documents methods, and establishes safeguards.

Practical techniques

  • Generalization — Broaden granular values (e.g., convert exact dates to month or quarter; ages to ranges).
  • Suppression — Remove outliers or small cells that can single out individuals.
  • Pseudonymization — Replace direct identifiers with tokens not derived from personal data; keep the key separate.
  • Perturbation — Apply noise or date-shifting to reduce linkage, preserving analysis utility while limiting re-identification risk.
  • Aggregation — Report only at group levels that meet minimum counts to prevent singling out.
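As an added illustration (not code from the original article or from Accountable), the routine below applies the Safe Harbor rules from the identifier list above together with the pseudonymization technique just described: it drops direct-identifier fields, reduces ZIP Codes to three digits or 000, keeps only the year of dates, collapses ages over 89 into "90 or older", and issues a random re-identification token whose key is held in a separate store. The low-population ZIP3 set, field names and sample record are constructed assumptions; in practice the ZIP3 set must be derived from Census data.

```python
import random
from datetime import date

# Constructed placeholder set of ZIP3 prefixes whose combined population is 20,000
# or fewer; the authoritative set must be derived from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "893"}
# Fields holding direct identifiers (Safe Harbor items 1, 4-15, 17): dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "member_id",
                            "account_no", "license_no", "vin", "device_serial", "url", "ip", "photo"}

def generalize_zip(zip_code: str) -> str:
    """Item 2: keep the first three digits only if the ZIP3 area has more than 20,000 people."""
    zip3 = zip_code.strip()[:3]
    return "000" if len(zip3) < 3 or zip3 in LOW_POPULATION_ZIP3 else zip3

def generalize_age(birth_iso: str, as_of_iso: str) -> str:
    """Item 3: ages over 89 are collapsed into the single category '90 or older'."""
    b, now = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = now.year - b.year - ((now.month, now.day) < (b.month, b.day))
    return "90 or older" if age >= 90 else str(age)

def deidentify(record: dict, as_of_iso: str, key_store: dict) -> dict:
    """Apply Safe Harbor to one record; the re-identification key goes only into key_store."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out["age"] = generalize_age(value, as_of_iso)
        elif field.endswith("_date"):  # item 3: keep only the year of any other date
            out[field[:-5] + "_year"] = str(date.fromisoformat(value).year)
        else:
            out[field] = value  # clinical content such as the diagnosis is retained
    # Item 18: a random token not derived from any personal data; the mapping is kept separately.
    token = "P-%08d" % random.SystemRandom().randrange(10**8)
    key_store[token] = record.get("mrn")
    out["pseudonym"] = token
    return out

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"name": "Jane Example", "mrn": "MRN-0000123", "email": "jane@example.invalid",
                 "ip": "203.0.113.7", "zip": "03601", "birth_date": "1930-05-20",
                 "admission_date": "2024-02-14", "diagnosis": "I10"}

def run_sample() -> tuple:
    key_store = {}
    return deidentify(SAMPLE_RECORD, "2024-02-27", key_store), key_store
```

Note that the output still needs the "no actual knowledge" check and, for rare diagnoses combined with year and ZIP3, an Expert Determination review; Safe Harbor field rules alone do not guarantee a low re-identification risk.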

Technique choice depends on use case, data utility needs, and acceptable re-identification risk. Document decisions and controls, and reassess as datasets change or link to other sources.

Common Misconceptions about PHI

  • “Only electronic data is PHI.” Paper and oral information can be PHI too.
  • “Consent removes HIPAA obligations.” Authorizations enable certain uses but do not waive the Privacy Rule or security duties.
  • “Encrypted data isn’t PHI.” It remains PHI; encryption is a safeguard and may provide safe harbor from breach notifications if keys are not compromised.
  • “If I remove names, the data is de-identified.” Indirect identifiers like dates and locations can still enable re-identification.
  • “HIPAA covers all health apps.” HIPAA applies to covered entities and their business associates. Some consumer apps may fall outside HIPAA yet still raise health information privacy concerns.
  • “Small datasets are always safe.” Small cell sizes can increase identifiability and must be handled carefully.

Enforcement and Penalties for Violations

HIPAA is enforced by the Office for Civil Rights. Actions range from technical assistance to resolution agreements with corrective action plans and civil monetary penalties based on four tiers of culpability.

Penalties consider factors like the nature of the violation, number of individuals affected, harm caused, and organization size. State attorneys general can also enforce, and large breaches trigger individual notifications and public reporting.

Common pitfalls include insufficient risk analysis, weak access controls, lack of vendor management, and delayed breach response. Consistent training, audits, and documented processes reduce exposure.

Conclusion

Understanding HIPAA identifying information and the 18 identifiers helps you handle PHI correctly, design effective safeguards, and enable data use without compromising privacy. Use the De-identification Standard thoughtfully, minimize re-identification risk, and align operations to the Privacy Rule for durable compliance.

FAQs

What information is considered PHI under HIPAA?

PHI is health information that relates to a person’s condition, care, or payment and includes one or more identifiers that can identify the individual. It is protected when created or received by covered entities or business associates, regardless of format.

How many identifiers define PHI?

HIPAA’s De-identification Standard lists 18 identifiers. When these are present with health data, the information is considered identifiable and therefore PHI under the Privacy Rule.

Can geographic data be PHI?

Yes. Any geographic subdivision smaller than a state—such as street address, city, county, precinct, or ZIP Code—is identifying. Under Safe Harbor, only the first three ZIP digits may remain when the population threshold is met; otherwise they must be masked.

What is the importance of de-identification in HIPAA?

De-identification enables valuable analysis and sharing while protecting individuals. By removing the 18 identifiers or using expert methods to reduce re-identification risk, you can use data more freely and responsibly without compromising health information privacy.
