HIPAA PHI: Complete List of the 18 Identifiers You Need to Know


Kevin Henry

HIPAA

February 28, 2024

7 minutes read

Overview of HIPAA PHI

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is any health-related information that identifies, or could reasonably identify, an individual. HIPAA treats a specific set of Health Information Identifiers as inherently identifying, which triggers strict HIPAA Compliance Requirements when such data is created, received, maintained, or transmitted by covered entities and business associates.

For de-identification, HIPAA permits two paths: Safe Harbor (remove the 18 identifiers and have no actual knowledge of identifiability) or Expert Determination (statistical assessment that the risk of re-identification is very small). Sound Identifier Aggregation Policies—such as grouping ages into ranges—support PHI De-identification Standards and strengthen Patient Data Security throughout your environment.

Detailed Explanation of 18 Identifiers

  • Names: First, last, maiden, initials, or any part of a person’s name that could identify them.

  • Geographic subdivisions smaller than a state: Street address, city, county, precinct, ZIP code, and equivalent geocodes. Nuances on ZIP codes are discussed in the next section.

  • All elements of dates (except year) related to an individual: Birth, admission, discharge, death, and ages over 89. Details and aggregation rules follow below.

  • Telephone numbers: Any personal or work phone that can reach the individual.

  • Fax numbers: Traditional or online fax identifiers associated with the person.

  • Email addresses: Personal, work, alias, or forwarding addresses.

  • Social Security numbers: Full or partial if it can identify the person when combined with other data.

  • Medical record numbers: Unique numbers assigned within clinical systems or EHRs.

  • Health plan beneficiary numbers: Member IDs, subscriber IDs, and related plan identifiers.

  • Account numbers: Financial, billing, patient portal, or internal account identifiers.

  • Certificate/license numbers: Professional licenses, driver’s license numbers, and similar credentials.

  • Vehicle identifiers and serial numbers: VINs, license plate numbers, and other vehicle tags.

  • Device identifiers and serial numbers: Implant, monitor, or home-use medical device IDs and serials.

  • Web URLs: Links that point to a person’s profile, record, or page uniquely tied to them.

  • IP address numbers: Network addresses that can reasonably identify the individual or their household.

  • Biometric identifiers: Fingerprints and voice prints used for identification or authentication.

  • Full-face photographs and comparable images: Still images or video frames showing the full face.

  • Any other unique identifying number, characteristic, or code: Identifiers that single out a person, except internal re-identification codes permitted by HIPAA when stored separately.

Geographic Subdivisions and Dates

Geographic subdivisions smaller than a state

Street address, city, county, precinct, and ZIP code are PHI when linked to health data. HIPAA’s Safe Harbor allows only the first three digits of a ZIP code to remain if the area formed by those three digits has more than 20,000 people; otherwise, replace the three digits with 000. When in doubt, remove or generalize to the state level to meet PHI De-identification Standards.

All elements of dates (except year)

All date elements linked to a person—day, month, and specific dates for birth, admission, discharge, and death—are PHI. You may disclose the year only. Ages over 89 and any date elements that imply age 90+ must be aggregated into a single “age 90 or older” category to prevent singling out very small populations, aligning with Identifier Aggregation Policies.
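The ZIP, date and age rules above can be applied mechanically. The following is an added example (not code from the article or from Accountable) that generalizes one record the Safe Harbor way; the `ZIP3_POPULATION` table and the sample record are constructed for illustration, and real use needs current Census figures for each three-digit prefix.

```python
"""Safe Harbor generalization of ZIP codes, dates and ages (added example)."""
from datetime import date

# Constructed lookup: population of the area covered by each 3-digit ZIP prefix.
# These numbers are made up for the example; use current Census data in practice.
ZIP3_POPULATION = {
    "021": 1_900_000,  # large metro prefix (constructed)
    "036": 12_000,     # sparsely populated prefix (constructed)
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first 3 digits only if that area has more than 20,000 people, else '000'."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("expected a 5- or 9-digit ZIP code")
    prefix = digits[:3]
    # An unknown prefix is treated conservatively (population 0 -> '000').
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_date(d: date) -> str:
    """Every date element except the year is removed."""
    return str(d.year)


def age_category(birth: date, as_of: date) -> str:
    """Ages over 89 collapse into a single 'age 90 or older' category."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90 or older" if age >= 90 else str(age)


def deidentify(record: dict, as_of: date) -> dict:
    """Emit only the Safe Harbor-permitted forms of the identifying fields."""
    age = age_category(record["birth_date"], as_of)
    over_89 = age == "90 or older"
    return {
        "zip3": generalize_zip(record["zip"]),
        # A bare birth year would still reveal age 90+, so it is suppressed for that group.
        "birth_year": None if over_89 else generalize_date(record["birth_date"]),
        "admission_year": generalize_date(record["admission_date"]),
        "age": age,
    }


if __name__ == "__main__":
    sample = {"zip": "02139-1234", "birth_date": date(1930, 1, 1),
              "admission_date": date(2023, 5, 6)}  # constructed record
    print(deidentify(sample, date(2024, 2, 28)))
```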

Contact and Account Identifiers

Direct contact channels

Telephone, fax, and email provide direct access to an individual, so they are PHI when connected to health information. Limit use under the minimum necessary standard, redact in free-text fields, and avoid copying these values into logs or test data.

Identity and account numbers

SSN, medical record numbers, health plan beneficiary numbers, and general account numbers uniquely tie records to individuals. Use tokenization, format-preserving encryption, or salted hashes; display only the last few characters to staff with a legitimate need under HIPAA Compliance Requirements.

Certificates and licenses

Professional licenses and government IDs (such as driver’s licenses) can trace back to a person. Validate necessity before collection, store separately from clinical notes, and purge on retention schedules to strengthen Patient Data Security.

Digital contact points

URLs and IP addresses can identify a person or their household when associated with health events. Avoid embedding live identifiers in hyperlinks or analytics beacons; rotate IP logs and scrub query strings that carry user-specific tokens.


Biometric and Photographic Identifiers

Biometric identifiers

Fingerprints and voice prints used for identity verification are PHI when linked to health data. Restrict enrollment, store templates securely (not raw images), and protect matching logs, which can reveal health-service usage patterns.

Photographic images

Full-face photos and comparable images—including video frames—are PHI. Remove or blur faces when images are needed for education or marketing, and strip metadata that could re-identify individuals. Apply consent workflows aligned with the HIPAA Privacy Rule before any permissible disclosure.

Privacy Rule and minimum necessary

The HIPAA Privacy Rule requires you to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. Role-based access, data segmentation, and purpose-based policies help operationalize this principle for Health Information Identifiers.

Breach notification and enforcement

If unsecured PHI is breached, notify affected individuals, HHS, and in some cases the media without unreasonable delay and within 60 calendar days of discovery. Maintain incident response plans, risk assessments, and evidence logs to support investigations and demonstrate compliance.

Penalties and contracts

HIPAA enforcement uses tiered civil penalties with higher tiers for willful neglect, and criminal penalties may apply in egregious cases. Business Associate Agreements must bind vendors to appropriate safeguards, reporting duties, and PHI De-identification Standards.

Compliance and Safeguarding PHI

Data governance and inventory

• Map where PHI enters, flows, and leaves your systems; label fields containing the 18 identifiers.
• Define Identifier Aggregation Policies for dates, small geographies, and ages 90+ to reduce re-identification risk.

Access, security, and monitoring

• Apply least-privilege access, MFA, and network segmentation; encrypt PHI at rest and in transit.
• Deploy DLP, e-discovery, and logging to prevent exfiltration and to detect policy violations quickly.

De-identification and lifecycle controls

• Use Safe Harbor for routine sharing by removing all 18 identifiers, or use Expert Determination for richer datasets.
• Implement retention, disposal, and irreversible destruction procedures for backups, exports, and test data.

Training and vendor management

• Train workforce members on recognizing PHI, especially in free-text and images, and on the minimum necessary rule.
• Vet vendors, execute BAAs, and require secure handling of PHI in integrations, analytics, and support tickets.

Conclusion

Knowing the HIPAA PHI identifiers—and how geography, dates, contact data, biometrics, and images trigger obligations—lets you design processes that protect individuals while enabling care and operations. Combine clear policies, technical safeguards, and de-identification to meet HIPAA Compliance Requirements and strengthen Patient Data Security.

FAQs

What are the 18 HIPAA identifiers for PHI?

The 18 identifiers are: names; geographic subdivisions smaller than a state; all elements of dates (except year) and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP address numbers; biometric identifiers (finger and voice prints); full-face photographs and comparable images; and any other unique identifying number, characteristic, or code (except permitted re-identification codes kept separately).

How does HIPAA define Protected Health Information?

PHI is individually identifiable health information—any information that relates to a person’s health status, provision of care, or payment for care, which identifies the individual or could reasonably be used to identify them. PHI can exist in any medium: electronic, paper, or oral.

Are biometric identifiers always considered PHI?

When biometric identifiers like fingerprints or voice prints are created, received, maintained, or transmitted by a covered entity or business associate in connection with healthcare, they are PHI. Even outside clinical systems, if biometrics are linked with health-related context, treat them as PHI under the HIPAA Privacy Rule.

What steps ensure compliance with HIPAA for these identifiers?

Inventory where the identifiers live; apply the minimum necessary rule; enforce role-based access and encryption; monitor with DLP and logging; train staff; execute BAAs with vendors; and use Safe Harbor or Expert Determination for de-identification. Establish clear Identifier Aggregation Policies for small geographies, detailed dates, and ages 90+ to reduce re-identification risk.
