HIPAA PHI List: The 18 Identifiers of Protected Health Information (With Examples)
Overview of HIPAA PHI
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information: information that identifies an individual (or could reasonably be used to identify them) and relates to past, present, or future physical or mental health, the provision of health care, or payment for care. PHI can exist in any form (electronic, paper, or oral), and the rule applies to covered entities and the business associates that create, receive, maintain, or transmit PHI on their behalf.
In practice, PHI equals health information plus one or more of the 18 unique identifiers on the HIPAA PHI list. If the identifiers are removed or the data is sufficiently de-identified, it is no longer PHI. This boundary guides day-to-day decisions about sharing, analyzing, and storing protected health data.
The concept of a Designated Record Set matters because it defines the records used to make decisions about individuals (for example, medical and billing records). Individuals have rights to access and obtain copies of PHI in that set, while organizations must safeguard it through strong health information security controls.
HIPAA has two complementary pillars: the Privacy Rule governs permissible uses and disclosures; the Security Rule sets administrative, physical, and technical safeguards for electronic PHI (ePHI). Both rules inform policies, technology choices, and audit readiness.
Detailed Explanation of the 18 Identifiers
Below is the list of 18 identifiers taken from the Safe Harbor de-identification standard (45 CFR 164.514(b)(2)). The identifiers cover the individual and also the individual's relatives, employers, and household members. Presence of any item alongside health information makes the data identifiable under the Privacy Rule.
- Names (full or partial names that can identify a person).
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes). The first three digits of a ZIP code may be kept when the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise they are changed to 000.
- All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, plus all ages over 89 and any date element (including year) that reveals such an age; ages 90 and over may be aggregated into a single category of "90 or older".
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers (for example, patient billing or bank account numbers).
- Certificate and license numbers (such as professional licenses or driver’s licenses).
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers (for example, implanted device serials).
- Web URLs.
- IP address numbers.
- Biometric identifiers (for example, fingerprints, voiceprints, retina or iris scans).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code that can identify an individual (except a re-identification code kept separately and not disclosed).
These unique identifiers apply regardless of where the information appears—EHRs, claims files, call recordings, images, or data extracts. If any are present with health details, the dataset is PHI.
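As an added example (not code from the article or from any vendor's product), the following Python scanner finds the structured identifiers from the list above in free text and redacts them, the kind of check that feeds a data loss prevention rule or a pre-export review. The patterns, the category labels, and the sample clinical note are constructed for this illustration. Regular expressions catch formatted identifiers (SSNs, phone numbers, email addresses, IP addresses, URLs, dates, MRN-style codes); they do not catch names, spelled-out dates, or free-text descriptions, which need dictionary or named-entity approaches, so the patient name in the sample note deliberately survives redaction.

```python
"""Regex-based scanner for structured HIPAA identifiers in free text.

Added example for this article, not the article's own tooling. The patterns, the
category names and SAMPLE_NOTE are constructed for illustration.
"""
import re
from dataclasses import dataclass

# One pattern per identifier category. Order does not matter; findings are sorted
# by position and overlapping matches are resolved longest-first.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"""https?://[^\s<>"']*[^\s<>"'.,;:)]"""),
    # Full dates only; a bare year ("2025") is permitted under Safe Harbor and is not flagged.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE),
}


@dataclass
class Finding:
    category: str
    text: str
    start: int
    end: int


def find_identifiers(text: str) -> list:
    """Return non-overlapping findings sorted by position in `text`."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append(Finding(category, m.group(), m.start(), m.end()))
    # Earliest start first; for the same start prefer the longest match (e.g. a URL
    # that embeds an IP address wins over the bare IP).
    hits.sort(key=lambda f: (f.start, -(f.end - f.start)))
    kept, last_end = [], -1
    for f in hits:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def redact(text: str):
    """Replace each finding with a category token; returns (redacted_text, findings)."""
    findings = find_identifiers(text)
    pieces, pos = [], 0
    for f in findings:
        pieces.append(text[pos:f.start])
        pieces.append(f"[{f.category.upper()}]")
        pos = f.end
    pieces.append(text[pos:])
    return "".join(pieces), findings


# Constructed sample note; no real patient, numbers from reserved/example ranges.
SAMPLE_NOTE = (
    "Pt Jane Q. Public (MRN-000123, DOB 02/14/1931) seen 2024-03-02; "
    "call back at (617) 555-0142 or jane@example.net. SSN on file 123-45-6789. "
    "Portal access from 203.0.113.7 via https://portal.example.org/visit/9981. "
    "Dx I50.9; f/u in 2025."
)

if __name__ == "__main__":
    redacted, found = redact(SAMPLE_NOTE)
    for f in found:
        print(f"{f.category:6} {f.text}")
    print(redacted)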
Examples of PHI in Healthcare
Clinical care and documentation
Progress notes that include a patient’s name, date of birth, and diagnosis; operative reports with admission and discharge dates; radiology images containing embedded patient demographics are PHI because they pair health details with identifiers.
Revenue cycle and insurance
Claims forms listing health plan beneficiary numbers, procedure codes, dates of service, and subscriber addresses; prior authorization packets with medical record numbers and physician NPI references (the NPI identifies the clinician, but the packet is PHI because of the patient identifiers it carries) all constitute PHI.
Telehealth and patient portals
Secure messages that include email addresses, symptoms, and appointment dates; telehealth recordings with full-face images and IP addresses; portal downloads that carry account numbers and lab results are PHI.
Diagnostics, labs, and pharmacy
Lab reports with specimen collection dates and patient identifiers; pharmacy dispensing records tied to names, addresses, and refill dates; device data streams labeled with unique device identifiers are PHI.
Workforce, vendors, and operations
Call center recordings capturing names and birth dates; spreadsheets sent to a billing vendor with account numbers and diagnosis information; backups containing URL logs and medical record numbers all include PHI.
De-Identification and Its Importance
The HIPAA De-Identification Standard (45 CFR 164.514) allows organizations to transform PHI into data that is no longer regulated as PHI. Two pathways exist. Under the Safe Harbor method, all 18 identifiers are removed and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. Under the Expert Determination method, a qualified expert applies generally accepted statistical or scientific methods, determines that the risk of re-identification is very small, and documents the methods and results of that analysis.
De-identification unlocks research, quality improvement, and analytics while reducing privacy risk and compliance burden. Still, organizations must manage residual risk—linkage attacks, rare disease outliers, and granular timestamps can re-identify individuals if not handled carefully.
A Limited Data Set is a middle ground: it excludes direct identifiers (names, street addresses, phone and fax numbers, email addresses, SSNs, medical record and health plan numbers, and the like) but may retain dates and city, state, and ZIP code for research, public health, and health care operations under a data use agreement. It remains PHI and requires contractual and security controls.
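The Safe Harbor transformation and the Limited Data Set described above, as an added example that is not the article's own code: a field-level de-identifier for a structured patient record, with an independent check that reports why a record would still fail Safe Harbor. The field names, the two sample records, the reference date for computing age, and the 3-digit ZIP population table are all constructed for this illustration; in practice the ZIP table comes from current Census data and the reference date from the dataset itself.

```python
"""Field-level de-identification of a structured patient record.

Added example for this article, not the article's or any vendor's code. Field names,
SAMPLE_RECORDS, ZIP3_OVER_20K and the default reference date are constructed.
"""
from datetime import date

# Safe Harbor keeps the first three ZIP digits only when all ZIPs sharing them hold
# more than 20,000 people in total; otherwise they become 000. Constructed lookup,
# not Census data.
ZIP3_OVER_20K = {"021": True, "033": False, "104": True}

# Identifiers removed outright under Safe Harbor and also excluded from a Limited
# Data Set. State, diagnosis codes and other clinical fields pass through.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
SUBSTATE_GEO = {"street", "city", "county"}   # ZIP is handled separately


def generalize_zip(zip5: str) -> str:
    """Safe Harbor ZIP rule: 3-digit prefix if its area exceeds 20,000 people, else 000."""
    zip3 = zip5[:3]
    return zip3 if ZIP3_OVER_20K.get(zip3, False) else "000"


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, mode: str = "safe_harbor", as_of: date = date(2024, 6, 30)) -> dict:
    """Return a transformed copy of `record` for `mode` ("safe_harbor" or "limited").

    Safe Harbor: drop direct identifiers and sub-state geography, reduce ZIP to three
    digits or 000, keep only the year of each date, and collapse ages of 90 and over
    into "90+" (also dropping the birth year, which would otherwise reveal the age).
    Limited Data Set: drop direct identifiers and street address but keep city, state,
    full ZIP and full dates; the result is still PHI and needs a data use agreement.
    """
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode: {mode}")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "street":
            continue                                   # removed in both modes
        if field in SUBSTATE_GEO:                      # city / county
            if mode == "limited":
                out[field] = value
        elif field == "zip":
            out[field] = value if mode == "limited" else generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field] = value if mode == "limited" else value.year
        else:
            out[field] = value
    if mode == "safe_harbor" and "dob" in record:
        age = age_on(record["dob"], as_of)
        if age >= 90:
            out["age"] = "90+"
            out.pop("dob")
        else:
            out["age"] = age
    return out


def safe_harbor_violations(record: dict) -> list:
    """Independent check: reasons `record` would fail Safe Harbor (empty list = passes)."""
    problems = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUBSTATE_GEO:
            problems.append(f"identifier present: {field}")
        elif isinstance(value, date):
            problems.append(f"full date present: {field}")
        elif field == "zip" and len(value) > 3:
            problems.append("ZIP longer than 3 digits")
        elif field == "age" and isinstance(value, int) and value >= 90:
            problems.append("exact age of 90 or over")
    return problems


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Jane Q. Public", "dob": date(1931, 2, 14), "ssn": "123-45-6789",
     "mrn": "MRN-000123", "email": "jane@example.net", "street": "1 Main St",
     "city": "Boston", "state": "MA", "zip": "02115", "ip": "203.0.113.7",
     "admission_date": date(2024, 3, 2), "discharge_date": date(2024, 3, 9),
     "diagnosis": "I50.9"},
    {"name": "John Doe", "dob": date(1985, 11, 30), "mrn": "MRN-000456",
     "street": "5 Elm Rd", "city": "Concord", "state": "NH", "zip": "03301",
     "admission_date": date(2024, 5, 20), "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        sh = deidentify(rec)
        print("safe harbor:", sh, "->", safe_harbor_violations(sh) or "passes")
        print("limited data set:", deidentify(rec, mode="limited"))
```

Note what the checker cannot see: even a record that passes every rule above may still be re-identifiable through a rare diagnosis, an unusual combination of year, state and age, or linkage to another dataset, which is why Safe Harbor also requires no actual knowledge of re-identifiability and why Expert Determination exists for richer data.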
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements for Handling PHI
Covered entities and business associates must implement policies that reflect permitted uses and disclosures, the minimum necessary standard, individual rights to access PHI in the designated record set, and appropriate authorization processes. Notice of Privacy Practices and workforce training are foundational.
Security Rule requirements include a documented risk analysis, role-based access, encryption of ePHI in transit and at rest (an addressable specification: implement it, or document why an equivalent alternative is reasonable and appropriate), strong authentication, endpoint protection, vulnerability management, and audit logging. Incident response and breach notification procedures must address detection, containment, assessment, and timely notifications.
Vendor oversight is critical: business associate agreements should define permitted uses, safeguards, breach duties, and subcontractor obligations. Maintain inventories of systems containing PHI and apply change management and backup/restore controls to sustain health information security.
Be audit-ready. A HIPAA Compliance Audit will expect evidence such as current risk assessments, training records, BAAs, policy attestations, access logs, and remediation plans. Document decisions, justify minimum necessary uses, and keep records aligned with your operational realities.
Risks of PHI Disclosure
Unauthorized disclosure can cause identity theft and medical identity fraud, financial loss, and reputational harm for patients and organizations. It may trigger regulatory investigations, fines, and corrective action plans, along with litigation and loss of patient trust.
Operational impacts include downtime, data exfiltration, ransomware recovery costs, and long-tail obligations like credit monitoring and notification campaigns. Proactive controls cost far less than breach response.
Best Practices for PHI Protection
People and governance
- Assign accountable privacy and security leadership; establish a cross-functional governance committee.
- Deliver role-based training, phishing simulations, and clear reporting paths for incidents and near misses.
- Apply the minimum necessary standard in workflows and templates to reduce exposure.
Process and data lifecycle
- Inventory systems holding PHI; map data flows from intake to archival and destruction.
- Use data classification, retention schedules, and secure disposal to shrink the protected health data footprint.
- Embed privacy-by-design in new projects, including vendor selection and contract reviews.
Technology and controls
- Encrypt ePHI in transit and at rest; enforce multi-factor authentication and least-privilege access.
- Enable audit trails, anomalous access alerts, and data loss prevention for emails, cloud storage, and endpoints.
- Segment environments, patch routinely, and test backups and recovery.
Third parties and data sharing
- Sign and track BAAs; assess vendors’ safeguards, incident history, and subcontractor practices.
- When feasible, share de-identified data or a limited data set under a data use agreement rather than full PHI.
Conclusion
The HIPAA PHI list of 18 identifiers is the practical compass for privacy decisions. Use it to recognize PHI, apply the De-Identification Standard when appropriate, and align policies, security controls, and vendor management to reduce risk and excel in audits.
FAQs
What information qualifies as PHI under HIPAA?
PHI is health information that identifies an individual (or could reasonably identify them) and relates to health status, care, or payment. If any of the 18 identifiers appear alongside health details, the information is PHI.
How are the 18 HIPAA identifiers used to protect privacy?
The identifiers define when data is identifiable and, therefore, regulated. Removing them under Safe Harbor—or reducing re-identification risk via Expert Determination—produces data that is no longer PHI, enabling safer sharing and analysis.
What does de-identified health information mean?
De-identified data has been processed so individuals are not identifiable. Under HIPAA, this is achieved by removing the 18 identifiers (and related conditions) or by expert analysis showing very small risk of re-identification.
What are the penalties for PHI violations?
Consequences range from corrective action plans and civil monetary penalties to, in egregious cases, criminal charges. Organizations also face breach notification costs, lawsuits, and significant reputational and operational damage.