HIPAA Protected Health Information (PHI): Definition and List of 18 Identifiers
Overview of Protected Health Information
Under the Health Insurance Portability and Accountability Act, protected health information is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care, and it can exist in electronic, paper, or oral form.
A designated record set is the group of records a covered entity uses to make decisions about individuals, such as medical and billing records; it is the portion of PHI that patients have a right to access and amend, but PHI is not limited to it. Information is PHI when it is linked, or reasonably linkable, to a specific person; once the identifiers are removed under HIPAA’s de-identification standard, the data is no longer PHI.
The HIPAA Privacy Rule governs how PHI may be used and disclosed and establishes patient confidentiality obligations, including rights to access, request amendments, and receive an accounting of certain disclosures. Employment records held by a covered entity in its role as employer, education records covered by FERPA, and health information about a person who has been deceased for more than 50 years are not PHI.
Detailed Explanation of the 18 Identifiers
HIPAA’s Safe Harbor method requires removing the following 18 identifiers so the information is no longer reasonably identifiable. Each item below briefly describes why it can re-identify a person.
- Names — Full or partial names can directly identify an individual.
- Geographic subdivisions smaller than a state — Street address, city, county, precinct, and ZIP code. The one exception is the first three digits of a ZIP code, which may be kept if the area sharing that prefix contains more than 20,000 people; otherwise the prefix is changed to 000.
- All elements of dates (except year) directly related to an individual — Birth, admission, discharge, and death dates. Ages over 89, and any date element (including year) that reveals such an age, must be removed or aggregated into a single “90 or older” category.
- Telephone numbers — Personal and work numbers link records to a person.
- Fax numbers — Legacy but still identifying contact details.
- Email addresses — Unique contact points often tied to names.
- Social Security numbers — Highly sensitive, unique identifiers.
- Medical record numbers — Internal IDs that connect all clinical data.
- Health plan beneficiary numbers — IDs assigned by insurers or plans.
- Account numbers — Financial or system accounts associated with care.
- Certificate/license numbers — Professional or personal licenses that identify individuals.
- Vehicle identifiers and serial numbers — Including license plates that can trace ownership.
- Device identifiers and serial numbers — Tie a person to a specific medical device.
- Web URLs — May reference personal portals or profiles.
- IP addresses — Can identify a user or household online.
- Biometric identifiers — Including finger and voice prints used for authentication.
- Full-face photographs and comparable images — Visual identifiers.
- Any other unique identifying number, characteristic, or code — Catch-all for identifiers that can single out an individual. A re-identification code may be retained only if it is not derived from information about the individual and the mechanism for re-identification is not disclosed.
Notes on PHI De-identification Standards
There are two recognized de-identification methods: (1) Safe Harbor, which removes all 18 identifiers, provided the covered entity has no actual knowledge that the remaining information could be used to identify the individual; and (2) Expert Determination, in which a person with appropriate statistical and scientific expertise determines that the risk of re-identification is very small and documents the methods and results of that analysis.
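The Safe Harbor conditions above are mechanical enough to implement directly. The following is an added example, not code from the original page: a small Python de-identifier that drops the structured identifier fields, keeps only the year of dates, collapses ages over 89 into “90 or older”, applies the 20,000-person test to ZIP prefixes, and redacts identifiers that leak into free-text notes. The field names, the fictional patient record, and the ZIP-prefix population table are assumptions made for the demonstration; a real pipeline would load population counts from census data and tune the free-text patterns to its own note formats.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not code from the original page. Field names, the sample
record and ZIP3_POPULATION are assumptions for the demonstration; the rules
applied are the Safe Harbor conditions in 45 CFR 164.514(b)(2).
"""
from datetime import date
import re

# Structured fields that map to Safe Harbor identifiers and are dropped outright
# (names, sub-state geography, contact details, SSN, MRN, plan/account/license/
# vehicle/device/URL/IP/biometric/photo identifiers).
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Constructed population counts per 3-digit ZIP prefix (assumption). A real
# pipeline loads these from census data; the 20,000 threshold is the rule's.
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000}

# Identifiers that commonly leak into narrative notes, with their replacements.
# Dates are reduced to the year rather than removed, as the rule permits.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"), r"\3"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def age_on(birth: date, as_of: date) -> int:
    """Whole years elapsed between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_zip(zip_code: str, zip3_population: dict) -> str:
    """Identifier 2: keep the 3-digit prefix only if its area exceeds 20,000 people."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) == 3 and zip3_population.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def redact_free_text(text: str) -> str:
    """Identifier 18 catch-all: scrub identifiers embedded in narrative text."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def safe_harbor(record: dict, as_of: date, zip3_population: dict = ZIP3_POPULATION) -> dict:
    """Return a new record with the 18 Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "birth_date":
            # Identifier 3: the year alone is allowed unless it reveals an age over 89.
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90 or older"
            else:
                out["birth_year"] = value.year
                out["age"] = age
        elif isinstance(value, date):
            out[f"{field}_year"] = value.year  # admission, discharge, death dates
        elif isinstance(value, str):
            out[field] = redact_free_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record for a fictional patient (assumption).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Street",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "birth_date": date(1931, 3, 14),
    "admission_date": date(2024, 10, 2),
    "phone": "(617) 555-0142",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099871",
    "diagnosis": "I10",
    "note": "Pt seen 10/02/2024; spouse at (617) 555-0199, jane@example.org.",
}


def run_example(as_of: date = date(2025, 1, 15)) -> dict:
    """De-identify the sample record as of a fixed date so the output is stable."""
    return safe_harbor(SAMPLE_RECORD, as_of)


if __name__ == "__main__":
    print(run_example())
```

Two points the output makes visible: the patient’s birth year disappears entirely because her age exceeds 89, and the narrative note still needed scrubbing even though every structured identifier field was dropped. Safe Harbor is satisfied only if no actual knowledge of re-identifiability remains, so the free-text patterns are the part that needs review against real note formats, not the structured-field list.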
Importance of PHI in Healthcare
PHI enables coordinated care, accurate diagnosis, billing integrity, and population health management. When you protect PHI, you preserve patient trust, support continuity across care teams, and reduce the risk of data misuse that can harm patients clinically, financially, or socially.
Strong stewardship of PHI also improves data quality and interoperability. Clear governance clarifies who may access identifiable health information, for what purpose, and under which conditions, reinforcing a culture of privacy across clinical, administrative, and research workflows.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements Under HIPAA
Who must comply
Covered entities include healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. Business associates—vendors and partners that create, receive, maintain, or transmit PHI for covered entities—must meet parallel requirements through business associate agreements.
Privacy Rule obligations
- Use and disclosure rules for treatment, payment, and healthcare operations, plus required authorizations for other uses.
- Minimum necessary standard to limit PHI exposure to the least amount needed for the task.
- Patient rights: access, amendments, restrictions, confidential communications, and accounting of disclosures.
- Notice of Privacy Practices and workforce training on patient confidentiality obligations.
Security Rule data security measures
- Administrative safeguards: risk analysis, risk management, policies and procedures, sanctions, and vendor oversight.
- Physical safeguards: facility access controls, secure workstations, device and media controls, and safe disposal.
- Technical safeguards: access control (unique user identification, emergency access procedures, automatic logoff, encryption and decryption), audit controls, integrity controls, person or entity authentication, and transmission security. Several implementation specifications, including encryption, are “addressable”: they must be implemented, or the decision not to must be documented with an equivalent alternative. Role-based access and multi-factor authentication are the usual way organizations satisfy the access control and authentication standards.
- Breach Notification Rule: investigate suspected incidents, assess the probability that PHI was compromised, notify affected individuals without unreasonable delay and no later than 60 days after discovery, report to HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), notify prominent media for breaches affecting more than 500 residents of a state or jurisdiction, and track corrective actions.
Examples of PHI in Medical Records
- Progress notes that include a patient’s name, medical record number, and diagnoses.
- Lab reports with specimen IDs linked to a date of birth and ordering provider.
- Imaging studies where full-face photographs or device identifiers appear in metadata.
- Claims and billing files containing health plan beneficiary numbers and account numbers.
- Appointment schedules listing addresses, phone numbers, and visit reasons.
- Patient portal messages referencing medications, conditions, and email addresses.
- Telehealth logs capturing IP addresses, timestamps, and clinical summaries.
Data falls outside PHI once all 18 identifiers have been removed under Safe Harbor, or once an expert has determined that the re-identification risk is very small. Expert Determination requires documenting the methods and results of the analysis; for Safe Harbor, keep a record of which fields were removed or generalized so the de-identification can be shown on request.
Handling and Protecting PHI
Operational practices
- Apply least privilege and role-based access, verify identity before disclosure, and document release-of-information decisions.
- Train the workforce regularly, reinforce clean desk and screen-lock habits, and manage bring-your-own-device and remote work securely.
- Use standard forms for authorizations, honor patient preferences for confidential communications, and retain records per policy.
- Sanitize, shred, or securely purge media and paper; validate disposal vendors and chain of custody.
Technical and administrative data security measures
- Encrypt endpoints and servers, enforce multi-factor authentication, patch promptly, and monitor with centralized logging and alerts.
- Segment networks, safeguard APIs, and apply data loss prevention for email and file sharing.
- Back up PHI with tested restores, maintain disaster recovery plans, and document risk assessments and remediation.
- Execute business associate agreements, assess vendors annually, and track corrective actions to closure.
Consequences of PHI Breaches
Breaches can trigger regulatory investigations, civil monetary penalties, corrective action plans, and multi-year oversight. State attorneys general may pursue actions, and contractual penalties can follow from payer, employer, or research agreements.
Organizations also face operational disruption, breach-notification and credit monitoring costs, forensic and legal expenses, litigation exposure, reputational damage, and loss of patient and partner trust. Robust prevention, rapid detection, and disciplined response substantially reduce impact.
Conclusion
HIPAA Protected Health Information centers on identifiable health information tied to an individual. By understanding the 18 identifiers, applying the Privacy and Security Rules, and operationalizing strong safeguards, you fulfill legal duties, protect patients, and strengthen the reliability of healthcare data.
FAQs
What qualifies information as protected health information under HIPAA?
Information qualifies as PHI when it is identifiable health information—data related to health status, care, or payment—that includes one or more identifiers and is created, received, maintained, or transmitted by a covered entity or business associate in any form.
How many identifiers are used to define PHI?
HIPAA recognizes 18 identifiers under the Safe Harbor method. Removing all 18 (and having no actual knowledge that the remaining information can identify a person) de-identifies the data; alternatively, a qualified expert may certify a very small re-identification risk.
What are the risks of improperly handling PHI?
Risks include regulatory penalties, lawsuits, contractual damages, costly breach notifications, operational downtime, and long-term reputational harm. Most incidents also erode patient trust and can expose individuals to fraud or discrimination.
How can covered entities ensure compliance with HIPAA PHI regulations?
Perform risk analyses, implement administrative, physical, and technical safeguards, train your workforce, enforce minimum necessary access, encrypt data, maintain business associate agreements, monitor with audits, and follow documented incident response and breach notification procedures.