HIPAA Protected Health Information (PHI) List: The 18 Identifiers Explained

Kevin Henry

HIPAA

February 15, 2024

6-minute read

Understanding the HIPAA Privacy Rule starts with knowing exactly which health information identifiers transform ordinary data into protected health information (PHI). The rule recognizes 18 protected data elements. If any of them can identify an individual in connection with health care, you must treat the data as PHI. Under the De-identification Standards, you either remove these identifiers (Safe Harbor) or apply Expert Determination to manage re-identification risk.

This guide explains each identifier in plain language and shows how you can approach PHI compliance with practical data masking techniques and identifier aggregation protocols without adding friction to care, operations, or research.

Names and Geographic Subdivisions

1) Names

Any personal name—first, last, middle, initials, aliases, or maiden names—makes health information identifiable. That includes patient, family, and household member names, as well as names of employers or contacts tied to the individual’s care.

Compliance and masking tips

  • Redact full names or replace them with random tokens that cannot be reversed.
  • When you must link records internally, store the key separately and never disclose it.

2) Geographic subdivisions smaller than a state

Street address, building name, apartment numbers, city, county, precinct, and ZIP code are PHI when linked to health information. Under Safe Harbor, you may retain only the first three digits of a ZIP code if the combined area of all ZIP codes sharing those digits has a population of at least 20,000; otherwise, replace the ZIP with 000. Geocodes and precise map coordinates also qualify as protected data elements.

Identifier aggregation protocols

  • Generalize location to the state or larger region.
  • Use three-digit ZIP generalization with the 20,000-population threshold when Safe Harbor applies.

3) All elements of dates (except year) and ages over 89

Exact dates tied to an individual—birth, admission, discharge, death, appointment, specimen collection, and full timestamps—are PHI. Safe Harbor allows the year alone, but all ages over 89 (and any date elements revealing that age) must be aggregated to “age 90 or older.”

Compliance and masking tips

  • Suppress day and month; retain year only when appropriate.
  • Bucket ages (e.g., 0–4, 5–9, …, 85–89, 90+) to meet de-identification standards.
  • Date shifting can support utility but requires Expert Determination, not Safe Harbor.
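The ZIP, date and age rules above, applied to one constructed patient record. This is an added example, not code from the article or from Accountable; the population table is constructed for illustration and stands in for the census-derived figures a real deployment would load.

```python
from datetime import date

# Thresholds quoted in the article: ZIP prefixes whose combined area holds
# fewer than 20,000 people collapse to "000"; ages over 89 become "90+".
ZIP3_POPULATION_THRESHOLD = 20_000
MAX_REPORTABLE_AGE = 89

# Constructed, illustrative population figures per 3-digit ZIP prefix.
ZIP3_POPULATION = {"021": 750_000, "036": 12_000}


def generalize_zip(zip_code: str, zip3_population: dict[str, int]) -> str:
    """Return the 3-digit prefix when its area meets the threshold, else '000'."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    prefix = digits[:3]
    # Short or unknown prefixes fail closed to the suppressed value.
    if len(prefix) < 3 or zip3_population.get(prefix, 0) < ZIP3_POPULATION_THRESHOLD:
        return "000"
    return prefix


def age_bucket(age: int) -> str:
    """Five-year buckets 0-4, 5-9, ..., 85-89, and a single '90+' bucket."""
    if age > MAX_REPORTABLE_AGE:
        return "90+"
    low = (age // 5) * 5
    return f"{low}-{low + 4}"


def safe_harbor_record(record: dict, zip3_population: dict[str, int],
                       reference_year: int) -> dict:
    """Generalize one constructed patient record under Safe Harbor.

    Names are dropped entirely, the ZIP becomes a 3-digit prefix, dates keep
    only their year, and age is bucketed. Age is computed from years alone,
    which can only over-suppress (the safe direction) around the 89 boundary."""
    birth = date.fromisoformat(record["date_of_birth"])
    age = reference_year - birth.year
    return {
        "age_bucket": age_bucket(age),
        # A birth year that itself reveals an age over 89 is a date element
        # revealing that age, so it is suppressed along with the exact date.
        "birth_year": None if age > MAX_REPORTABLE_AGE else str(birth.year),
        "zip3": generalize_zip(record["zip"], zip3_population),
        "admission_year": str(date.fromisoformat(record["admission_date"]).year),
        "diagnosis": record["diagnosis"],  # clinical content, not an identifier
    }
```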

Contact and Communication Identifiers

4) Phone numbers

Any personal or work phone number—including mobile, landline, and VoIP—linked to health data is PHI.

5) Fax numbers

Fax numbers used for transmitting or receiving health information are PHI, even when assigned to a workplace.

6) Email addresses

Personal, school, and work emails are PHI when they can identify a person in a health context.

Data masking techniques

  • Redact or tokenize contact points; store routing details separately.
  • Avoid embedding identifiers in message headers, signatures, or file names.

Government and Health Plan Identifiers

Government-issued identifiers

  • 7) Social Security numbers: Treated as highly sensitive; never share externally.
  • 11) Certificate/license numbers: Driver’s license, professional licenses, firearms permits, and similar numbers.

Healthcare and financial identifiers

  • 8) Medical record numbers: Internal MRNs and chart IDs uniquely identify patients.
  • 9) Health plan beneficiary numbers: Plan IDs, Medicare/Medicaid identifiers, and member numbers.
  • 10) Account numbers: Billing, patient portal account IDs, and financial account numbers tied to care.

PHI compliance practices

  • Apply least-privilege access and strong audit trails for these high-risk health information identifiers.
  • Use irreversible hashing or tokenization; never expose raw identifiers in analytics extracts.
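A tokenized analytics extract for the record, plan and account numbers above, with the linkage key held outside the dataset as the article requires. This is an added example, not code from the article or from Accountable; the sample records are constructed, and the keyed-HMAC approach is one common implementation, contrasted with an unkeyed hash that anyone holding the raw MRN could recompute.

```python
import hashlib
import hmac

# Constructed sample records; the raw MRN and account number are identifiers
# (items 8 and 10 in the article) and must not reach the analytics copy.
RECORDS = [
    {"mrn": "MRN-000123", "account": "ACCT-77", "diagnosis": "E11.9"},
    {"mrn": "MRN-000124", "account": "ACCT-78", "diagnosis": "I10"},
]


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: anyone who knows the MRN can recompute this and re-link."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier: str, key: bytes, namespace: str) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the dataset.

    Without the key the token cannot be derived from the identifier, and the
    namespace keeps an MRN token from colliding with an account token."""
    msg = namespace.encode() + b"\x00" + identifier.strip().upper().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_extract(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Return (analytics extract, linkage table).

    The extract carries only tokens. The linkage table maps tokens back to raw
    identifiers and must be stored separately, never shipped with the extract."""
    extract, linkage = [], {}
    for rec in records:
        mrn_tok = keyed_token(rec["mrn"], key, "mrn")
        acct_tok = keyed_token(rec["account"], key, "account")
        extract.append({"patient_token": mrn_tok, "account_token": acct_tok,
                        "diagnosis": rec["diagnosis"]})
        linkage[mrn_tok] = rec["mrn"]
    return extract, linkage


def contains_raw_identifier(extract: list[dict], records: list[dict]) -> bool:
    """Release check: True if any raw MRN or account value survives in the extract."""
    raw = {r["mrn"] for r in records} | {r["account"] for r in records}
    return any(v in raw for row in extract for v in row.values())
```

Generate the key once with a CSPRNG, keep it in a secrets manager, and run the release check before any extract leaves the environment.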

Device and Vehicle Identifiers

12) Vehicle identifiers and serial numbers

VINs, license plates, fleet IDs, and serial numbers can single out an individual when tied to treatment or services (for example, ambulance records).

13) Device identifiers and serial numbers

Unique device identifiers (UDI), implanted device serials, or equipment IDs associated with a specific patient are PHI.

Data masking techniques

  • Replace full identifiers with nonreversible tokens; retain only device class or make/model if needed.

Biometric and Photographic Identifiers

16) Biometric identifiers (e.g., finger and voice prints)

Fingerprints, palm prints, retinal/iris scans, facial geometry templates, and voice prints are PHI because they uniquely identify an individual.

17) Full-face photographic images and comparable images

Full-face photos and any comparable images that enable recognition (e.g., clear profile shots) are PHI, even without names or dates.

De-identification standards

  • Crop or blur identifying features; if recognition remains likely, treat the image as PHI.

Other Unique Identifiers Under HIPAA

14) Web Universal Resource Locators (URLs)

Patient portal links, tracking links, or document URLs that contain IDs, names, or tokens tied to a person are PHI.

15) Internet Protocol (IP) address numbers

IP addresses linked to a specific individual’s health interactions or devices are PHI.

18) Any other unique identifying number, characteristic, or code

This catchall includes internal record locators, barcodes, or codes that could identify a person. HIPAA allows a covered entity to keep a re-identification code internally, but it cannot be derived from the individual’s information and must not be disclosed with the dataset.

Taken together, these protected data elements define the HIPAA Protected Health Information (PHI) list. For robust PHI compliance, combine sound governance with practical data masking techniques and identifier aggregation protocols—removing or generalizing identifiers under Safe Harbor or using Expert Determination when you need higher data utility.

FAQs

What are the 18 HIPAA PHI identifiers?

1) Names; 2) Geographic subdivisions smaller than a state (including street address and ZIP rules); 3) All elements of dates (except year) and ages over 89; 4) Phone numbers; 5) Fax numbers; 6) Email addresses; 7) Social Security numbers; 8) Medical record numbers; 9) Health plan beneficiary numbers; 10) Account numbers; 11) Certificate/license numbers; 12) Vehicle identifiers and serial numbers; 13) Device identifiers and serial numbers; 14) Web URLs; 15) IP address numbers; 16) Biometric identifiers (e.g., finger and voice prints); 17) Full-face photographic images and comparable images; 18) Any other unique identifying number, characteristic, or code.

How does HIPAA define protected health information?

PHI is individually identifiable health information—any data that identifies or could reasonably identify a person and relates to past, present, or future physical or mental health, the provision of care, or payment for care—when created, received, maintained, or transmitted by a covered entity or business associate.

Can PHI be disclosed without authorization?

Yes, in specific circumstances permitted by the HIPAA Privacy Rule, including treatment, payment, and health care operations; when required by law; for certain public health and health oversight activities; for limited research under a waiver or data use agreement; and for emergencies or specific law-enforcement and judicial purposes. Always apply the minimum necessary standard where it applies.

How does de-identification affect PHI status?

Once data are de-identified under HIPAA, they are no longer PHI. You can achieve this via Safe Harbor (remove all 18 identifiers and have no actual knowledge of identifiability) or via Expert Determination (a qualified expert documents that the risk of re-identification is very small and describes the methods used). Re-identification codes must be kept separate and undisclosed.
