HIPAA Unique Identifiers List: All 18 PHI Identifiers Explained


Kevin Henry

HIPAA

February 29, 2024


The HIPAA Unique Identifiers are the backbone of Protected Health Information (PHI) rules. Knowing exactly what they are helps you safeguard patient privacy, meet PHI compliance requirements, and apply the Safe Harbor De-Identification standard correctly.

Below, each identifier is explained in plain language with practical notes. Use this as a checklist when collecting, sharing, or de-identifying data across clinical systems, research repositories, data warehouses, and analytics pipelines.

Names and Personal Identifiers

These identifiers directly single out a person and are therefore high risk. Remove or mask them in any dataset meant to be de-identified.

1. Names

Any personal name—first, middle, last, maiden, alias, or nickname—identifies an individual. References to relatives’ names and household members are also identifying.

17. Full-face photographs and comparable images

Images that reveal identity (for example, full-face photos or similar facial images) are PHI. Cropping, blurring, or using silhouettes may reduce risk, but you must ensure no identifying features remain.

18. Other unique identifying numbers, characteristics, or codes

This catch‑all includes any unique code identifiers you create that could tie data back to an individual. Such codes remain PHI unless you meet HIPAA’s specific re-identification code conditions described below.

Geographic Subdivisions and Dates

Location and temporal details often re-identify people when combined with other data. HIPAA treats most granular geography and fine-grained dates as PHI.

2. Geographic subdivisions smaller than a state

Street address, city, county, precinct, and ZIP code are PHI. The only ZIP code exception is the “initial three digits” rule: you may keep the first three digits only if all ZIP codes sharing those digits have a combined population of at least 20,000; otherwise, use 000.

3. All elements of dates (except year) directly related to an individual

Month, day, and any precise dates for birth, admission, discharge, or death are PHI. Ages over 89 and any elements that reveal age in that range must be grouped into a single category of “age 90 or older.”

Contact Information Identifiers

Contact channels point back to specific people and are routinely logged by systems, making them easy linkage points.

4. Telephone numbers

Any phone number—including mobile, landline, direct extensions, or call-back numbers—counts as PHI when associated with health information.

5. Fax numbers

Fax numbers and fax transmission logs are PHI. Multifunction printers that store fax histories also require safeguards.

6. Email addresses

Personal or work email addresses identify individuals. Email headers, aliases, and distribution lists that reveal specific recipients are likewise PHI.

Government and Medical Record Identifiers

These numbers are strong identifiers and require strict controls in clinical, billing, and benefits systems.

7. Social Security numbers

SSNs are among the most sensitive identifiers and should never appear in de-identified datasets.

8. Medical record numbers

A Medical Record Number uniquely tags a patient within a provider’s system. It must be removed for Safe Harbor De-Identification.

9. Health plan beneficiary numbers

Any Health Plan Beneficiary Number links a person to a payer or plan and is PHI, even if truncated or formatted differently.

10. Account numbers

Financial or billing account numbers, patient portal account IDs, and related ledgers are PHI when tied to health information.

11. Certificate/license numbers

Driver’s licenses, professional licenses, and similar certificates identify a person and fall under the Safe Harbor list.


Vehicle, Device, and Biometric Identifiers

Technically oriented identifiers can still point to individuals through registrations, ownership, or authentication records.

12. Vehicle identifiers and serial numbers (including license plates)

VINs, registration numbers, and license plates are PHI when connected with health data (for example, accident-related care).

13. Device identifiers and serial numbers

Medical device serials, implanted device IDs, and consumer device identifiers can identify a person when associated with their records.

16. Biometric identifiers

Biometric data—such as finger or voice prints—used to authenticate or identify a person is PHI. Storage of biometric templates also requires PHI compliance controls.

Digital and Online Identifiers

Online traces can re-identify people through logs, analytics, and referral trails. Treat them as PHI whenever linked to health information.

14. Web URLs

URLs that reference a patient or session (for example, links containing a Medical Record Number or portal token) are PHI and should be redacted or rewritten.

15. IP address numbers

IP addresses—public or private—are PHI when tied to an individual’s health interactions, telehealth sessions, or patient portal use.

De-Identification and Safe Harbor Method

HIPAA recognizes two paths to de-identification: Expert Determination and the Safe Harbor method. Safe Harbor is a rules-based approach that you can apply consistently across systems.

How to apply Safe Harbor De-Identification

  • Remove all 18 identifiers from structured fields, free text, images, and metadata.
  • Apply the ZIP code “initial three digits” rule; use 000 where population thresholds are not met.
  • Generalize dates to the year and aggregate ages over 89 into “90 or older.”
  • Confirm you have no actual knowledge that remaining data could identify a person, alone or combined with other available data.
  • If you retain a re-identification code, ensure it is not derived from PHI, cannot be used to contact the individual, and is disclosed only as permitted.
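
The steps above, applied to one structured record, as an added example that is not part of the original article. Field names, the allowlist, and the ZIP population table are assumptions made for illustration; free text, images, and metadata need separate handling.

```python
import secrets
from datetime import date

# Constructed sample: population per 3-digit ZIP prefix (assumption; load
# real census figures in practice).
ZIP3_POPULATION = {"021": 1_200_000, "036": 14_500}

# Hypothetical schema. Only allowlisted fields pass through, so an unknown
# column (identifier 18, "any other unique code") is dropped by default.
SAFE_FIELDS = {"diagnosis_code", "sex"}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}


def zip3(zip_code: str) -> str:
    """Keep the first three digits only if the prefix covers >= 20,000 people."""
    prefix = zip_code.strip()[:3]
    if len(prefix) == 3 and prefix.isdigit() \
            and ZIP3_POPULATION.get(prefix, 0) >= 20_000:
        return prefix
    return "000"


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor style copy of `record` (ages are ints, dates ISO strings)."""
    # Re-identification code: random, so it is not derived from PHI.
    out = {"reid_code": secrets.token_hex(8)}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "age":
            out["age"] = "90 or older" if value > 89 else value
        elif key in DATE_FIELDS:
            year = date.fromisoformat(value).year
            if key == "birth_date" and as_of.year - year > 89:
                # A birth year this old reveals an age over 89: withhold it.
                out["birth_year"] = None
                out["age"] = "90 or older"
            else:
                out[key.replace("_date", "_year")] = year
        elif key in SAFE_FIELDS:
            out[key] = value
        # Anything else (name, MRN, email, IP, unknown codes) is dropped.
    return out
```

The mapping from `reid_code` back to the patient has to be stored separately under access control, and the output still needs the “no actual knowledge” review before release.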

Operational tips for PHI compliance

  • Scan narrative notes and attachments; identifiers often hide in free text, filenames, and image overlays.
  • Standardize redaction across exports, logs, and backups to prevent leakage of unique code identifiers.
  • Validate de-identification with sampling and re-identification risk checks before sharing data.

Bottom line: understand the 18 identifiers, remove or generalize them per Safe Harbor De-Identification, and verify there is no reasonable path to re-identification before release.

FAQs

What are the 18 HIPAA unique identifiers?

  1. Names
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP; with the three‑digit ZIP exception)
  3. All elements of dates (except year) directly related to an individual; ages over 89 grouped as “90 or older”
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP address numbers
  16. Biometric identifiers (for example, finger or voice prints)
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

How does HIPAA define protected health information?

Protected Health Information (PHI) is individually identifiable health information—held or transmitted by a covered entity or business associate—that relates to a person’s health status, care, or payment and either directly identifies the person or could reasonably be used to identify them.

What is the Safe Harbor method for de-identification?

Safe Harbor De-Identification requires removing all 18 identifiers, generalizing dates to the year (with the 90+ age rule), applying the ZIP three-digit/000 rule, and confirming you have no actual knowledge that the remaining data could identify an individual. Optional re-identification codes are allowed only if not derived from PHI and not usable to contact the person.

Can geographic subdivisions be used as PHI identifiers?

Yes. Any geographic subdivision smaller than a state—such as street address, city, county, precinct, and most ZIP code details—is an identifier. You may retain only the ZIP’s first three digits when the aggregate population across those three-digit areas is at least 20,000; otherwise, substitute 000.
