How Many Identifiers Are Considered PHI by HIPAA? 18 Identifiers Explained


Kevin Henry

HIPAA

February 12, 2024

6 minutes read

Overview of HIPAA and PHI

Under the Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI) is any individually identifiable health information related to a person’s past, present, or future health status, care, or payment. If data can identify an individual, it triggers HIPAA’s privacy obligations and compliance requirements.

HIPAA’s de-identification standards center on an explicit list of identifiers. When you remove the 18 identifiers described below (the “Safe Harbor” method) or obtain an expert determination that the risk of identification is very small, the data is no longer considered PHI. Until then, it must be safeguarded with appropriate health data security controls.

List of 18 PHI Identifiers

The following 18 elements are treated as identifiers under HIPAA’s Safe Harbor. If any are present and can identify an individual, the data is PHI.

  • Names.

  • Geographic subdivisions smaller than a state (for example, street address, city, county, precinct, ZIP code) and equivalent geocodes, with a limited ZIP code exception described below.

  • All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death) and all ages over 89, which must be aggregated into a single category of age 90 or older.

  • Telephone numbers.

  • Fax numbers.

  • Email addresses.

  • Social Security numbers.

  • Medical record numbers.

  • Health plan beneficiary numbers.

  • Account numbers.

  • Certificate or license numbers.

  • Vehicle identifiers and serial numbers, including license plate numbers.

  • Device identifiers and serial numbers.

  • Web URLs.

  • IP address numbers.

  • Biometric identifiers, including finger and voice prints.

  • Full-face photographic images and any comparable images.

  • Any other unique identifying number, characteristic, or code (except as permitted for re-identification under HIPAA).

Geographic and Date-Based Identifiers

Geographic data is PHI when it can identify a person. HIPAA treats street address, city, county, and full ZIP code as identifiers. The sole ZIP code exception allows you to keep the first three digits only if the combined population of all ZIP codes sharing those three digits exceeds 20,000; otherwise, you must list the first three digits as 000.

Dates are sensitive because they can enable linkage attacks. In de-identified data, you must remove all elements of dates directly related to an individual (day, month, and exact dates) while retaining the year. For individuals over 89, you must generalize the age to “90 or older,” and you may not include the year of birth if it would make the person identifiable.

Unique Numeric and Biometric Identifiers

Numeric identifiers such as Social Security, medical record, health plan beneficiary, account, and certificate/license numbers directly tie records to a person. Vehicle and device identifiers (for example, a device serial number recorded in a procedure note) can also single out an individual when associated with health information.

Network identifiers matter, too. A portal URL or an IP address captured in logs can point back to a specific person or household. Biometric data, specifically finger and voice prints under HIPAA, uniquely represents an individual’s biological patterns. Comparable identifiers (for example, distinctive physical characteristics) may be covered by the catch-all identifier when they can identify someone.


Privacy and Security Implications

Because these identifiers enable recognition of a person, you must apply the minimum necessary standard, limit access, and enforce strong health data security. Practical controls include encryption at rest and in transit, multi-factor authentication, device hardening, and continuous monitoring to detect unauthorized use or disclosure.

Context also matters. A seemingly harmless field (like a rare occupation in a small town) can become identifying when combined with other data. Regular risk analyses, audit logging, and prompt incident response are essential parts of HIPAA compliance.

De-identification and Data Use

HIPAA provides two de-identification standards. First, the Safe Harbor method requires the removal of all 18 identifiers, plus no actual knowledge that the remaining data could identify someone. Second, Expert Determination allows a qualified expert to certify that the risk of re-identification is very small, given the techniques and safeguards applied.

Limited data sets are a middle ground for research, public health, or operations. They exclude the direct identifiers listed above but may include city, state, ZIP code, and full dates. Limited data sets require a Data Use Agreement that restricts use, prohibits re-identification, and mandates safeguards.
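The Safe Harbor generalization rules from the geographic and date section above, and the limited data set variant described here, applied to a constructed record. This is an added example, not code from the original article; the `ZIP3_POPULATION` table and the field names are assumptions, and the population figures are made up for illustration (real values come from Census data).

```python
from datetime import date

# Constructed population table per 3-digit ZIP prefix (assumption for this
# example; real figures come from Census data).
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}
# Direct identifiers removed outright under both methods.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}

def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its combined population exceeds 20,000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else str(age)

def de_identify(record: dict, limited_data_set: bool = False) -> dict:
    """Return a copy of `record` with identifiers removed or generalized.
    Safe Harbor (default): drop direct identifiers and city, keep only the
    year of dates, truncate ZIP, aggregate ages over 89 and drop the birth
    year (which would reveal the exact age). Limited data set: drop direct
    identifiers only; city, ZIP and full dates may stay under a DUA.
    """
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if limited_data_set:
            out[key] = value
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "city":
            continue  # geographic subdivision smaller than a state
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            if key == "birth_date" and over_89:
                continue  # birth year would re-identify the 90+ category
            out[key] = str(value.year)
        else:
            out[key] = value
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "age": 93, "city": "Boston",
          "state": "MA", "zip": "02115", "birth_date": date(1930, 6, 4),
          "admission_date": date(2024, 2, 12), "diagnosis": "I10"}
```

Unknown ZIP prefixes fall back to 000, so a missing population entry fails closed rather than leaking a prefix; the state field survives because only subdivisions smaller than a state are identifiers.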

Compliance Best Practices

  • Inventory PHI flows and systems; map where identifiers enter, move, and leave your environment.

  • Apply data minimization: collect only what you need, keep it only as long as necessary, and redact identifiers when feasible.

  • Implement role-based access, MFA, encryption, and endpoint protections; monitor with alerts and periodic access reviews.

  • Operationalize de-identification with standardized workflows, Safe Harbor checks, and expert review when needed.

  • Manage vendors with due diligence, Business Associate Agreements, and security attestations; verify least-privilege integrations.

  • Train your workforce on health information privacy, handling of the 18 identifiers, and incident reporting; enforce with audits.

  • Maintain a tested incident response and breach notification plan, and document risk assessments and remediation steps.

In short, Protected Health Information (PHI) is any health information linked to one or more of the 18 identifiers. If you cannot remove or adequately generalize them, treat the data as PHI and protect it under HIPAA’s privacy and security rules.

FAQs

What are the 18 identifiers considered PHI under HIPAA?

They are: names; geographic subdivisions smaller than a state (including street address, city, county, precinct, and full ZIP code, with the three-digit ZIP exception); all elements of dates (except year) related to an individual and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers (including finger and voice prints); full-face photos and comparable images; and any other unique identifying number, characteristic, or code (except as allowed for re-identification).

How does HIPAA define biometric identifiers?

HIPAA explicitly lists biometric identifiers as including finger and voice prints. Other highly distinctive biological characteristics that can identify a person may fall under the catch-all identifier when they function as unique identifiers in context.

Can geographic information be considered PHI?

Yes. All geographic subdivisions smaller than a state are identifiers, including street address, city, county, precinct, and full ZIP code. You may retain only the first three ZIP digits if the combined population for those three digits exceeds 20,000; otherwise, report 000 for the first three digits.

How are dates treated under HIPAA PHI rules?

All date elements (except year) directly related to an individual, such as birth, admission, discharge, and death dates, must be removed for Safe Harbor de-identification, and ages over 89 must be grouped as 90 or older. The year alone may remain, provided it does not otherwise make the person identifiable. Limited data sets, with a Data Use Agreement, may include full dates.
