How Many Identifiers Must Be Verified for HIPAA? No Fixed Number—Best Practice Is Two



Kevin Henry

HIPAA

March 27, 2024


HIPAA 18 Identifiers

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is any data that identifies an individual and relates to health status, care, or payment. The Safe Harbor Method for PHI de-identification requires the removal of the following 18 identifiers so the information is no longer considered PHI.

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except limited three-digit ZIPs when population thresholds are met.
  • All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 unless aggregated as “age 90+.”
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate and license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP address numbers.
  • Biometric identifiers (for example, finger and voice prints).
  • Full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code (except permitted re-identification codes).

These identifiers define what must be removed for PHI De-Identification. They do not dictate how many identifiers you must request to verify a person’s identity.

HIPAA requires Covered Entities and their Business Associates to take reasonable steps to verify identity and authority before disclosing PHI. HIPAA does not set a fixed count of identifiers. In practice, using two independent identifiers is a widely accepted patient-safety and privacy standard.

Best practice: use two identifiers

  • Ask the individual to state—never confirm by suggestion—two data points such as full name and date of birth.
  • Cross-check against source records (EHR, registration, or prior verified documents) as part of your Identity Verification Procedures.
  • Avoid using easily observed data (for example, calling someone by name in the waiting room) as your sole verification factor.

In-person workflows

  • Capture two identifiers from the patient (for example, name and DOB) and compare to the record on file.
  • When appropriate, review a government ID to resolve ambiguities (for example, common names or recent name changes).
  • For minors or proxies, verify the representative’s identity and legal authority (for example, parental status or power of attorney).

Remote and telehealth workflows

  • On the phone: confirm two non-public data points (for example, DOB and patient account number or address). Avoid requesting full SSNs.
  • Patient portals: require unique user IDs plus strong authentication (for example, two-factor or one-time codes).
  • Video visits: compare stated identifiers with the chart and, if necessary, view a photo ID on camera.

Workforce access

  • Issue unique user IDs; enforce strong passwords and multi-factor authentication for systems containing PHI.
  • Apply role-based access and audit logs to ensure only authorized users view PHI after proper verification.

The goal is consistent, risk-based verification that fits the context while minimizing barriers to care.

De-Identification of PHI

De-identification removes the risk that data can identify an individual. Once PHI is de-identified appropriately, HIPAA no longer applies to that data. There are two permitted pathways.

Safe Harbor Method

  • Remove all 18 identifiers listed above.
  • Ensure you have no actual knowledge that the remaining data could identify the individual.
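As an added example (not code from the original article), here is a small Python routine that applies the Safe Harbor rules from the list above to one constructed record: direct identifiers are dropped, a ZIP code is cut to its three-digit prefix and zeroed where the population threshold is not met, event dates are reduced to the year, and ages over 89 collapse to "90+". The 20,000-person ZIP threshold is the one in 45 CFR 164.514(b); the prefix lookup table, the field names, and the sample record are constructed placeholders, not real data.

```python
from datetime import date

# Constructed lookup: True where all ZIP codes sharing a 3-digit prefix together
# contain more than 20,000 people (the Safe Harbor threshold). Real values must
# come from Census data; these two entries are placeholders for the example.
ZIP3_OVER_20K = {"021": True, "036": False}

# Fields removed outright; no generalization is permitted for these.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"admitted", "discharged", "death"}  # reduced to year only

def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its population exceeds 20,000, else '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_OVER_20K.get(prefix, False) else "000"

def age_on(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor(record: dict, as_of: str) -> dict:
    """Copy of record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "dob":
            continue                     # dropped; dob is handled below
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = value[:4]         # keep the year only
        else:
            out[key] = value             # clinical data, e.g. diagnosis code
    if "dob" in record:
        dob = date.fromisoformat(record["dob"])
        age = age_on(dob, date.fromisoformat(as_of))
        if age > 89:
            out["age"] = "90+"           # no birth year: it would reveal age > 89
        else:
            out["age"] = str(age)
            out["birth_year"] = str(dob.year)
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-000001", "dob": "1930-05-02",
          "street": "1 Main St", "city": "Boston", "zip": "02134",
          "admitted": "2024-03-01", "diagnosis": "J18.9"}
```

Running `safe_harbor(SAMPLE, "2024-03-27")` leaves only the ZIP prefix, admission year, diagnosis, and the aggregated age; the "no actual knowledge" condition from the second bullet is a human judgement the code cannot make for you.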

Expert Determination Method

  • A qualified expert applies accepted statistical or scientific principles to determine that the re-identification risk is very small.
  • The expert documents the methods and results, and you implement safeguards to maintain that low risk.

Identity verification confirms who a person is before disclosing PHI; PHI De-Identification changes the dataset so it is no longer PHI. The two concepts serve different purposes but often appear together in privacy programs.

HIPAA Compliance Requirements

Compliance spans policy, technology, and people. At a minimum, implement the following across your organization.

  • Administrative safeguards: governance, designated privacy and security officers, training, sanctions, and documented Identity Verification Procedures.
  • Risk analysis and risk management: assess threats to confidentiality, integrity, and availability; mitigate with prioritized controls.
  • Technical safeguards: access control, unique user IDs, authentication, encryption, automatic logoff, and audit controls.
  • Physical safeguards: facility access management and device/media controls to protect PHI.
  • Minimum necessary: limit uses and disclosures to the least amount of PHI required for the purpose.
  • Business Associate Agreements: ensure vendors protect PHI to HIPAA standards.
  • Policies, procedures, and documentation: maintain records (including verification practices) for at least six years.
  • Breach notification: follow incident response, risk assessment, and notification timelines when PHI is compromised.

National Provider Identifier Use

The National Provider Identifier (NPI) is a 10-digit identifier for health care providers used in standard HIPAA transactions. It streamlines claims and other administrative exchanges.

  • An NPI identifies a provider; it is not a credential, password, or proof of identity.
  • Do not use an NPI as a secret for authentication. Treat it as a public identifier and pair it with proper access controls when PHI is involved.
  • Linking an NPI to patient data can create PHI; handle such combinations under HIPAA requirements.

Health Plan Identifier Role

Historically, a Health Plan Identifier (HPID) was envisioned for administrative transactions. Federal policy later rescinded adoption, so HPIDs are not required in standard HIPAA transactions today.

  • Most payers continue to use trading-partner payer IDs and plan IDs defined by clearinghouses.
  • Do not rely on HPIDs for patient verification; they identify plans, not individuals.

Enforcement and Penalties

The U.S. Department of Health and Human Services Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. The Department of Justice handles criminal violations, and state attorneys general may bring civil actions.

  • Enforcement tools include investigations, corrective action plans, resolution agreements, and civil monetary penalties.
  • Penalty tiers scale with culpability (for example, lack of knowledge vs. willful neglect) and are adjusted for inflation.
  • Common findings include impermissible disclosures, failure to conduct risk analyses, inadequate access controls, and insufficient workforce training.

Conclusion

HIPAA does not mandate a specific number of identifiers for verification. Adopting two independent identifiers is a practical, risk-based best practice that protects privacy and supports accurate patient matching. Use the HIPAA 18 Identifiers for de-identification, apply robust safeguards across your program, and verify identity proportionally to the risk of disclosure.

FAQs

What are the 18 HIPAA identifiers?

They are names; sub-state geography (including detailed address and most ZIP codes); all elements of dates except year plus ages over 89; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers (for example, finger and voice prints); full-face photos and comparable images; and any other unique identifying number, characteristic, or code.

How many identifiers must be verified for HIPAA?

HIPAA sets no fixed number. However, using two independent identifiers—commonly the patient’s full name and date of birth—is a widely accepted best practice for identity verification across in-person, phone, and telehealth workflows.

What is the Safe Harbor method for de-identifying PHI?

It is a PHI De-Identification approach that removes all 18 HIPAA identifiers and confirms there is no actual knowledge that the remaining information could identify the individual. Once done, the dataset is no longer PHI for HIPAA purposes.

Who enforces HIPAA compliance?

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. The Department of Justice prosecutes criminal violations, and state attorneys general can bring civil actions for violations affecting residents of their states.
