List of All 18 HIPAA Identifiers: What Counts as PHI
Knowing exactly what counts as Protected Health Information helps you avoid accidental disclosure and maintain Health Information Privacy. Under the HIPAA Privacy Rule administered by the U.S. Department of Health and Human Services, the “Safe Harbor” standard treats the following 18 data elements as identifiers. If any are present with health information, the data is PHI unless properly de-identified.
HIPAA recognizes two De-identification Methods: Safe Harbor (remove all 18 identifiers and apply the ZIP code/age rules) and Expert Determination (a qualified expert certifies a very small re-identification risk, often using Data Masking Techniques such as generalization, suppression, tokenization, and differential privacy). Use the list below to structure PHI Identifier Compliance in your workflows.
Names and Geographic Subdivisions
Names and fine-grained locations can single out an individual quickly, especially when paired with health data.
- Identifier 1 — Names: Full names and any part of a name that can identify a person (e.g., first/last, maiden, aliases, household member names).
- Identifier 2 — Geographic subdivisions smaller than a state: Street address, apartment, city, county, precinct, and ZIP code. A limited ZIP exception allows the first three digits only when the aggregate population of all ZIPs sharing those three digits exceeds 20,000; otherwise those digits must be replaced with 000. Equivalent geocodes are also included.
De-identification tips
- Remove names entirely or replace them with randomly generated study IDs (never derived from the person’s data).
- Generalize locations to the state level or permitted three-digit ZIPs; otherwise suppress them. These Data Masking Techniques reduce re-identification risk.
Date Elements and Age Restrictions
Precise dates can re-identify individuals, especially for rare procedures or events.
- Identifier 3 — All elements of dates (except year): Remove month, day, and any finer granularity (e.g., hour, timestamp) for dates directly related to an individual, including birth, admission, discharge, death, visit, specimen collection, and service dates. Ages over 89, and any date element (including year) that indicates such an age, must be aggregated into a single category of “90 or older.”
De-identification tips
- Under Safe Harbor, keep only the year; remove day/month/time. For ages, bin into ranges and aggregate ≥90.
- Under Expert Determination, controlled date shifting or coarsening (e.g., quarter or year) may be justified when a qualified expert certifies low risk.
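The Safe Harbor ZIP code, date, and age rules described above, sketched in Python as an added example (not code from the original article). The field names and the low-population prefix set are assumptions; the set holds constructed sample entries, and a real pipeline would build it from current Census data.

```python
from datetime import date

# Constructed sample of three-digit ZIP prefixes whose combined population is
# 20,000 or fewer; a real pipeline loads this set from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}
TOP_CODE = "90 or older"


def generalize_zip(zip_code, low_population=LOW_POPULATION_ZIP3):
    """Return the permitted three-digit prefix, or 000 when it must be masked."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) not in (5, 9):  # malformed input: suppress, never pass through
        return "000"
    prefix = digits[:3]
    return "000" if prefix in low_population else prefix


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def generalize_age(age):
    """Ages over 89 collapse into a single top-coded category."""
    return TOP_CODE if age >= 90 else age


def generalize_event_date(event):
    """Keep only the year of a service, admission, or discharge date."""
    return event.year


def generalize_birth(birth, as_of):
    """Keep the birth year unless it would reveal an age over 89."""
    return TOP_CODE if age_on(birth, as_of) >= 90 else birth.year


def safe_harbor_view(record, as_of):
    """Map one raw record (hypothetical field names) to its generalized form."""
    return {
        "zip3": generalize_zip(record["zip"]),
        "birth_year": generalize_birth(record["birth_date"], as_of),
        "age": generalize_age(age_on(record["birth_date"], as_of)),
        "admit_year": generalize_event_date(record["admit_date"]),
    }
```

A ZIP code stored as an integer loses its leading zeros, so the function masks it rather than guessing the prefix.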
Contact Information Identifiers
Direct contact channels can immediately tie records to a specific person.
- Identifier 4 — Telephone numbers.
- Identifier 5 — Fax numbers.
- Identifier 6 — Email addresses.
Compliance tips
- Exclude phone/fax/email from analytic datasets. If operationally necessary, store them in a separate, access-controlled system and reference via non-identifying tokens.
Government and Plan Numbers
Government-issued and plan identifiers are highly sensitive and uniquely identifying.
- Identifier 7 — Social Security numbers.
- Identifier 9 — Health plan beneficiary numbers.
- Identifier 11 — Certificate/license numbers: Driver’s license, professional license, or other government-issued certificates.
Compliance tips
- Do not store these values in research or analytics files. Use one-way tokens for linkage, and keep crosswalks in a segregated, encrypted vault.
Device and Vehicle Identifiers
Serials and plates can point to specific people or households.
- Identifier 12 — Vehicle identifiers and serial numbers, including license plate numbers.
- Identifier 13 — Device identifiers and serial numbers, such as implantable device serials or equipment IDs.
Compliance tips
- Generalize to model or category (e.g., “implantable cardiac device”) and remove serials. Treat photographs of plates or labels as PHI if readable.
Biometric and Image Identifiers
These markers are inherently unique and difficult to mask without destroying utility.
- Identifier 16 — Biometric identifiers, including finger and voice prints (and commonly iris/retina scans, palm/vein patterns, facial geometry).
- Identifier 17 — Full-face photographic images and comparable images, including video frames revealing the full face.
Compliance tips
- Under Safe Harbor, exclude full-face images and biometrics. Cropping and irreversible blurring may be considered only within Expert Determination with documented low risk.
Unique Identifying Numbers and Codes
Less obvious fields can still single out a person when combined with health data.
- Identifier 8 — Medical record numbers.
- Identifier 10 — Account numbers, such as billing or bank accounts.
- Identifier 14 — Web URLs that point to personal pages or records.
- Identifier 15 — IP address numbers.
- Identifier 18 — Any other unique identifying number, characteristic, or code (except a re-identification code kept separately and not derived from the individual’s data).
De-identification tips
- Replace record/account numbers, URLs, and IPs with random tokens. Maintain the mapping in a separate system with strict access controls and auditing to support PHI Identifier Compliance.
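An added example (not from the original article) of random tokenization with a separately held crosswalk, set beside an unkeyed hash, which is derived from the identifier and can be reversed by enumeration. `TokenVault`, the field names, and the sample values are hypothetical.

```python
import hashlib
import secrets


class TokenVault:
    """Stand-in for the segregated crosswalk store; holds the only token-to-value map."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, kind, value):
        """Return a stable random token for (kind, value), issuing one if needed."""
        key = (kind, value)
        if key not in self._by_value:
            token = f"{kind}-{secrets.token_hex(8)}"
            while token in self._by_token:  # collision is practically unreachable
                token = f"{kind}-{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def reidentify(self, token):
        """Reverse lookup; in production this call is access-controlled and audited."""
        return self._by_token[token]


def derived_code(value):
    """Counter-example: an unkeyed hash is derived from the identifier itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def recover_by_enumeration(code, candidates):
    """A holder of a candidate list can reverse a derived code without the vault."""
    return next((c for c in candidates if derived_code(c) == code), None)


def tokenize_record(record, vault, fields=("mrn", "account", "ip")):
    """Replace the listed identifier fields (hypothetical names) with vault tokens."""
    return {k: vault.tokenize(k, v) if k in fields else v for k, v in record.items()}
```

The random token carries no information about the value it replaces, so re-identification requires access to the vault. The hash-based code fails that test because the identifier space is small enough to enumerate.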
In practice, you protect Health Information Privacy by inventorying these 18 identifiers, minimizing their use, and applying the appropriate De-identification Methods. Safe Harbor delivers clear rules; Expert Determination can preserve more data utility when vetted by a qualified expert and supported by robust Data Masking Techniques and governance.
FAQs
What are the 18 HIPAA identifiers?
- Names
- Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP; limited three-digit ZIP exception)
- All elements of dates (except year) for dates directly related to an individual; ages over 89 aggregated as 90+
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (e.g., finger and voice prints)
- Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code (with specific limits on re-identification codes)
How does HIPAA define Protected Health Information?
PHI is individually identifiable health information—held or transmitted by a covered entity or business associate in any form—that relates to a person’s past, present, or future physical or mental health or condition, health care provision, or payment for care, and that identifies the individual or could reasonably be used to identify them.
Why are geographic subdivisions considered PHI?
Fine-grained locations can pinpoint where a person lives or received care, which makes it easier to link records back to them. HIPAA therefore classifies all geographic subdivisions smaller than a state as identifiers, allowing only three-digit ZIPs when the aggregated population for those three digits exceeds 20,000; otherwise the digits must be replaced with 000.
How can organizations ensure compliance with HIPAA identifiers?
Build a program that inventories data elements, strips or masks the 18 identifiers, and documents your chosen approach (Safe Harbor or Expert Determination). Use Data Masking Techniques (generalization, suppression, tokenization), least-necessary access, encryption, auditing, workforce training, vendor due diligence, and ongoing risk assessments to sustain HIPAA Privacy Rule compliance.