Navigating HIPAA: The Essential Guide to Patient Identifiers

Kevin Henry

HIPAA

January 15, 2024

8 minute read

HIPAA Patient Identifier Definitions

Under HIPAA, Protected Health Information (PHI) is health data that can identify an individual and is created, received, maintained, or transmitted by a Covered Entity or its Business Associate. “Patient identifiers” are the data elements that, alone or combined, can reasonably identify a person. When identifiers appear with health details, you have PHI and HIPAA Compliance requirements apply.

Identifiers fall into two broad categories. Direct identifiers (like names or Social Security numbers) point straight to a person. Indirect identifiers (like a full date of birth or detailed location) can identify someone when combined with other data. HIPAA provides a specific list of identifiers and clear rules for removing or limiting them.

Comprehensive List of 18 HIPAA Identifiers

  1. Names.
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (except the initial three digits of a ZIP when the combined area has more than 20,000 people; otherwise use 000).
  3. All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 and related date elements (including year), except when aggregated as age 90 or older.
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers, including finger and voice prints.
  17. Full-face photographic images and comparable images.
  18. Any other unique identifying number, characteristic, or code (except a permitted re-identification code not derived from personal information).

De-Identification Standards for PHI

The two permitted methods

  • Expert Determination: A qualified expert applies accepted statistical or scientific principles to determine that the risk of re-identification is very small, documents the methods and results, and you keep applying those controls so the risk stays low over time.
  • Safe Harbor: You remove all 18 identifiers for the individual and for relatives, employers, or household members, and you have no actual knowledge that remaining information could identify the person.

Key practices to reduce re-identification risk

  • Generalize or bin granular values (for example, provide age ranges rather than exact ages; use broader geographic areas).
  • Limit date precision to year where required; avoid small cells and rare combinations that can single out individuals.
  • Tokenize or hash internal IDs using non-derivable keys; keep keys separate and access-controlled.
  • Continuously monitor for data linkability with other datasets and reassess risk when context or availability changes.

Re-identification codes

You may assign a random code to allow future linkage back to the original record, so long as the code is not derived from individual information, the mapping key is kept separately and securely, and you do not disclose the mechanism for re-identification.
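As an added illustration (my own example, not code from this article or from Accountable), the Python below applies the Safe Harbor rules described above to one constructed patient record: ZIP truncated to three digits or replaced by 000, dates reduced to year, ages over 89 collapsed to "90+" with the birth year dropped, direct identifiers removed, and the medical record number replaced by a keyed-hash re-identification code whose key is held separately. The sparse-ZIP set, the sample record and the key are constructed placeholders, not real data.

```python
import hmac
import hashlib
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes whose combined area holds
# 20,000 people or fewer. In practice derive this set from current Census data.
SPARSE_ZIP3 = {"036", "059", "102"}

def safe_harbor_zip(zip_code, sparse_zip3=SPARSE_ZIP3):
    """Keep only the first three ZIP digits, or '000' if that area is too small."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in sparse_zip3 else zip3

def safe_harbor_birth(dob, as_of):
    """Reduce a date of birth to its year; for ages over 89 drop the year and report '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return {"birth_year": None, "age": "90+"}
    return {"birth_year": dob.year, "age": age}

def reid_code(mrn, key):
    """Keyed hash of the record number: not derivable without the separately stored key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]

# Direct identifiers that Safe Harbor removes outright (items 1 and 4-17 in the list above).
DROP = {"name", "phone", "fax", "email", "ssn", "plan_id", "account", "license",
        "vehicle", "device", "url", "ip", "biometric", "photo"}
# Fields that are transformed rather than dropped.
TRANSFORMED = {"mrn", "dob", "zip", "admitted"}

def deidentify(record, key, as_of, sparse_zip3=SPARSE_ZIP3):
    """Return a Safe Harbor version of one record (free-text fields are not handled here)."""
    out = {k: v for k, v in record.items() if k not in DROP and k not in TRANSFORMED}
    out["zip3"] = safe_harbor_zip(record["zip"], sparse_zip3)
    out.update(safe_harbor_birth(record["dob"], as_of))
    out["admit_year"] = record["admitted"].year          # date element reduced to year
    out["reid_code"] = reid_code(record["mrn"], key)     # random-looking, key kept apart
    return out

# Constructed sample record, reference date and key (placeholders, not real values).
KEY = b"example-key-stored-separately-from-the-dataset"
AS_OF = date(2024, 1, 15)
SAMPLE = {"name": "Jane Q. Sample", "mrn": "MRN-000123", "ssn": "000-00-0000",
          "email": "jane@example.invalid", "dob": date(1932, 5, 4), "zip": "05901",
          "admitted": date(2023, 11, 2), "diagnosis": "J18.9"}

if __name__ == "__main__":
    print(deidentify(SAMPLE, KEY, AS_OF))
```

The "no actual knowledge" condition of Safe Harbor, free-text notes, and item 18 (any other unique code) still need human review; the code only handles the structured fields it is told about.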

Limited Data Set Specifications

A Limited Data Set (LDS) is PHI that excludes direct identifiers but may retain certain details useful for analysis. Because it is still PHI, you need a Data Use Agreement (DUA) and must meet HIPAA Compliance obligations.

What an LDS may include

  • City, state, and ZIP code.
  • All elements of dates (for example, dates of birth, admission, discharge, death; and service dates).
  • Other characteristics or codes not listed as direct identifiers.

Direct identifiers that must be removed from an LDS

  • Names; full postal address other than city, state, ZIP.
  • Telephone and fax numbers; email addresses.
  • Social Security, medical record, health plan beneficiary, and account numbers.
  • Certificate/license numbers; vehicle and device identifiers/serials (including license plates).
  • Web URLs and IP addresses.
  • Biometric identifiers (for example, finger or voice prints).
  • Full-face photographs and comparable images.

Permitted purposes and Data Use Agreement essentials

  • Permitted uses: research, public health, and health care operations (not marketing or most sales).
  • DUA must: specify permitted uses and recipients; require safeguards; prohibit re-identification or contact with individuals; mandate reporting of improper uses/disclosures; bind agents/subcontractors; and require return or destruction of the data when feasible.

Covered Entities and Business Associates

A Covered Entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically in a HIPAA standard transaction. If you fit one of these categories, HIPAA applies to your handling of PHI.

A Business Associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (or another Business Associate). This includes vendors like cloud service providers that store PHI, data analytics firms, and billing services; it excludes mere conduits that do not persistently store information.

Covered Entities must execute a Business Associate Agreement (BAA) requiring appropriate safeguards, subcontractor flow-downs, breach reporting, and limits on use and disclosure. Business Associates assume direct HIPAA obligations for security, use/disclosure, and PHI Breach Notification.

PHI Breach Notification Requirements

A “breach” is an impermissible use or disclosure that compromises the security or privacy of PHI. It is presumed a breach unless, after a documented four-factor risk assessment, you determine there is a low probability that the PHI was compromised.

Risk assessment factors

  • Nature and extent of PHI involved (types of identifiers and risk of re-identification).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated.

Who must be notified and when

  • Individuals: without unreasonable delay and no later than 60 calendar days from discovery.
  • Media: within 60 days if a breach involves 500 or more residents of a state or jurisdiction.
  • HHS: within 60 days for breaches affecting 500 or more individuals; for fewer than 500, no later than 60 days after the end of the calendar year.
  • Business Associates: must notify the Covered Entity without unreasonable delay (contract may set shorter deadlines) and provide the information needed for notifications.

Content of the notice

  • What happened (including dates and discovery date).
  • What information was involved.
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact methods for questions.

Exceptions and “secured PHI”

  • Unintentional access by an authorized workforce member in good faith, inadvertent disclosure to an authorized recipient, and disclosures where the recipient could not reasonably retain the information may not be breaches.
  • PHI encrypted to established standards is considered “secured” and not subject to PHI Breach Notification.

Employment Records and HIPAA Exclusions

Employment records held by a Covered Entity in its role as an employer are not PHI. Examples include FMLA forms stored by HR, workplace injury logs, drug test results maintained for employment purposes, or vaccination attestation collected by HR. These records may be regulated by other laws but are outside HIPAA.

Context matters: if a health care provider treats an employee as a patient, the provider’s clinical records are PHI. If the employer later receives a copy for HR purposes, the copy in the employer’s HR file is an employment record, not PHI.

Conclusion

To manage HIPAA Compliance confidently, identify whether data elements are patient identifiers, choose the correct path (De-Identification or Limited Data Set with a DUA), confirm your role as a Covered Entity or Business Associate, and be ready to execute PHI Breach Notification when required. Clear governance over employment records versus PHI reduces risk and keeps your program defensible.

FAQs

What Are the 18 HIPAA Patient Identifiers?

The 18 identifiers are: names; geographic subdivisions smaller than a state (with the three-digit ZIP rule); all elements of dates except year and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serials (including license plates); device identifiers and serials; web URLs; IP addresses; biometric identifiers (for example, finger or voice prints); full-face photos and comparable images; and any other unique identifying number, characteristic, or code (except a permitted re-identification code).

How Is PHI De-Identified Under HIPAA?

Use one of two methods: (1) Expert Determination, where a qualified expert documents that the re-identification risk is very small under accepted techniques; or (2) Safe Harbor, where you remove all 18 identifiers and have no actual knowledge that remaining data can identify someone. You may keep a non-derivable re-identification code separately to link records later.

What Entities Are Considered Covered Entities?

Covered Entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard HIPAA transactions (such as claims or eligibility checks). Vendors that handle PHI for them are typically Business Associates and must sign BAAs and meet HIPAA obligations.

When Must a PHI Breach Be Reported?

Notify affected individuals without unreasonable delay and no later than 60 days from discovery. For incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media within 60 days. Report to HHS within 60 days for breaches of 500+ individuals, and for smaller breaches by 60 days after the calendar year ends.
