The 18 PHI Identifiers


Kevin Henry

HIPAA

May 04, 2021


When it comes to protecting patient privacy, understanding what qualifies as Protected Health Information (PHI) is absolutely essential. The Health Insurance Portability and Accountability Act (HIPAA) lays out clear guidelines to keep sensitive information out of the wrong hands. At the heart of these protections is a definitive list known as the 18 PHI identifiers — specific data points that, when connected to an individual, require strict safeguarding.

Why does this matter? If any of these identifiers—such as names, geographic subdivisions, dates, phone numbers, email addresses, SSNs, or biometric data—are not handled properly, it can lead to privacy breaches, identity theft, or even healthcare fraud. To minimize risk, HIPAA introduced two de-identification standards: the Safe Harbor method (removing all 18 identifiers) and Expert Determination (certifying data can’t reasonably identify someone). Knowing exactly what these identifiers are is the first step in keeping information secure.

In the sections ahead, we’ll break down each of the 18 PHI identifiers, explain why they’re sensitive, and offer practical tips for ensuring compliance. Whether you’re a healthcare professional, an IT specialist, or just want to better understand how your data is protected, this guide will give you a clear, concise roadmap to PHI privacy under HIPAA.

Names

Names are often the very first thing that comes to mind when we think about personal information—after all, they are fundamental to our identity. In the context of HIPAA and the 18 PHI identifiers, a name is much more than just a label; it’s a critical link in the chain of data points that can be used to identify a patient within a healthcare setting.

Under HIPAA, names—first, last, middle, maiden, or any nickname—are protected as PHI when they appear in connection with health information. The logic is simple: even by itself, a name can sometimes be enough to identify a person, and when paired with other data (like geographic subdivisions or dates), the risk increases significantly.

It’s important to recognize that context is everything. For example, your name scribbled on a coffee cup at a hospital café isn’t PHI. However, your name included in a medical record, appointment log, or even a health insurance form is strictly protected. This is because the Safe Harbor method—one of the two main HIPAA de-identification standards—explicitly requires the removal of names from datasets before information can be considered de-identified. On the other hand, the Expert Determination method involves a statistical analysis by a qualified expert to ensure that the risk of re-identification is very small, even if names are removed.

To clarify, the following types of names fall under PHI protection when associated with health information:

  • Full names (first and last)
  • Initials or nicknames that can specifically identify a person
  • Maiden names, aliases, or former names
  • Names of relatives, employers, or household members if used in a way that could link back to the individual

Why is this level of protection necessary? Names are often all that’s needed to begin piecing together someone’s identity, especially when combined with other PHI identifiers like geographic subdivisions, dates, phone numbers, or email addresses. In the event of a data breach, even seemingly innocuous details can quickly snowball into identity theft or fraud, emphasizing the need for strict controls over this identifier.

For healthcare organizations and their business associates, knowing when and how to safeguard names is non-negotiable. It’s one of the simplest—but most important—steps in protecting patient confidentiality, supporting compliance, and maintaining trust. When in doubt, it’s always best to treat names with the highest level of care, following HIPAA’s Safe Harbor and Expert Determination guidelines to the letter.

All geographic subdivisions smaller than a state

All geographic subdivisions smaller than a state are considered PHI identifiers under HIPAA, and for good reason. These details—everything from your street address to your ZIP code—can be used to pinpoint where a person lives, receives care, or works. When combined with other identifiers like names, dates, or phone numbers, geographic information can quickly lead to the identification of an individual, making it a key risk factor for privacy breaches.

HIPAA specifically lists the following as geographic subdivisions smaller than a state:

  • Street address
  • City or town
  • County or precinct
  • ZIP code (with special restrictions if the area contains fewer than 20,000 people)
  • Any other geographic codes

The Safe Harbor method—one of HIPAA’s two approved de-identification standards—requires removing all these details before health data can be shared for research, analytics, or other secondary uses without patient authorization. Under Safe Harbor, only the first three digits of a ZIP code may be used, and even then, only if there are more than 20,000 people in that geographic region. If not, HIPAA mandates replacing the ZIP code with 000 to prevent re-identification.

The Expert Determination method offers an alternative, allowing covered entities to share data if a qualified expert determines, through statistical or scientific principles, that the risk of identifying individuals is “very small.” In practice, this means careful consideration of how even small pieces of geographic data—when combined with other PHI like dates of birth, SSNs, or device IDs—might make someone’s identity discoverable.

We’ve all seen how easily an address or ZIP code can narrow down a search. That’s why HIPAA takes “all geographic subdivisions smaller than a state” so seriously as a PHI identifier. Even without a name or phone number, these data points hold the power to reveal a lot about someone—especially when matched with other PHI like MRNs, email addresses, biometric identifiers, or full-face photos.

Practical tip: If you work with healthcare data, always check for hidden geographic clues in your records and scrub them according to Safe Harbor or consult an expert if in doubt. It’s better to be cautious than to risk exposing someone’s privacy through a seemingly harmless detail.

All elements of dates (except year) for dates related to an individual, plus ages 90 or older, are critical PHI identifiers under HIPAA. This might sound technical at first, but let’s break it down together so it’s easy to grasp and apply in real-life situations.

Any specific date associated with a patient—whether it’s a birthday, hospital admission, discharge, surgery, or even a test result—can reveal a lot more than we might think. If someone has access to these details, especially in combination with other identifiers like names, phone numbers, or MRNs, it becomes much easier to pinpoint a person’s identity. That’s exactly why these dates are protected.

But why does HIPAA exclude just the year? The logic is simple: removing the month and day makes the data less precise and thus less likely to identify someone uniquely. For example, “May 12, 1978” is much more specific than simply “1978.” The more specific the date, the higher the risk of re-identification—especially in healthcare records where context is everything.

Now, let’s talk about ages—specifically, those 90 or older. If someone is 92 years old and their date of birth is disclosed, it narrows the pool of possible individuals significantly, especially in smaller communities or rare medical studies. That’s why HIPAA requires these ages to be handled with extra care. Instead of listing an exact age, organizations group everyone aged 90 or above into a single category: “90 or older.” This small adjustment helps maintain anonymity.

Here’s how this PHI identifier plays out under HIPAA’s Safe Harbor and Expert Determination methods:

  • Safe Harbor: Covered entities must remove all date elements (other than year) related to an individual—including birth date, admission and discharge dates, date of death, and any ages over 89—to meet de-identification requirements.
  • Expert Determination: A qualified expert uses statistical analysis to certify that the risk of re-identification is “very small,” but dates and ages still get special scrutiny because of their potential to reveal identities.

In short, dates and ages aren’t just numbers—they’re powerful PHI identifiers that must be handled with care. By removing or modifying these elements according to HIPAA rules, we reduce the risk that someone’s sensitive health information could be traced back to them.

If you’re ever unsure whether a date or age qualifies as PHI, remember: when in doubt, leave it out or group it in a way that protects privacy. This is one of the small but crucial ways we can all contribute to keeping health information safe and compliant.
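The geographic and date rules described above can be applied mechanically to a record before it leaves a protected system. The following is an added example, not code from the original article: the field names, the allowlist and the ZIP-prefix population table are assumptions made for illustration, and the population figures are constructed rather than real census counts. It covers only the geographic and date/age rules; every field that is not explicitly allowed is dropped.

```python
from datetime import date

# Constructed population counts per 3-digit ZIP prefix (not real census data).
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000, "597": 20_000}
POPULATION_THRESHOLD = 20_000

# Hypothetical record layout. Only allowlisted fields pass through unchanged;
# names, street addresses, cities, counties and anything unknown are dropped.
KEEP_FIELDS = {"diagnosis"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the 3-digit prefix only if its area has more than 20,000 people."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) not in (5, 9):      # malformed or truncated: fail closed
        return "000"
    prefix = digits[:3]
    if populations.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"                       # small or unknown area


def age_on(birth, as_of):
    """Age in whole years on the as_of date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify_record(record, as_of):
    """Apply the ZIP, date and age rules to one record (a dict)."""
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Keep the year only; month and day are removed.
            out[key.replace("_date", "_year")] = value.year if value else None
        elif key in KEEP_FIELDS:
            out[key] = value
        # Everything else is dropped.
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age >= 90:
            # Ages over 89 collapse into one category. The Safe Harbor rule
            # also covers date elements, year included, that indicate such
            # an age, so the birth year is suppressed as well.
            out["age"] = "90 or older"
            out["birth_year"] = None
        else:
            out["age"] = age
    return out


# Constructed sample records.
AS_OF = date(2021, 5, 4)
SAMPLE_RECORDS = [
    {"name": "Constructed Patient A", "street_address": "1 Example St",
     "city": "Sampletown", "zip": "03601", "birth_date": date(1930, 5, 12),
     "admission_date": date(2021, 3, 4), "diagnosis": "J45"},
    {"name": "Constructed Patient B", "zip": "10001-1234",
     "birth_date": date(1978, 5, 12), "diagnosis": "E11"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify_record(rec, AS_OF))
```
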

Telephone numbers

Telephone numbers are one of the most straightforward yet significant PHI identifiers under HIPAA. If a phone number is linked to an individual in a healthcare context, it becomes protected information and must be handled with care. This applies to any number recorded or used by a healthcare provider, health plan, or their business associates.

Why are telephone numbers so important? Even though a phone number alone may not seem highly sensitive, it can be used in combination with other identifiers—like names, geographic subdivisions, or dates—to trace information back to a specific patient. This risk of re-identification is precisely why HIPAA includes phone numbers in its list of 18 PHI identifiers.

HIPAA’s Safe Harbor method for de-identification requires the complete removal of all phone numbers from datasets before information can be considered truly “de-identified.” This means not only landlines but also mobile numbers, work numbers, and any alternative contact numbers must be stripped out. The presence of a phone number, even if other details are masked, is enough to keep a record classified as PHI.

Alternatively, the Expert Determination method relies on a qualified expert to assess the risk of re-identification. Even here, telephone numbers typically remain high-risk identifiers and must be managed with rigorous controls, especially when they appear alongside other sensitive data like email addresses, SSNs, MRNs, or device IDs.

Let’s make this practical. If you’re working with patient information—maybe as a provider, an administrator, or even in IT—always treat telephone numbers with the same strict protocols you use for other obvious identifiers. Encrypt them, limit access, and never share them unless it’s absolutely necessary and permitted by law.

  • Never include phone numbers in unencrypted emails or insecure files.
  • Be cautious about verbal disclosures, especially in shared workspaces or public areas.
  • Don’t store phone numbers with other PHI identifiers unless required for care or operations.

In summary, telephone numbers may seem harmless, but under HIPAA, they’re a critical part of the protected puzzle. By understanding their role among the 18 PHI identifiers and following Safe Harbor or Expert Determination guidelines, we help ensure patient privacy stays intact—and avoid costly compliance headaches along the way.

Fax numbers

Fax numbers may seem like a relic of a bygone era, but they remain a surprisingly important piece of the PHI identifiers puzzle. Under HIPAA, a patient’s fax number is classified as Protected Health Information whenever it can be linked to a specific individual and their medical details. Even if your healthcare organization has gone digital, many providers and smaller practices still rely on fax machines for transmitting sensitive health records, referrals, and insurance information.

Why does this matter? Faxed documents often contain a wealth of personal data—names, dates, MRNs, and even insurance details. If a fax number falls into the wrong hands, it can open the door to unauthorized access or disclosure of that information. This is why both the Safe Harbor and Expert Determination methods for de-identification under HIPAA require the complete removal of fax numbers before any health data can be considered de-identified.

Here’s what makes fax numbers especially sensitive:

  • Direct Link to Individual: A fax number assigned to a patient or their household can be used to identify them, particularly when combined with other PHI identifiers like names or addresses.
  • Gateway for Information: If intercepted, fax transmissions may expose entire records—including SSN, device IDs, or full-face photos—to unauthorized viewers.
  • Harder to Track: Unlike emails or secure patient portals, monitoring the delivery and access logs for a faxed document is often challenging, increasing the risk of unintentional disclosures.

In practical terms, you should treat fax numbers with the same level of security as phone numbers and email addresses. This means:

  • Never including fax numbers in de-identified records unless using the Expert Determination method and confirming re-identification risk is very low.
  • Using cover sheets and secure lines when transmitting PHI via fax.
  • Ensuring access to faxed PHI is strictly limited to authorized personnel only.

Bottom line: Fax numbers might feel old-fashioned, but they remain a critical PHI identifier under HIPAA regulations. Keeping them secure isn’t just about compliance—it’s about respecting patient privacy in every format, old and new.

Email addresses

Email addresses may seem like a common piece of contact information, but in the context of healthcare, they are considered one of the 18 PHI identifiers under HIPAA. This means that when an email address is linked to a patient’s medical record, appointment schedules, or any health-related data, it becomes protected and subject to strict privacy requirements.

Why does an email address hold such significance? It’s not just about avoiding unwanted messages. When combined with other information—such as names, dates, or medical record numbers (MRN)—an email address can directly or indirectly reveal an individual’s identity. This is precisely why HIPAA includes email addresses among the details that must be safeguarded against unauthorized access.

To achieve HIPAA compliance, organizations must use specific methods, such as the Safe Harbor de-identification standard. This process requires that email addresses, among other PHI identifiers, be removed from datasets before any information is shared or disclosed. Alternatively, Expert Determination can be used, where a qualified expert confirms that the risk of identifying individuals is very small—even if some data remains.

Practical advice for both patients and healthcare staff:

  • Never share patient email addresses outside secure, authorized channels.
  • Encrypt emails that contain health information to prevent interception by unauthorized parties.
  • Be cautious of phishing attempts that target healthcare providers by disguising themselves as legitimate communication.
  • Regularly review access controls to ensure only necessary staff can view or use patient email addresses.

Remember, something as simple as an email address—when paired with other data—can compromise patient privacy. That’s why HIPAA’s inclusion of email in the PHI identifiers list is both logical and necessary. By understanding and respecting this requirement, we help protect not just information, but individuals themselves.

Social Security numbers

Social Security numbers (SSNs) are among the most sensitive PHI identifiers protected under HIPAA. These nine-digit numbers are assigned to individuals as a unique identifier for everything from employment and taxes to healthcare and government benefits. Within the healthcare context, an SSN directly links to a patient’s entire medical and financial history, which is why its protection is non-negotiable.

Why are SSNs so critical? Simply put, they’re a master key for identity theft. If a malicious actor gets access to a patient’s SSN, they can fraudulently open credit cards, apply for loans, or even access medical services in the patient’s name. That’s not just a violation of privacy—it can result in financial loss, credit damage, and years of stress for the affected individual.

HIPAA recognizes the potential for harm and explicitly lists SSNs as one of the 18 PHI identifiers. To ensure compliance, organizations must remove or de-identify SSNs when sharing data under the Safe Harbor method. This means that any health-related information that includes an SSN cannot be considered de-identified until the SSN is completely removed. For cases where data is needed for research or analytics, the Expert Determination method can be employed, but only after an expert has confirmed that the risk of re-identification is “very small.”

How can we protect SSNs in practice?

  • Limit access: Only authorized personnel should be able to view or use SSNs, and only when absolutely necessary.
  • Encrypt data: SSNs stored electronically should always be encrypted, whether at rest or in transit.
  • Educate staff: Regular training on handling sensitive PHI identifiers, like SSNs, is crucial for reducing accidental exposure.
  • Avoid unnecessary use: Never use an SSN as a primary patient identifier if another, less sensitive number—such as a medical record number (MRN)—can be used instead.

Remember, SSNs are just one of several key identifiers—names, dates, phone, email, device IDs, IP address, and more all require the same level of care. By treating SSNs with the seriousness they deserve, we help protect not only individual patient privacy but also the integrity of our entire healthcare system.

Medical record numbers

Medical record numbers (MRNs) are one of the core PHI identifiers that HIPAA sets out to protect. An MRN is a unique code assigned to each patient by a healthcare provider or system, used to track all medical information, treatment history, and encounters across the continuum of care. While these numbers don’t include overtly personal details like your name or Social Security Number, they serve as a critical key that links directly to your entire health history.

Why are medical record numbers so sensitive? Unlike general account numbers, MRNs are deeply embedded in healthcare databases and connect every aspect of a patient’s medical profile—including diagnoses, medications, test results, and billing information. If someone gains unauthorized access to your MRN, they could potentially piece together a comprehensive view of your private health data. This is why HIPAA’s Safe Harbor method requires the removal of MRNs when de-identifying data, and why Expert Determination methods often focus on how MRNs might be re-identified if combined with other data points like names, dates, or device IDs.

It’s important to remember that an MRN isn’t just another number—it’s a gateway to a patient’s most personal information. That’s why healthcare providers and their business associates are required to:

  • Limit access to MRNs strictly to authorized personnel
  • Store and transmit MRNs securely using encryption and strong authentication
  • Remove or mask MRNs in datasets used for research, analytics, or public reporting unless patient consent is obtained or de-identification standards are fully met

Even though MRNs alone may not reveal your identity, when combined with other PHI identifiers like names, dates, or device IDs, the risk of re-identification multiplies dramatically. That’s why both Safe Harbor and Expert Determination approaches treat MRNs with such caution—especially in an era of advanced data analytics and increasing cyber threats.

Ultimately, safeguarding medical record numbers is a vital step in protecting patient privacy, maintaining trust in the healthcare system, and ensuring compliance with HIPAA. By being mindful of how MRNs are handled, we help keep sensitive health information exactly where it belongs—private and secure.

Health plan beneficiary numbers

Health plan beneficiary numbers are a crucial entry on the list of PHI identifiers, and for good reason. These unique numbers are assigned by health insurance companies or government health programs to identify individuals who receive benefits or services. While they may seem like just another string of numbers, their connection to a person’s medical coverage makes them especially sensitive.

Why do health plan beneficiary numbers matter so much? They serve as a direct link between you and your health coverage. If someone gains unauthorized access to your beneficiary number, they could potentially:

  • File fraudulent insurance claims in your name
  • Access your medical and billing records
  • Obtain prescription drugs or medical services illegally

In the hands of cybercriminals or identity thieves, a health plan beneficiary number can open the door to a range of privacy risks and financial damages—often without your immediate knowledge. That’s why HIPAA’s Safe Harbor method specifically requires the removal of these numbers when de-identifying data, and the Expert Determination method demands a rigorous risk assessment to ensure re-identification isn’t possible.

It’s important to remember that a health plan beneficiary number is not interchangeable with just any account or policy number. It’s specifically tied to the benefits you receive under a particular health plan, whether that’s through private insurance, Medicare, Medicaid, or another program. This makes it a prime target for fraud schemes that aim to exploit healthcare systems and patient identities.

By protecting health plan beneficiary numbers, we’re not just following a regulatory checklist; we’re actively safeguarding the trust, privacy, and security that patients expect from their healthcare providers. Never share your beneficiary number unless it’s absolutely necessary and you know the recipient is authorized to handle PHI securely.

Understanding how each PHI identifier—including health plan beneficiary numbers—fits into the broader compliance landscape helps all of us keep sensitive information protected, foster trust, and uphold the standards set by HIPAA.

Account numbers

Account numbers might seem like just a string of digits, but in the context of PHI identifiers, they carry significant risk when it comes to patient privacy. Under HIPAA’s Safe Harbor method, all account numbers directly tied to an individual—be it for health plans, billing, or even patient portals—must be removed or protected to prevent any possibility of re-identification. These numbers act as a gateway, connecting various forms of sensitive data like names, dates, or even full-face photos with a specific patient’s identity.

Imagine someone getting unauthorized access to your health plan or billing account number. Even if other details, such as your Social Security Number (SSN) or Medical Record Number (MRN), are kept separate, the account number alone can be enough to piece together your identity—especially when combined with other data points like phone, email, or device IDs. This risk is why account numbers are a core element of PHI and must be handled with the utmost care.

When organizations use the Expert Determination method for de-identification, these numbers are carefully analyzed for re-identification risk, often resulting in them being masked or replaced to ensure compliance. The key takeaway: any account number that can be linked to health information or services is considered PHI and must be protected accordingly.

Examples include:

  • Health insurance account numbers
  • Patient billing account numbers
  • Prescription benefit account numbers
  • Online patient portal account numbers

Protecting account numbers isn’t just a regulatory requirement—it’s an essential part of safeguarding your personal and financial wellbeing. These identifiers can be a target for cybercriminals, who may use them in tandem with other PHI identifiers like IP address or email to gain unauthorized access to your medical or financial information. That’s why, whether you are a healthcare provider or a patient, staying vigilant about how your account numbers are stored and shared is a key part of maintaining privacy in today’s digital healthcare landscape.

Certificate/license numbers

Certificate and license numbers are a crucial entry on the list of PHI identifiers under HIPAA. These numbers can include anything from a driver’s license, professional license, or state-issued certificate—essentially, any unique code or number assigned to you for official identification. While these may seem mundane at first glance, they play a powerful role in linking your personal identity to your health records and other private data.

Why do certificate and license numbers require special attention? When combined with other PHI identifiers like names, dates, or addresses, they provide a direct path to sensitive personal information. For example, a medical board license number might seem harmless on its own, but together with an email address or phone number, it becomes a building block for identity theft or unauthorized access to health data.

Let’s break down why certificate/license numbers are treated as PHI under both Safe Harbor and Expert Determination de-identification standards:

  • Uniqueness: These numbers are issued to a single individual and aren’t reused, providing a direct link to your identity.
  • Authentication: Many organizations use certificate or license numbers to verify identity during account recovery, credentialing, or access to services.
  • Fraud Risk: If obtained by someone with malicious intent, these identifiers can be used alongside other PHI—such as SSN, MRN, device IDs, or even biometric data—to falsely represent you or to access your healthcare or financial information.

HIPAA’s Safe Harbor method specifically requires the removal of certificate/license numbers from data sets before information is considered de-identified. Meanwhile, under the Expert Determination standard, a qualified statistician must determine that the risk of re-identifying individuals using these numbers is very small before data can be shared outside of protected channels.

In practical terms, healthcare providers, insurers, and their business associates must ensure these numbers are tightly controlled. Never share your certificate or license numbers unless it’s necessary and with a trusted, authorized party. And if you’re handling PHI, always include certificate/license numbers in your risk assessments and data protection policies—just like you would with IP address, full-face photos, phone, email, or any other PHI identifiers.

In summary, certificate/license numbers may seem routine, but their potential to unlock other sensitive information makes them a priority for strong security and privacy controls under HIPAA. By recognizing their importance, we help keep every link in the PHI chain secure and uphold the trust at the core of healthcare.

Vehicle identifiers and serial numbers

Vehicle identifiers and serial numbers are often overlooked as sensitive data, but in the context of PHI identifiers, they play a critical role in protecting patient privacy. Under HIPAA’s Safe Harbor method, elements like license plate numbers, vehicle identification numbers (VINs), and serial numbers must be removed from health records before data is considered de-identified. This is because, when combined with other information—such as names, dates, or addresses—vehicle identifiers can directly or indirectly reveal a patient’s identity.

Why are vehicle identifiers so significant? Imagine a situation where a patient’s medical records reference the specific vehicle they arrived in or an accident report lists their license plate. If this data is disclosed without proper safeguards, anyone with access could potentially connect the dots and identify the individual. This is especially risky in smaller communities or unique vehicle situations.

When using the Safe Harbor method to de-identify data, all vehicle-related identifiers must be stripped out. Alternatively, the Expert Determination method allows a qualified expert to assess the risk of re-identification, which might occasionally allow such data to remain if the risk is “very small”—but this requires formal documentation and a well-established process.

Here are the types of vehicle identifiers that must be protected:

  • License plate numbers
  • Vehicle identification numbers (VINs)
  • Serial numbers of vehicles or other devices associated with the patient

Practical tip: If you handle health records, always check for hidden vehicle identifiers, especially in scanned documents or narrative notes. Even a mention of a unique car model combined with a partial license plate could present a privacy risk.

By staying vigilant about all PHI identifiers—including vehicle and device IDs—we help maintain the trust our patients place in us and ensure compliance with HIPAA. Remember, protecting even the smallest data points is central to patient privacy and data security.

Device identifiers and serial numbers

Device identifiers and serial numbers are often overlooked, but they play a significant role as PHI identifiers under HIPAA. These are unique numbers assigned to medical equipment or personal devices used in a healthcare setting, such as pacemakers, insulin pumps, or even smartphones and tablets that store health information. When these device IDs or serial numbers are linked to an individual’s health information, they become part of the protected data landscape.

Why are these numbers considered sensitive? Device identifiers can directly connect a piece of equipment to a specific patient, revealing information about their treatment or medical status. For instance, if someone knows the serial number of a patient’s heart monitor, they could potentially trace it back to the individual, gaining unauthorized access to details about their health or procedure history.

HIPAA provides two main pathways to de-identify PHI and reduce risk:

  • Safe Harbor: This method requires the complete removal of all 18 PHI identifiers, including device identifiers and serial numbers. Only after these elements are stripped can information be considered truly de-identified.
  • Expert Determination: A qualified expert uses statistical and scientific methods to ensure that the likelihood of identifying an individual is very small. In this case, device IDs may be masked or altered to prevent re-identification.

Let’s make this practical. If your electronic health record system logs the serial number of a device used during surgery, that number must be protected just like your name, SSN, or MRN. This means it shouldn’t be shared, published, or included in datasets unless it’s been de-identified according to HIPAA standards.

We encourage everyone working in healthcare to treat device identifiers with the same caution as more familiar data points, like phone numbers, email addresses, or full-face photos. Even something that seems technical or obscure, like a device serial number, can be a gateway to a patient’s private world if mishandled.

Bottom line: Always account for device IDs and serial numbers when assessing PHI. By doing so, you’re not only following the letter of the law—you’re upholding the spirit of patient privacy and trust.

Web URLs

Web URLs, or Uniform Resource Locators, may not immediately seem sensitive, but they are a crucial PHI identifier under HIPAA. In the healthcare context, a URL can directly or indirectly point to an individual’s medical record, test results, or private communications within a patient portal. Even if a URL doesn’t explicitly include a name or medical record number (MRN), it can still be tied back to a specific person, especially when combined with other data like dates, device IDs, or IP addresses.

Why are Web URLs considered PHI? It’s all about traceability. Many electronic health record systems utilize URLs that embed unique identifiers, such as session tokens or patient IDs. For example, a link like www.healthsystem.com/patient/12345/results reveals a pathway to protected health information. If someone gains access to that URL, they could potentially see confidential details about the patient’s health status, treatment, or billing information.

HIPAA’s Safe Harbor method requires removing or de-identifying URLs from datasets before they are shared or used for non-treatment purposes. Similarly, the Expert Determination method involves having a qualified expert certify that the risk of re-identification from URLs and related data is very low. Both approaches aim to prevent any accidental exposure of PHI identifiers via web addresses.

Here’s what you need to watch out for with URLs in healthcare:

  • Direct links to patient records or documents.
  • URLs containing query strings with names, MRNs, or dates of birth.
  • Embedded codes or session IDs that map back to individual patients.
  • Links shared in emails or text messages that could be intercepted.

Practical advice: When handling or sharing electronic health information, always double-check that web addresses do not contain any PHI identifiers. If your work involves exporting or analyzing healthcare data, scrub URLs of any unique codes or personal references. Rely on secure, encrypted communication channels and access controls to further safeguard this information.

Remember, protecting URLs is just as important as safeguarding phone numbers, email addresses, or full-face photos. Every detail matters when it comes to upholding patient privacy and staying compliant with HIPAA’s rigorous standards.

IP addresses

IP addresses are a critical component of the 18 PHI identifiers because they serve as digital fingerprints, uniquely identifying devices that access healthcare information online. Whenever you use a computer, smartphone, or tablet to log into a patient portal, communicate with a provider, or access health records, your device’s IP address is logged as part of the interaction. This means that, in a healthcare context, an IP address can often be traced back to a specific individual, especially when combined with other PHI like names, dates, or email addresses.

Why are IP addresses considered PHI under HIPAA? The answer comes down to identifiability. While an IP address alone may seem harmless, it can be linked with other data to reveal someone’s location, device history, or even infer health behaviors. For example, if a specific IP address repeatedly accesses a cancer clinic’s portal, it’s not hard to guess that the user has a relationship with that clinic. Because of this potential for re-identification, HIPAA mandates that covered entities treat IP addresses with the same care as other PHI identifiers like SSNs, MRNs, and phone numbers.

HIPAA provides two primary pathways to de-identify PHI, including IP addresses:

  • Safe Harbor Method: This requires the removal of all 18 PHI identifiers, including IP addresses, from a dataset before it can be considered de-identified and safe to use or share for research or other purposes.
  • Expert Determination Method: Here, a statistical expert analyzes the data and confirms that the risk of re-identifying individuals is very small, even if some identifiers like IP addresses remain in a limited way.

Practical Advice: If you handle or process healthcare data, be mindful that IP addresses are not just technical details—they are regulated identifiers. Logging, storing, or sharing IP addresses without proper safeguards or authorization can trigger HIPAA violations. Always evaluate your technology systems and workflows to ensure IP addresses are protected, especially when combined with other sensitive information such as device IDs, full-face photos, or biometric data.

In our increasingly digital world, safeguarding IP addresses is not just a best practice—it's a HIPAA requirement. By understanding the risks and following established de-identification methods, we can keep patient information secure and maintain trust in our healthcare systems.
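The scrubbing advice in the Web URLs and IP addresses sections, as an added example that is not from the original article: a Python pass over free-text export or log lines that templates identifier-bearing URL segments, drops query strings and fragments, and replaces validated IP addresses. The `{id}`, `[URL]` and `[IP]` placeholders, the segment heuristic and the log lines are assumptions made for the example; because Safe Harbor removes URLs entirely, `drop_urls=True` replaces the whole address.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed heuristic: a path segment is per-patient if it is all digits or an
# opaque token of 16+ characters (UUIDs, session IDs). Names in a path are not
# caught by this rule; tune it to your own routes.
ID_SEGMENT = re.compile(r"^(?:\d+|[\w\-]{16,})$")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
# Loose candidates only; the ipaddress module decides what is a real address.
IP_CANDIDATE = re.compile(
    r"(?<![\w.:])(?:(?:\d{1,3}\.){3}\d{1,3}(?!\.?\w)"
    r"|(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:]))"
)


def scrub_url(url: str) -> str:
    """Keep host and route shape; drop IDs, credentials, port, query, fragment."""
    had_scheme = "://" in url
    parts = urlsplit(url if had_scheme else "https://" + url)
    segments = ["{id}" if ID_SEGMENT.match(s) else s for s in parts.path.split("/")]
    prefix = f"{parts.scheme}://" if had_scheme else ""
    return f"{prefix}{parts.hostname or ''}{'/'.join(segments)}"


def scrub_text(text: str, drop_urls: bool = False) -> str:
    """Scrub URLs first, then IP addresses, from one line of free text."""

    def url_repl(match: re.Match) -> str:
        raw = match.group(0)
        core = raw.rstrip(".,;:)")  # sentence punctuation is not part of the URL
        return ("[URL]" if drop_urls else scrub_url(core)) + raw[len(core):]

    def ip_repl(match: re.Match) -> str:
        try:
            ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)  # a timestamp or version string, not an address
        return "[IP]"

    return IP_CANDIDATE.sub(ip_repl, URL_RE.sub(url_repl, text))


# Constructed sample lines (documentation addresses, made-up identifiers).
SAMPLE_LOG = [
    "2021-05-04T12:30:00Z 203.0.113.7 GET "
    "https://portal.example.org/patient/12345/results?mrn=A998&dob=1980-02-01",
    "reset link sent: www.healthsystem.com/patient/12345/results.",
    "2001:db8::1 opened "
    "https://portal.example.org/s/3f2a9c1e7b5d4a60b1c2d3e4f5a6b7c8/inbox#msg-77",
    "agent build 1.2.3.4.5 started at 12:30:00",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_text(line))
```

Long ordinary path words (16 or more characters) are also templated, which errs on the side of over-redaction.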

Biometric identifiers

Biometric identifiers have quickly become one of the most sensitive and technologically advanced types of PHI identifiers recognized by HIPAA. In the context of healthcare, these include measurable biological or behavioral characteristics that can be used to uniquely identify an individual—think fingerprints, voiceprints, retinal scans, and even facial recognition data.

What makes biometric identifiers especially important is their permanence. Unlike a password or a phone number, you can't just change your fingerprint or your voice pattern if your data is compromised. This is why HIPAA specifically lists biometric data as an identifier that must be protected through both the Safe Harbor method (removal of all 18 identifiers) and Expert Determination (statistical analysis ensuring minimal re-identification risk) when de-identifying health information.

Here are the most common types of biometric identifiers considered PHI under HIPAA:

  • Fingerprints: Used for both physical and digital authentication, fingerprints are unique to each person and can be collected during medical procedures or identity verification.
  • Voiceprints: Increasingly used in telehealth and call center authentication, voiceprints analyze unique vocal characteristics to verify identity.
  • Retinal and iris scans: These advanced methods capture the unique patterns in a person’s eye, sometimes used in hospital security or patient tracking.
  • Facial recognition data: While closely related to full-face photos, specialized facial measurements used for identification fall under biometrics.

With the rise of digital health records and integrated device IDs, there’s more opportunity—and risk—for this data to be collected, stored, and potentially exposed. A breach of biometric PHI doesn’t just threaten privacy; it can lead to long-term consequences such as identity theft, fraud, or even illegal use of someone’s likeness.

Best practices for safeguarding biometric identifiers include:

  • Using encryption at rest and in transit for all stored biometric data.
  • Restricting access to only those healthcare personnel who absolutely need it.
  • Implementing strong authentication protocols for systems storing biometrics.
  • Regularly auditing device IDs and access logs for unauthorized use or unusual activity.

As we increasingly use technology in healthcare, we must remain vigilant. Protecting biometric identifiers isn’t just about regulatory compliance—it’s about respecting and safeguarding the very essence of our individual identity. If you’re handling health data, always ensure your de-identification practices address not just names, dates, or email addresses, but also the biometric markers that make each patient unique.

Full-face photographs and comparable images

Full-face photographs and comparable images are among the most sensitive PHI identifiers defined under HIPAA. These are not just ordinary pictures; they include any image where a person’s face is clearly recognizable, making them directly identifiable. Think of it as the visual equivalent of sharing your name, SSN, or MRN—these images can instantly connect medical details to a specific individual, which is why they require the highest level of protection.

When we talk about comparable images, it’s not limited to studio portraits or driver's license photos. Any clinical photograph, selfie, or video frame taken as part of healthcare—whether for diagnosis, treatment, or documentation—falls under this category if it can be used to identify someone. For instance, photos taken to track wound healing, document rashes, or support telemedicine visits are all protected if the person’s face or identifying features are visible.

HIPAA's Safe Harbor method for de-identification is very clear on this: full-face photographs and similar images must be removed so that PHI cannot be traced back to the patient. If such images are necessary for care, they must be handled with strong security controls—access limited to those with a legitimate need, and transmission only via secure, encrypted channels. If images are to be used for research, education, or publication, facial features must be obscured or cropped, unless explicit patient authorization has been obtained.

Alternatively, under the Expert Determination method, a professional with statistical and scientific knowledge can certify that the risk of identifying the subject from the image, alone or in combination with other data like names, device IDs, or geographic subdivisions, is very small. This is a rigorous process and is rarely used for full-face images because of how easily faces can be recognized—even advanced biometric tools can match faces with astonishing accuracy.

We all know how quickly a photo can spread online. With today’s technology, even a single image can be matched to social media profiles, device IDs, or even traced back with IP address data. That’s why healthcare organizations have strict protocols around full-face photos, ensuring these PHI identifiers are only used when absolutely necessary, and always protected as securely as possible.

Practical advice:

  • Only collect and store full-face images when medically essential.
  • Always use encryption for storage and transmission.
  • If sharing images for non-care reasons, crop or blur identifying features, or obtain explicit patient consent.
  • Regularly audit access to these images, just as you would with sensitive data like phone numbers, email addresses, or biometric identifiers.

By treating full-face photographs and comparable images with the utmost care, we help preserve our patients’ privacy, maintain trust, and stay firmly within HIPAA’s requirements—even as technology and threats continue to evolve.

Any other unique identifying number/characteristic/code

Any other unique identifying number, characteristic, or code may sound like a catch-all, but it’s a crucial element in the HIPAA landscape. This final PHI identifier is designed to address the reality that not all personal identifiers fit neatly into the first 17 categories. Healthcare is complex, and technology is always evolving—so HIPAA created this broad category to ensure no personally identifiable data slips through the cracks.

Let’s break down what this means in practice. If a number, characteristic, or code is assigned to a patient for identification purposes—outside of the specific examples like names, MRNs, device IDs, or IP addresses—it could fall under this umbrella. Think about unique barcodes, custom patient codes used in research, or even encrypted tokens that tie back to an individual record. If there’s any way for someone to use this data point to trace information back to a specific person, it’s considered PHI.

  • Research Study Codes: Clinical research often uses coded identifiers to protect subjects. If a key exists that links the code to the individual, the code itself is PHI.
  • Custom Account Numbers: Sometimes healthcare organizations create their own numbering systems for patients, separate from a standard MRN. These are PHI if they can be connected to an individual.
  • Barcodes and QR Codes: Used on patient wristbands or documents, these codes often encode sensitive data and become PHI when they enable identification.
  • System-Generated Identifiers: Any internally generated identifier—like a database key or a unique login credential—that links back to a person’s health record fits here.

How does HIPAA protect these “other” identifiers? Under the Safe Harbor method, all unique codes or characteristics that could identify a patient must be removed for data to be truly de-identified. If a code is required for operational reasons, it must not be derived from or related to information about the individual (for example, a scrambled version of their SSN or MRN is not allowed). The Expert Determination method also requires a formal risk assessment to confirm that the likelihood of re-identification is very low.

In short, if you’re handling anything that can be used to single out an individual—even if it’s not one of the more familiar PHI identifiers like email, phone, biometric data, or full-face photos—it’s your responsibility to treat it with the same high level of protection. This flexible, forward-thinking category ensures HIPAA can keep pace with emerging technologies and creative identification methods in healthcare.

When in doubt, err on the side of caution: If a number, code, or feature could be used to trace back to a patient, safeguard it as PHI. This holistic approach is what keeps patient privacy intact, no matter how the world changes.
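The rule that a retained code must not be derived from information about the individual, as an added example that is not from the original article: a "scrambled MRN" code beside a randomly assigned one, plus a pre-release audit that flags codes recomputable from a known MRN list. The MRNs, diagnosis values, function names and the set of hash functions checked are assumptions made for the example.

```python
import hashlib
import secrets


def derived_code(mrn: str) -> str:
    """Weak pattern: a 'scrambled' MRN. Anyone who knows the MRN can recompute it."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


class Crosswalk:
    """Random study codes. The mapping is the re-identification key, so it is
    held by the data owner and never shipped with the released dataset."""

    def __init__(self) -> None:
        self._code_by_mrn = {}

    def code_for(self, mrn: str) -> str:
        if mrn not in self._code_by_mrn:
            code = secrets.token_hex(8)  # 64 random bits, unrelated to the patient
            while code in self._code_by_mrn.values():
                code = secrets.token_hex(8)
            self._code_by_mrn[mrn] = code
        return self._code_by_mrn[mrn]


def recomputable_codes(rows: list, known_mrns: list) -> list:
    """Pre-release audit: list codes that are a prefix of a plain hash of an MRN."""
    digests = {
        hashlib.new(name, mrn.encode()).hexdigest()
        for mrn in known_mrns
        for name in ("sha1", "sha256", "sha512")
    }
    return sorted(
        {r["code"] for r in rows
         if len(r["code"]) >= 8 and any(d.startswith(r["code"]) for d in digests)}
    )


def release(rows: list, code_fn) -> list:
    """Build the outgoing dataset: the MRN column is replaced by a code."""
    return [{"code": code_fn(r["mrn"]), "dx": r["dx"]} for r in rows]


# Constructed sample data.
MRNS = ["MRN-000123", "MRN-000456"]
VISITS = [{"mrn": "MRN-000123", "dx": "E11.9"}, {"mrn": "MRN-000456", "dx": "I10"}]

if __name__ == "__main__":
    weak = release(VISITS, derived_code)
    strong = release(VISITS, Crosswalk().code_for)
    print("derived codes flagged:", recomputable_codes(weak, MRNS))
    print("random codes flagged: ", recomputable_codes(strong, MRNS))
```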

Why does this list matter so much? Each PHI identifier—whether it’s a name, geographic subdivision, date of birth, phone number, email, Social Security Number (SSN), Medical Record Number (MRN), biometric detail, full-face photo, device ID, or IP address—represents a potential link back to an individual’s private health story. When these identifiers are properly protected, we help prevent identity theft, fraud, and the emotional stress that comes from privacy breaches.

HIPAA offers two main pathways to ensure information is no longer considered PHI: Safe Harbor and Expert Determination. Safe Harbor means removing all 18 PHI identifiers, while Expert Determination relies on a qualified professional’s judgment that the risk of re-identification is very small. Both approaches aim to keep sensitive information anonymous and secure, giving us all peace of mind whenever health data is handled.

Staying aware of what counts as PHI and how it must be managed isn’t just a regulatory box to check—it’s about respecting the trust that patients place in the healthcare system. By recognizing and following these safeguards, we help build a safer, more respectful environment for everyone. Knowing your responsibilities around PHI identifiers today is the first step to making better choices for privacy and compliance tomorrow.

FAQs

Is ZIP code always PHI?

ZIP codes are not always considered PHI (Protected Health Information) by default, but context is key. Under HIPAA’s Safe Harbor method, ZIP codes count as PHI identifiers when they are part of a geographic subdivision smaller than a state—such as a street address, city, county, or precinct—if they can be used to identify an individual. However, there’s an important exception: the first three digits of a ZIP code can be shared if the combined population of all ZIP codes with those three digits exceeds 20,000 people. If not, those ZIP codes must be changed to 000 to protect anonymity.

In short, whether a ZIP code is PHI depends on the risk of identifying someone. If a ZIP code, alone or combined with other data like names, dates, phone numbers, or email addresses, could single out a person, it is treated as PHI and must be protected under HIPAA. But if it’s sufficiently broad or anonymized—meeting Safe Harbor rules or cleared by Expert Determination—it may not be PHI.

Always remember, context and combination matter. ZIP codes may seem harmless, but when paired with other PHI identifiers like SSN, MRN, biometric data, full-face photos, device IDs, or IP address, they increase the risk of re-identifying an individual. That’s why organizations must assess each situation carefully and lean on HIPAA’s Safe Harbor or Expert Determination guidelines.

Are partial dates allowed?

Are partial dates allowed under HIPAA’s PHI de-identification rules? The answer depends on the method you use to de-identify information—Safe Harbor or Expert Determination.

With Safe Harbor, all elements of dates directly related to an individual—except the year—must be removed from health data to qualify as de-identified. This covers birthdates and admission or discharge dates, where the month and day must go, as well as any age over 89. In other words, partial dates like “March 2022” or “03/XX/2022” are not allowed under Safe Harbor, as they can still be used to identify someone.

However, the Expert Determination method allows for more flexibility. If a qualified expert determines that the risk of re-identification is “very small,” some partial date information may be permitted—provided it cannot reasonably identify an individual. This might be relevant in clinical research where certain date-related data is essential, but always requires a documented risk assessment by the expert.

To sum up, partial dates are not permitted under Safe Harbor, but could be allowed under Expert Determination with appropriate safeguards. When in doubt, it’s safest to exclude all date elements except the year if you’re de-identifying PHI for broad use.
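The ZIP code and date rules from the two FAQ answers above, as an added example that is not from the original article: a Python routine that truncates ZIP codes to three digits (or `000`), reduces full and partial dates to the year, and handles ages over 89. The field names and the population table are constructed for the example, and grouping ages over 89 into one "90 or older" category with the birth year suppressed follows the Safe Harbor rule text rather than anything stated on this page.

```python
import re
from datetime import date

# Constructed population totals per 3-digit ZIP prefix (not real census data).
ZIP3_POPULATION = {"303": 812_000, "059": 14_500}

YEAR_RE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")


def generalize_zip(zip_code: str, zip3_population: dict, threshold: int = 20_000) -> str:
    """Return the 3-digit prefix only if its combined population exceeds threshold."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # Unknown prefixes are treated as small areas and also become 000.
    return prefix if zip3_population.get(prefix, 0) > threshold else "000"


def year_only(value: str):
    """Reduce '2022-03-14', 'March 2022' or '03/XX/2022' to the year, else None."""
    match = YEAR_RE.search(value)
    return match.group(0) if match else None


def age_on(dob: date, as_of: date) -> int:
    """Age in completed years on the as_of date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor_fields(rec: dict, zip3_population: dict, as_of: date) -> dict:
    """Generalize the ZIP, date and age fields of one record."""
    dob = date.fromisoformat(rec["dob"])
    age = age_on(dob, as_of)
    over_89 = age > 89
    return {
        "zip3": generalize_zip(rec["zip"], zip3_population),
        # A birth year would reveal an age over 89, so it is suppressed too.
        "birth_year": None if over_89 else str(dob.year),
        "age": "90 or older" if over_89 else str(age),
        "admitted_year": year_only(rec["admitted"]),
    }


# Constructed sample records.
SAMPLE_RECORDS = [
    {"zip": "30309", "dob": "1980-02-01", "admitted": "March 2022"},
    {"zip": "05901-1234", "dob": "1929-07-15", "admitted": "03/XX/2022"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(safe_harbor_fields(record, ZIP3_POPULATION, date(2022, 3, 14)))
```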

When is de-identification sufficient under HIPAA?

De-identification is considered sufficient under HIPAA when health information has been stripped of all elements that could identify an individual or when the risk of re-identification is extremely small. HIPAA provides two clear methods to achieve this: the Safe Harbor method and the Expert Determination method.

Under the Safe Harbor method, all 18 types of PHI identifiers—such as names, geographic subdivisions smaller than a state, dates (except year), phone numbers, email addresses, Social Security Numbers (SSN), Medical Record Numbers (MRN), biometric data, full-face photos, device IDs, and IP addresses—must be completely removed. No reasonable basis should remain for believing the information could still identify the individual.

Alternatively, the Expert Determination method allows a qualified statistical or scientific expert to analyze the data and certify, with documented evidence, that the risk of re-identifying an individual is “very small”—even if some indirect identifiers remain. This offers flexibility for data that can't be fully stripped of all identifiers but can still be managed with minimal risk.

If either method is properly followed, the resulting data is no longer considered PHI under HIPAA, and the strict privacy requirements no longer apply. However, it's essential to remember that de-identification must be thorough and defensible—cutting corners can put both patient privacy and organizational compliance at risk.
