The 18 PHI Identifiers Explained: Best Practices for HIPAA Compliance
Overview of the 18 PHI Identifiers
Under the HIPAA Privacy Rule, protected health information (PHI) is any individually identifiable health information maintained or transmitted by a covered entity or business associate that relates to health status, care, or payment. If the data can identify a person on its own or when combined with other data in a designated record set, it is PHI.
HIPAA enumerates 18 direct identifiers. When these appear with clinical, billing, or claims details, the information must be treated and safeguarded as PHI.
- Names.
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and geocodes).
- All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, or death dates), and ages 90 and over.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (e.g., fingerprints, voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Remember: the same clinical note may be PHI in one context but not another. If it cannot identify an individual and is not part of a designated record set (or has been properly de-identified), it is no longer PHI.
Strategies for PHI De-Identification
Expert determination
You can engage a qualified expert to assess your data, methods, and residual risk of re-identification. If the expert documents that the likelihood of identifying an individual is very small, the dataset is considered de-identified. This method supports analytics that retain utility while minimizing risk.
Safe harbor de-identification
Under safe harbor de-identification, you must remove all 18 identifiers and have no actual knowledge that the remaining information could identify a person. This includes coarsening geography (limited ZIP code information may be kept only where the area meets the rule's population threshold) and reducing dates to the year. Ages 90 and above are grouped as 90+.
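The safe harbor transformation described above, as an added example (not code from the original article or from Accountable). The field names, the sample record and the set of low-population ZIP prefixes are constructed assumptions; the 20,000-person threshold is the one in the HIPAA rule, but the real restricted-prefix list must be taken from current Census data.

```python
import re
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes whose combined area is at or
# below the safe harbor population threshold (20,000 people) must be reported as
# "000". The real list comes from Census data; these values are illustrative only.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Assumed field names for the direct identifiers that are dropped entirely.
# Geography smaller than a state (city, county, street) is included here.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit prefix; blank it to 000 for low-population areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3

def generalize_date(iso_date: str) -> str:
    """Reduce a YYYY-MM-DD date to its year only."""
    return str(date.fromisoformat(iso_date).year)

def generalize_age(age: int) -> str:
    """Ages 90 and above are collapsed into a single 90+ category."""
    return "90+" if age >= 90 else str(age)

def safe_harbor(record: dict) -> dict:
    """Apply safe harbor rules field by field; clinical content is retained."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                       # identifier removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out

# Constructed sample record (fictitious patient) for demonstration.
EXAMPLE_RECORD = {
    "name": "Ada Example", "mrn": "MRN-0048213", "city": "Cambridge",
    "state": "MA", "zip": "02139-4307", "birth_date": "1931-04-17",
    "admission_date": "2023-11-02", "age": 93, "diagnosis": "I10",
}
```

Running `safe_harbor(EXAMPLE_RECORD)` leaves only state, ZIP prefix, years, the 90+ age bucket and the diagnosis code.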
Limited data set vs. de-identified data
A limited data set permits certain elements (e.g., dates, city, state, and limited ZIP details) for public health and research when governed by a data use agreement. It is still PHI and requires safeguards. Fully de-identified data—via expert determination or safe harbor de-identification—is not PHI and may be used or disclosed without HIPAA restrictions.
Practical controls to reduce re-identification risk
- Minimize: collect only what you need; avoid unnecessary identifiers at intake.
- Tokenize: replace identifiers with tokens; keep the key in a segregated, access-controlled vault.
- Aggregate and generalize: bucket dates to year or quarter; coarsen location when feasible.
- Audit releases: vet recipient controls, document approvals, and re-check for linkage risks.
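The tokenization control from the list above, as an added example (not code from the original article or from Accountable). It assumes a keyed HMAC for deterministic tokens so visits for the same patient remain linkable, with the key and the reverse map held in a vault object that stands in for a separately access-controlled system; field names and sample visits are constructed.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Assumed identifier fields to replace with tokens in the analytics copy.
IDENTIFIER_FIELDS = ("mrn", "ssn", "name")

class TokenVault:
    """Holds the secret key and the token->identifier map. In practice this lives
    in a segregated, access-controlled store, never beside the tokenized data."""
    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._reverse: dict = {}

    def tokenize(self, field: str, value: str) -> str:
        # Keyed HMAC: the same (field, value) always yields the same token, but an
        # unkeyed hash of a low-entropy value such as an MRN could be guessed, so
        # the key is what keeps the token from being reversed outside the vault.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:24]}"
        self._reverse[token] = value
        return token

    def reidentify(self, token: str) -> str:
        """Only the vault can map a token back; this is an audited operation."""
        return self._reverse[token]

def tokenize_record(record: dict, vault: TokenVault) -> dict:
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out

def contains_raw_identifier(records: list, raw_value: str) -> bool:
    """Release check: make sure no field in the output still carries the raw value."""
    return any(raw_value in str(v) for r in records for v in r.values())

# Constructed sample visits for one fictitious patient.
RAW_VISITS = [
    {"mrn": "MRN-0048213", "name": "Ada Example", "visit_date": "2023-11-02", "diagnosis": "I10"},
    {"mrn": "MRN-0048213", "name": "Ada Example", "visit_date": "2024-01-15", "diagnosis": "E11"},
]
```

A second vault with a different key produces different tokens, which is what prevents two recipients from linking their datasets to each other.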
Administrative Safeguards in HIPAA
Governance and compliance officer designation
Assign overall responsibility for HIPAA to a privacy official and a security official. This compliance officer designation centralizes decision-making, policy stewardship, and oversight of your HIPAA risk assessment program.
Risk management and policies
Conduct a formal HIPAA risk assessment, prioritize risks, and implement controls. Maintain written policies on privacy, security, sanctions, data retention, and incident response. Review and update these when your environment or regulations change.
Information access management
Use role-based access control so workforce members see only the minimum necessary information. Define roles, map permissions to job duties, and review access regularly, especially after transfers or terminations.
Workforce security, awareness, and incident handling
Screen hires, grant least-privilege access, and revoke promptly when roles change. Provide recurring security awareness training, test comprehension, and maintain an incident response plan with clear escalation paths and breach notification procedures.
Business associate management
Inventory vendors that create, receive, maintain, or transmit PHI, and execute a business associate agreement with each. Verify their safeguards, audit rights, breach duties, and subcontractor flow-downs.
Technical Safeguards and Encryption
Access controls and authentication
Enforce unique user IDs, multi-factor authentication, session timeouts, and emergency access procedures. Align permissions with role-based access control and log privileged actions.
Audit controls and integrity
Capture detailed audit logs for systems that store or process ePHI. Protect log integrity with hashing, time synchronization, and restricted admin access. Review alerts for anomalies and investigate promptly.
Transmission and storage protection
Apply strong encryption standards for data in transit (e.g., modern TLS) and at rest (e.g., AES with robust key management). Prefer FIPS-validated modules when feasible, rotate keys, and isolate secrets from application code.
Application and endpoint security
Harden servers and devices, patch quickly, and use mobile device management for laptops and phones that may access PHI. Implement secure software development practices and run routine vulnerability scans.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Physical Safeguards for PHI Protection
Facility and workstation security
Control building access with badges and visitor logs. Position screens away from public view, enable privacy filters where needed, and auto-lock workstations on inactivity.
Device and media controls
Track hardware assets, encrypt portable media, and sanitize or destroy drives before reuse or disposal. Use documented chain-of-custody procedures for devices that may contain PHI.
Paper records and signage
Store paper PHI in locked cabinets, restrict keys, and use secure shredding. Post clear signage to keep PHI off printers and communal areas, and empty output trays promptly.
Risk Assessments and Compliance Audits
How to run a HIPAA risk assessment
Inventory systems and workflows that handle ePHI, identify threats and vulnerabilities, estimate likelihood and impact, and rank risks. Map controls, set remediation owners and deadlines, and track residual risk over time.
Frequency and triggers
Perform a comprehensive assessment at least annually and whenever you introduce new technology, change vendors, expand services, or experience a security incident. Reassess after major control changes to validate effectiveness.
Audits and continuous improvement
Schedule internal compliance audits and readiness reviews for external inquiries. Test policy adherence by sampling access rights, logs, encryption configurations, and business associate agreement coverage. Report metrics to leadership and close gaps with time-bound action plans.
Training and Education on HIPAA Standards
Core curriculum and onboarding
Train every workforce member on privacy principles, the 18 PHI identifiers, minimum necessary use, and secure handling of PHI across email, messaging, and telework. Reinforce how designated record set contents affect PHI status.
Role-specific practice
Provide deeper modules for clinicians, billing, IT, and research teams. Include hands-on exercises covering role-based access control, incident reporting, and data minimization in common workflows.
Reinforcement and documentation
Deliver refresher training at least annually, conduct phishing simulations, and test policy knowledge. Maintain attendance records, attestations, and corrective actions for audit readiness.
By cataloging the 18 identifiers, applying de-identification methods, and implementing administrative, technical, and physical controls, you build a defensible, scalable HIPAA compliance program that protects patients and enables trustworthy data use.
FAQs
What are the 18 PHI identifiers?
- Names
- Geographic details smaller than a state
- All elements of dates (except year) and ages 90+
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
How can PHI be de-identified under HIPAA?
You can use two methods: (1) engage a qualified expert to document that the risk of re-identification is very small (expert determination), or (2) remove all 18 identifiers and ensure no actual knowledge of identifiability remains (safe harbor de-identification). A limited data set may include some elements with a data use agreement, but it remains PHI and requires safeguards.
What administrative safeguards are required for HIPAA compliance?
Key safeguards include a HIPAA risk assessment and risk management plan, compliance officer designation, policies and sanctions, workforce security and training, role-based access control, incident response and contingency planning, periodic evaluations, vendor oversight with a business associate agreement, and thorough documentation.
How often should HIPAA risk assessments be conducted?
Conduct a comprehensive HIPAA risk assessment at least annually and whenever major changes occur—such as new systems, integrations, vendors, or after a security incident. Reassess targeted areas after remediation to confirm risk reduction.