What Are Examples of Protected Health Information (PHI)? 18 Identifiers Under HIPAA Explained
Protected Health Information (PHI) is any individually identifiable health information that relates to a person’s health status, care, or payment for care and can identify that person. To safeguard health information privacy, HIPAA compliance standards define 18 specific identifiers that make data “identifiable.” Remove these identifiers (or use expert determination) and you achieve PHI de-identification, a key step in patient data protection and broader healthcare data security.
Below, you’ll find the HIPAA 18 identifiers organized into practical categories, with plain‑English explanations and examples you can act on today.
Names and Personal Identifiers
Names directly identify a person and are always PHI when connected to health details. This includes any part of a person’s name that could reasonably identify them in context.
What this includes
- Full names, first or last names, middle names, suffixes (Jr., Sr.), and initials when they could identify someone.
- Signatures or name fragments that can be linked back to the individual.
De-identification tips
- Remove names entirely or replace with randomly generated codes that are not derived from personal health identifiers.
- Store any re-identification keys separately with strict access controls to support HIPAA compliance standards.
Other Unique Identifiers
HIPAA also treats “any other unique identifying number, characteristic, or code” as an identifier. This can include study IDs or tracking codes if they are derived from or related to an individual’s information.
- Research subject codes linked to a roster that can reveal identity.
- Custom patient tags created from names, dates, or record numbers.
Geographic and Location Data
Geographic details smaller than a state can pinpoint identity, especially in combination with health data.
What this includes
- Street address, apartment numbers, and directions (e.g., “rear unit”).
- City, county, precinct, and ZIP code (with limited exceptions for first three digits in large-population areas).
- GPS coordinates, latitude/longitude from mobile devices, and precise facility locations tied to an individual.
De-identification tips
- Generalize to the state level or broader regions where feasible.
- When sharing utilization trends, aggregate by large areas to minimize re-identification risk.
Dates and Age Information
Dates can easily reveal identity when exact. HIPAA treats most date elements as identifiers except the year.
What this includes
- All elements of dates (except year) for events linked to an individual: birth date, admission, discharge, procedure, and death dates.
- Exact date/time stamps in logs, imaging, lab results, or messages.
- Ages over 89 and any related details that indicate such age (e.g., “92-year-old”).
De-identification tips
- Use the year only, or provide broader ranges (e.g., “Q2 2025”).
- Aggregate individuals aged 90 and older into a single “90+” category.
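The geographic and date rules above can be applied mechanically. The following is an added example, not part of the original article: it builds a shareable row from an allow-list of fields, truncates ZIP codes to three digits, keeps only years, and folds ages of 90 and over into "90+". The field names, the sample records and the entries in `LOW_POPULATION_ZIP3` are assumptions made for illustration.

```python
from datetime import date

# Assumption: 3-digit ZIP prefixes covering 20,000 or fewer people. Sample
# entries only; derive the real set from current Census Bureau data.
LOW_POPULATION_ZIP3 = {"036", "059"}

def generalize_zip(zip_code):
    """Keep only the first three ZIP digits, or '000' for small areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5 or digits[:3] in LOW_POPULATION_ZIP3:
        return "000"  # malformed input is suppressed rather than passed through
    return digits[:3]

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def generalize_record(rec, as_of):
    """Build the shareable row from an allow-list; nothing else is copied."""
    age = age_on(rec["birth_date"], as_of)
    out = {
        "state": rec["state"],
        "zip3": generalize_zip(rec["zip"]),
        "age": "90+" if age >= 90 else str(age),
        "admission_year": rec["admission_date"].year,
        "diagnosis": rec["diagnosis"],
    }
    if age < 90:
        # A birth year would reveal an age over 89, so it is kept only below 90.
        out["birth_year"] = rec["birth_date"].year
    return out

# Constructed sample records (not real patients).
SAMPLE = [
    {"name": "Pat Example", "street": "1 Main St, rear unit", "state": "NH", "zip": "03601",
     "birth_date": date(1931, 4, 12), "admission_date": date(2025, 5, 14), "diagnosis": "I10"},
    {"name": "Sam Sample", "street": "22 Oak Ave", "state": "CA", "zip": "94110-1234",
     "birth_date": date(1980, 11, 2), "admission_date": date(2025, 5, 20), "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(generalize_record(row, as_of=date(2025, 6, 30)))
```

Because the output is assembled field by field, a new column added upstream (a street address, a timestamp) does not leak into the shared data unless someone adds it to the allow-list.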
Contact Information and Communication Details
Direct and digital contact routes are PHI when linked to health details because they can identify or reach a specific person.
What this includes
- Telephone numbers and fax numbers.
- Email addresses, patient portal addresses, and secure messaging handles.
- Web URLs that point to personal profiles or shared documents.
- IP addresses collected by apps, portals, or telehealth platforms.
De-identification tips
- Remove or replace contact points with non-derivative tokens.
- Limit logs to non-identifying technical metrics where possible.
Government and Medical Record Numbers
Numerical identifiers are among the most sensitive personal health identifiers because they uniquely tie records to a person.
What this includes
- Social Security numbers.
- Medical record numbers (MRNs) and encounter numbers.
- Health plan beneficiary numbers and member IDs.
- Account numbers used for billing or patient accounts.
- Certificate and license numbers (e.g., professional or driver’s licenses).
De-identification tips
- Remove or tokenize these values; keep mapping tables secured and segregated.
- Apply role-based access and audit trails to strengthen healthcare data security.
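The tokenization advice in this section, and the matching tips under names and contact details, comes down to two properties: the replacement code is random rather than computed from the identifier, and the mapping back is held separately. The following is an added example, not part of the original article; `TokenVault`, `derived_code`, the field names and the sample values are hypothetical names chosen for illustration.

```python
import hashlib
import secrets

class TokenVault:
    """Random, non-derived tokens plus the re-identification key.

    The two dicts are the mapping table: persist them in a separate,
    access-controlled store, never alongside the shared dataset.
    """

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, kind, value):
        key = (kind, value)
        if key not in self._by_value:
            token = f"{kind}-{secrets.token_hex(8)}"
            while token in self._by_token:  # regenerate on the rare collision
                token = f"{kind}-{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def reidentify(self, token):
        return self._by_token[token]

def derived_code(value):
    """Anti-pattern: a code computed from the identifier itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def tokenize_record(rec, vault, fields=("name", "mrn", "ssn", "email")):
    """Return a copy of rec with the listed identifier fields tokenized."""
    out = dict(rec)
    for field in fields:
        if out.get(field):
            out[field] = vault.tokenize(field, out[field])
    return out

# Constructed sample values (not real identifiers).
SAMPLE_RECORD = {"name": "Pat Example", "mrn": "MRN-0012345", "ssn": "000-00-0000",
                 "email": "patient@example.org", "diagnosis": "I10"}

if __name__ == "__main__":
    vault = TokenVault()
    print(tokenize_record(SAMPLE_RECORD, vault))
```

`derived_code` returns the same value for the same input on any machine, so anyone who can guess or enumerate the identifier can match it to the code; a vault token can only be resolved by someone with access to the mapping.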
Device and Vehicle Identifiers
Unique hardware and vehicle details can single out a person or their records, especially in telehealth and remote monitoring contexts.
What this includes
- Vehicle identifiers and serial numbers, including license plate numbers and VINs.
- Device identifiers and serial numbers (e.g., implant serials, infusion pump IDs, smartphone IMEI, wearable IDs).
De-identification tips
- Remove serials or substitute device categories (e.g., “cardiac implant”) when granular detail is unnecessary.
- Aggregate telemetry to population-level metrics before sharing.
Biometric and Visual Identifiers
Biometrics are inherently identifying and must be protected whenever they relate to health services or payment.
What this includes
- Biometric identifiers, including fingerprints and voiceprints; other modalities like iris, retinal, face geometry, or palm scans used for identification.
- Full-face photographic images and any comparable images (e.g., high-resolution video frames showing the face).
De-identification tips
- Mask, crop, or blur facial regions and remove biometric templates.
- Use image annotations that exclude identity (e.g., bounding boxes without faces).
Conclusion
Under the HIPAA 18 identifiers, data becomes PHI when health details are linked to information that can identify a person. To uphold health information privacy, apply PHI de-identification (Safe Harbor or expert determination), minimize collection, and enforce strong access controls. Consistent, practical steps like aggregation, tokenization, and least-necessary disclosure are the backbone of patient data protection and lasting HIPAA compliance standards.
FAQs
What qualifies as protected health information under HIPAA?
PHI is individually identifiable health information related to health status, care, or payment that can identify a person. If the data includes any of the HIPAA 18 identifiers—or could reasonably identify someone—alongside health details, it’s PHI. De-identified data is not PHI.
Which government-issued numbers are considered PHI?
Social Security numbers, driver’s licenses, professional license numbers, and health plan beneficiary numbers are PHI when linked to health information. Medical record numbers and patient account numbers also qualify and require strict safeguards.
Can biometric data be classified as PHI?
Yes. Biometric identifiers—such as fingerprints and voiceprints, and other modalities used for identification—are PHI when connected to health services or payment. Full-face photos and comparable images are also PHI.
How can healthcare providers protect PHI effectively?
Apply minimum-necessary access, encrypt data in transit and at rest, use strong authentication, maintain audit logs, and train staff. When sharing data, use PHI de-identification methods and robust governance to reinforce healthcare data security and compliance.