What Are PHI Identifiers? The 18 Under HIPAA (With Examples)

Kevin Henry

HIPAA

June 29, 2025

Overview of PHI

Protected Health Information (PHI) is any health or demographic detail that can identify an individual and relates to their past, present, or future physical or mental health, care, or payment for care. Under the HIPAA Privacy Rule, PHI spans paper, verbal, and electronic records you create, receive, maintain, or transmit.

These identifiers matter because combining seemingly harmless data points can re-identify a person. Treat Identifiable Health Data with the same diligence you apply to clinical results, and embed Health Data Security and Biometric Data Privacy controls across your systems and workflows.

List of 18 HIPAA Identifiers

  1. Names.
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code; except the initial three ZIP digits when the area has more than 20,000 people).
  3. All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death), and all ages over 89 (aggregate as 90+).
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate or license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers (e.g., fingerprints, voiceprints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code.

Importance of PHI Identifiers

Correctly flagging PHI identifiers is essential to meet De-identification Standards, apply the minimum necessary rule, and reduce re-identification risk. It protects patient trust, enables ethical data use, and lowers legal exposure.

Failure to manage identifiers can trigger investigations, fines, corrective action plans, and PHI Breach Notification duties. Proactive controls around these 18 elements help you prevent incidents, streamline audits, and support compliant research and analytics.

Examples of PHI Identifiers

Clinical and administrative records

  • A discharge summary listing a patient’s name, date of birth, and medical record number.
  • An insurance claim showing a health plan beneficiary number and account number.
  • A referral note containing a street address and telephone number.

Digital footprint

  • Patient portal logs that store IP addresses and email usernames.
  • An imaging system URL that embeds a medical record number.

Devices, images, and biometrics

  • A cardiac monitor export that includes a device serial number.
  • Staff capturing a full-face photograph for documentation.
  • Voice samples used for call-center authentication (voiceprints).

Edge cases that still count

  • A small-town ZIP code combined with an admission date for a rare condition.
  • A clinician note referencing a unique tattoo description or distinctive characteristic.

HIPAA Privacy Rules

The HIPAA Privacy Rule governs how you may use and disclose PHI, with permitted purposes like treatment, payment, and healthcare operations, and with patient rights (access, amendments, and accounting of disclosures). Apply the minimum necessary standard to limit exposure of identifiers.

HIPAA’s Security Rule requires safeguards (administrative, physical, technical) for ePHI, and the Breach Notification Rule mandates timely PHI Breach Notification to affected individuals, regulators, and sometimes the media after certain incidents. Together, these rules shape how you collect, store, share, and de-identify PHI.

PHI De-identification Methods

Safe Harbor method

  • Remove all 18 identifiers for the individual and their relatives, employers, and household members.
  • For ZIP codes, keep only the first three digits when the corresponding area exceeds 20,000 people; otherwise, replace with 000.
  • Generalize ages over 89 to a single 90+ category.
  • Ensure no actual knowledge remains that the data could identify the person.
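As an added example that is not from the original article, the following Python function applies the Safe Harbor rules listed above to a flat, constructed patient record: it drops direct identifiers, truncates the ZIP code to three digits (or "000" for small areas), keeps only the year of each date, and collapses ages over 89 into "90+". The field names and the set of small ZIP prefixes are assumptions made for the example.

```python
from datetime import date

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",           # identifier 1
    "zip": "03755",                   # identifier 2
    "birth_date": "1931-05-14",       # identifier 3
    "admission_date": "2024-02-03",   # identifier 3
    "phone": "555-0100",              # identifier 4
    "mrn": "MRN-000123",              # identifier 8
    "diagnosis": "Hypertension",      # clinical content, retained
}

# Assumed set of three-digit ZIP prefixes covering 20,000 or fewer people.
# Safe Harbor replaces these with "000"; the authoritative list comes from
# Census data, so this set is only a placeholder for the example.
SMALL_ZIP3 = {"036", "037", "059"}

# Assumed field names treated as direct identifiers and dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vin", "device_serial", "url", "ip", "photo",
}

def generalize_zip(zip_code, small_zip3=SMALL_ZIP3):
    """Keep the first three ZIP digits unless the area is too small."""
    zip3 = zip_code[:3]
    return "000" if zip3 in small_zip3 else zip3

def age_on(birth, as_of):
    """Whole years elapsed between two dates."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def safe_harbor(record, as_of, small_zip3=SMALL_ZIP3):
    """Return a Safe Harbor de-identified copy of a flat record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop direct identifiers
        if field == "zip":
            out["zip3"] = generalize_zip(value, small_zip3)
        elif field.endswith("_date"):
            out[field.replace("_date", "_year")] = value[:4]   # keep year only
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(date.fromisoformat(record["birth_date"]), as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)   # a birth year alone would reveal age > 89
        else:
            out["age"] = age
    return out
```

Note that for a person over 89 the birth year is suppressed as well, since a year of birth on its own would disclose that the age exceeds 89.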

Expert Determination method

  • A qualified expert applies statistical or scientific principles to show very small re-identification risk.
  • Document methods, assumptions, and residual risk; update when data sources, algorithms, or context change.
  • Excludes most direct identifiers but can retain certain fields (e.g., city, state, dates) for research, public health, or operations.
  • Requires a Data Use Agreement and remains PHI, so HIPAA rules still apply.

Compliance Best Practices

Operational controls

  • Inventory data flows and map where each of the 18 identifiers appears across systems and vendors.
  • Apply role-based access, least privilege, and the minimum necessary rule to all workflows.
  • Train your workforce on recognizing PHI and handling Identifiable Health Data, with scenario-based refreshers.

Technical controls

  • Encrypt ePHI in transit and at rest; enable MFA, strong authentication, and session timeouts.
  • Implement DLP, audit logging, and anomaly detection for emails, portals, APIs, and data lakes.
  • Automate de-identification pipelines with Safe Harbor or Expert Determination, and validate outputs.

Vendor and incident readiness

  • Execute BAAs, assess vendors’ Biometric Data Privacy and Security Rule safeguards, and review sub-processors.
  • Maintain a tested incident response plan aligned to PHI Breach Notification timelines and content requirements.
  • Set retention schedules and defensible deletion for identifiers you no longer need.

Conclusion

The 18 HIPAA identifiers define what turns health details into PHI. When you catalog them, minimize their use, and apply strong de-identification and security controls, you reduce risk, protect patients, and enable compliant analytics and innovation.

FAQs

What qualifies as a PHI identifier under HIPAA?

Any data element that can identify an individual and relates to their health, care, or payment—such as names, full-face photos, or device serial numbers—counts as a PHI identifier. HIPAA enumerates 18 specific categories, and if any remain present, the dataset is not de-identified.

How are PHI identifiers protected?

You protect identifiers by applying the HIPAA Privacy Rule’s minimum necessary standard, enforcing access controls, encrypting ePHI, monitoring for leaks, training staff, and governing vendors via BAAs. Policies should specify how you collect, store, transmit, and de-identify PHI across its lifecycle.

What are the consequences of PHI breaches?

Consequences include containment and remediation costs, mandatory PHI Breach Notification, regulatory investigations, possible fines and corrective actions, litigation risk, and reputational harm. Robust prevention and practiced incident response substantially reduce impact.

How can entities de-identify PHI data effectively?

Use Safe Harbor by removing all 18 identifiers and applying required generalizations, or use Expert Determination with documented statistical analysis showing very small re-identification risk. Validate results, reassess as data context changes, and consider Limited Data Sets with DUAs when full de-identification is impractical.
