What Are the 18 HIPAA Identifiers? A Clear Guide with Examples


Kevin Henry

HIPAA

February 09, 2024

7 minutes read

The HIPAA Privacy Rule defines Protected Health Information (PHI) as health data that can identify an individual. Under the Safe Harbor method of data de-identification, you must remove 18 specific unique identifiers. This guide groups those identifiers, explains why each one matters for patient privacy, and shows practical examples and PHI safeguards you can apply to strengthen health information security without adding unnecessary complexity.

Use this as a quick, operational reference when you design forms, analytics pipelines, release datasets, or respond to records requests. When in doubt, err on the side of removing or generalizing identifiers so the information no longer points back to a person.

Names and Personal Identifiers

Names

Any name that can point to an individual makes health information identifiable. This includes first and last names, middle names, initials when they reasonably identify a person, and former or alias names.

  • Examples: “Jane A. Doe,” “J. Doe,” “Dr. Jane Doe.”
  • PHI safeguards: replace names with random study IDs; use roles (“the patient”) rather than names in narratives.

Any other unique identifying number, characteristic, or code

This is a catch‑all for identifiers not explicitly listed elsewhere. It covers unique codes or characteristics that could single out a person, including re-identification codes derived from PHI.

  • Examples: a code built from initials and birth date (“JD-0415”), a distinctive tattoo description tied to a patient record.
  • PHI safeguards: use a randomly generated key not derived from PHI and store the re-identification list separately under strict access controls.

Geographic Subdivisions and Date Elements

Geographic subdivisions smaller than a state

Location details below the state level are identifiers. This includes street address, city, county, precinct, and all geocodes such as census tract and ZIP code. For ZIP codes, only the initial three digits may be kept when the combined area has more than 20,000 people; otherwise, use “000.”

  • Examples: “123 Main St, Springfield,” “Precinct 4,” “ZIP 02138.”
  • PHI safeguards: use only the state or a broad region; convert precise addresses to generalized areas or distance bands.

All elements of dates (except year) and ages over 89

All date elements directly related to an individual are identifiers when you include month, day, or more granular values. This covers birth, admission, discharge, and death dates. Ages over 89, and all related date elements (including year) for such individuals, must be grouped into a single category of “age 90 or older.”

  • Examples: “DOB 04/15/1972,” “admitted 09/23/2025,” “died 03/01/2024,” “age 92.”
  • PHI safeguards: keep only the year (unless the person is 90+), or use age ranges (e.g., “40–44”).
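The ZIP, date and age rules above, together with the random study ID recommended under "Names" and "Any other unique identifying number, characteristic, or code", as an added Python example (not code from the original article). The field names, the key_map store and the population figures are constructed for illustration; a real pipeline would load current census counts per three-digit ZIP prefix.

```python
import secrets
from datetime import date

# Constructed sample populations per 3-digit ZIP prefix (not census figures).
ZIP3_POPULATION = {"021": 1_250_000, "036": 14_000}

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that prefix covers > 20,000 people."""
    prefix = zip_code.strip()[:3]
    if len(prefix) == 3 and prefix.isdigit() and populations.get(prefix, 0) > 20_000:
        return prefix
    return "000"  # small or unknown prefixes are suppressed

def age_on(birth, as_of):
    """Whole years of age on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def age_band(age):
    """Five-year range; every age over 89 collapses into one category."""
    if age >= 90:
        return "90 or older"
    low = age - age % 5
    return f"{low}-{low + 4}"

def deidentify(record, key_map, as_of):
    """Build the releasable view of one record; key_map is stored separately."""
    study_id = secrets.token_hex(8)  # random, not derived from any PHI field
    key_map[study_id] = record["mrn"]  # re-identification list (assumed layout)
    age = age_on(record["dob"], as_of)
    return {
        "study_id": study_id,
        "state": record["state"],
        "zip3": generalize_zip(record["zip"]),
        # Birth year is withheld at 90+ because it would reveal the age.
        "birth_year": None if age >= 90 else record["dob"].year,
        "age_band": age_band(age),
        "admit_year": record["admitted"].year,
        "diagnosis": record["diagnosis"],
    }

# Constructed sample records (field names are assumptions).
SAMPLE = [
    {"mrn": "001234567", "name": "Jane A. Doe", "dob": date(1972, 4, 15), "state": "MA",
     "zip": "02138", "admitted": date(2025, 9, 23), "diagnosis": "asthma"},
    {"mrn": "009876543", "name": "J. Doe", "dob": date(1933, 3, 1), "state": "NH",
     "zip": "03601", "admitted": date(2025, 9, 23), "diagnosis": "hip fracture"},
]
KEY_MAP = {}
RELEASED = [deidentify(r, KEY_MAP, as_of=date(2025, 10, 1)) for r in SAMPLE]
```

The output is built from an explicit list of allowed fields, so a column such as the name never reaches the released record even if the input schema grows.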

Contact Information

Telephone numbers

Phone numbers directly link to an individual or household and are PHI when associated with health data.

  • Examples: “(555) 123‑4567,” mobile numbers, direct extensions.
  • PHI safeguards: remove the number; if needed for operations, store separately from clinical content with access controls.

Fax numbers

Fax numbers function as direct contact points and therefore identify individuals or organizations connected to a patient.

  • Examples: “(555) 987‑6543.”
  • PHI safeguards: redact or replace with a departmental routing ID that does not identify a person.

Email addresses

Personal and work emails can uniquely identify a person. Even role-based emails may identify a small group tied to a specific patient context.

  • Examples: “jane.doe@example.com,” “jdoe@clinic.org.”
  • PHI safeguards: remove or substitute with a messaging token; avoid embedding emails in narrative notes.

Web URLs

Direct web addresses can encode a person’s name or record key, especially in patient portals or shared documents.

  • Examples: “examplehospital.org/patients/jdoe,” a publicly accessible link to an imaging file.
  • PHI safeguards: scrub URLs; use non-identifying short links for internal workflows only.

IP addresses

IP addresses can identify a device or household and, when paired with health data, constitute PHI.

  • Examples: “203.0.113.42,” IPv6 addresses.
  • PHI safeguards: store only hashed or truncated network data for security analytics; exclude IPs from shared datasets.
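An added example (not part of the original article) of the two options named above for internal security analytics. It assumes a /24 (IPv4) or /48 (IPv6) truncation width and a secret key held outside the dataset; the hash is keyed because an unkeyed hash of an IPv4 address can be reversed by enumerating all 2^32 addresses.

```python
import hashlib
import hmac
import ipaddress
import secrets

def truncate_ip(addr):
    """Zero the host bits: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def pseudonymize_ip(addr, key):
    """Keyed HMAC-SHA256 token: stable for one key, unlinkable across keys."""
    # Hash the packed bytes so different spellings of one address match.
    packed = ipaddress.ip_address(addr).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]

def scrub_log_row(row, key):
    """Replace the raw address in a log row with its truncated and keyed forms."""
    cleaned = {k: v for k, v in row.items() if k != "client_ip"}
    cleaned["client_net"] = truncate_ip(row["client_ip"])
    cleaned["client_token"] = pseudonymize_ip(row["client_ip"], key)
    return cleaned

# Constructed sample: the key would live in a secrets manager, not in code.
ANALYTICS_KEY = secrets.token_bytes(32)
SAMPLE_ROW = {"client_ip": "203.0.113.42", "path": "/portal/login", "status": 200}
SCRUBBED = scrub_log_row(SAMPLE_ROW, ANALYTICS_KEY)
```

Rotating the key breaks linkage between reporting periods, which limits how long any one token can be used to track a device.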

Government Issued Identifiers

Social Security numbers

SSNs are among the most sensitive unique identifiers and can readily link health data to a person.

  • Examples: “123‑45‑6789.”
  • PHI safeguards: never store SSNs when a separate patient ID suffices; if retention is unavoidable, encrypt at rest and in transit.

Certificate/license numbers

Numbers on government-issued documents identify individuals even outside healthcare contexts.

  • Examples: driver’s license, state ID, passport, professional license numbers.
  • PHI safeguards: remove or mask; if verification is required, retain only a pass/fail flag rather than the number itself.

Medical Identifiers

Medical record numbers

MRNs directly tie clinical information to a single individual within a provider’s system.

  • Examples: “MRN 001234567.”
  • PHI safeguards: substitute with a random research ID; keep the MRN-to-research key in a separate secure enclave.

Health plan beneficiary numbers

Member IDs identify individuals within a health plan (commercial or public) and allow linkage across claims and encounters.

  • Examples: Medicare/Medicaid IDs, private insurer member IDs.
  • PHI safeguards: remove the number and retain only plan type or coverage status where needed for analysis.

Account numbers

Any financial or patient account number can single out an individual when paired with health information.

  • Examples: patient billing account numbers, laboratory client account IDs.
  • PHI safeguards: replace with non-identifying transaction tokens; store financial details in a separate, access-controlled system.

Device and Vehicle Identifiers

Vehicle identifiers and serial numbers, including license plates

Vehicle data can identify a patient or family, especially in incident reports and home care notes.

  • Examples: VINs, license plates, vehicle serial numbers.
  • PHI safeguards: remove or generalize (e.g., “sedan”); avoid photos containing plates.

Device identifiers and serial numbers

Device IDs can point to a specific person when devices are assigned or wearable/implantable.

  • Examples: pacemaker serial numbers, insulin pump IDs, durable medical equipment tags.
  • PHI safeguards: retain only device type and model where necessary; strip serials and any unique tokens.

Biometric and Visual Data

Biometric identifiers

Biometric data uniquely identifies individuals by physiological or behavioral traits and is explicitly listed as an identifier.

  • Examples: fingerprints, voiceprints, retina/iris scans, palm or face geometry templates.
  • PHI safeguards: avoid storing raw biometric samples; if required, keep encrypted templates with strict role-based access.

Full-face photographs and comparable images

Full-face photos and images with similar identifying detail make health information immediately linkable to a person.

  • Examples: clinic headshots, bedside photos, driver’s license-style images; video frames showing a full face.
  • PHI safeguards: crop or blur identifying regions; use illustrative diagrams rather than photos when possible.

In practice, de-identification means systematically removing these unique identifiers while preserving analytical value. Combine generalization (e.g., state instead of city), suppression (omit rare values), and controlled re-identification keys stored separately. Applied consistently, these PHI safeguards support patient privacy and strong health information security without undermining data utility.

FAQs

What qualifies as a HIPAA identifier?

A HIPAA identifier is any of the 18 unique identifiers that can directly or indirectly point to a person—such as names, detailed geography, dates beyond the year, contact details, government and medical numbers, device and vehicle IDs, biometric data, full-face images, and any other unique code or characteristic. When any of these appear with health information, the data is PHI.

How does HIPAA protect identifiable health information?

The HIPAA Privacy Rule restricts how covered entities and business associates use and disclose PHI, requires minimum necessary access, and mandates administrative, physical, and technical PHI safeguards. To share data broadly, you must either obtain authorization or perform data de-identification (e.g., Safe Harbor removal of all 18 identifiers or expert determination) so the information no longer identifies an individual.

Are ages over 89 treated differently in HIPAA?

Yes. For individuals aged 90 or older, HIPAA treats exact age and related date elements as identifiers. You must aggregate to a single category such as “age 90 or older,” and you cannot include specific birth year or other granular dates tied to those individuals under Safe Harbor.

How are biometric identifiers protected under HIPAA?

Biometric identifiers (e.g., fingerprints, voiceprints, retina/iris scans) are explicitly listed among the 18 identifiers. If you must collect them, apply strict access controls, encryption, and retention limits, and avoid storing raw samples. For data sharing, remove biometric fields entirely or transform them into non-identifying signals that cannot be reversed to the original biometric.
