What Are the 18 HIPAA Identifiers? Complete PHI List Explained
The HIPAA Privacy Rule defines 18 specific identifiers that make health data “individually identifiable.” When any of these appear with clinical details, the result is Protected Health Information (PHI). Understanding the list is central to PHI Compliance Requirements and Health Information Confidentiality.
HIPAA’s Data De-identification Standards allow you to remove these identifiers (Safe Harbor) so the remaining data is no longer Identifiable Health Information. Below, each identifier is grouped for clarity, with concise guidance on how it affects handling and disclosure.
Names and Geographic Subdivisions
Names are the most direct link to identity and must be removed in de-identified datasets. Geographic details smaller than a state can also pinpoint a person, especially when combined with health events or rare conditions.
- 1. Names: Includes full or partial names of the individual, relatives, employers, and household members in any format.
- 2. Geographic subdivisions smaller than a state: Street address, city, county, precinct, ZIP code, and equivalent geocodes. Only the initial three digits of a ZIP code may be retained, and only when the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise, replace them with 000.
Date Elements and Age Restrictions
Dates often reveal identity when matched to public records. HIPAA therefore requires coarse timing for de-identified data and special handling for the oldest age group to reduce singling out.
- 3. All elements of dates (except year) related to an individual, and ages over 89: Remove day and month for dates like birth, admission, discharge, and death. For individuals aged 90 and older, aggregate into a single category of “age 90 or older,” including all associated date elements.
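The geographic and date rules above are the two Safe Harbor identifiers that are generalized rather than simply deleted, so they are the ones that most often go wrong in practice. The following is an added example, not code from the original article: a small Python routine that truncates ZIP codes against a population table, reduces dates to the year, and collapses ages over 89 into the "90 or older" category (suppressing the birth year for those patients, since it would reveal the age). The `ZIP3_POPULATION` table, the field names and the sample records are all constructed for illustration; a real deployment would load current Census population counts for every three-digit prefix.

```python
"""Safe Harbor generalization of the geographic and date identifiers.

Added example (not code from the original article). ZIP3_POPULATION is a
CONSTRUCTED sample table; a real implementation must load the current
Census Bureau population counts for every three-digit ZIP prefix.
"""
from datetime import date

# Constructed sample populations for two three-digit ZIP prefixes.
ZIP3_POPULATION = {
    "021": 700_000,  # densely populated prefix (sample value)
    "036": 15_000,   # sparsely populated prefix (sample value)
}
POPULATION_THRESHOLD = 20_000  # prefix kept only when the area exceeds this
AGE_CAP = 89                   # ages over 89 collapse into one category

# Assumed field names that carry direct identifiers; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "street", "city", "email", "phone", "mrn"}


def generalize_zip(zip_code: str, populations=ZIP3_POPULATION) -> str:
    """Return the first three ZIP digits when that prefix area has more than
    20,000 people, otherwise '000'. Unknown prefixes are treated as '000',
    which is the conservative choice."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    prefix = digits[:3]
    if len(prefix) == 3 and populations.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def compute_age(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Report exact age up to 89; everything above is '90 or older'."""
    return "90 or older" if age > AGE_CAP else str(age)


def deidentify_record(record: dict, as_of: date) -> dict:
    """Apply Safe Harbor to one structured record (ISO-8601 date strings).

    Direct identifiers are removed, dates are reduced to the year, the ZIP
    code is generalized, and for patients over 89 the birth year is also
    suppressed because it would reveal the age."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    birth = date.fromisoformat(out.pop("dob"))
    age = compute_age(birth, as_of)
    out["age"] = generalize_age(age)
    out["birth_year"] = None if age > AGE_CAP else str(birth.year)
    out["zip3"] = generalize_zip(out.pop("zip"))
    for field in ("admit_date", "discharge_date"):
        if field in out:
            year = date.fromisoformat(out.pop(field)).year
            out[field.replace("_date", "_year")] = str(year)
    return out


AS_OF = date(2024, 6, 1)  # constructed reference date for age computation

# Constructed sample records; the people and values are fictitious.
SAMPLE_RECORDS = [
    {"name": "Jane Sample", "street": "1 Main St", "city": "Boston", "zip": "02134",
     "dob": "1950-06-15", "admit_date": "2023-03-10", "mrn": "MRN-0001",
     "email": "jane@example.org", "diagnosis": "E11.9"},
    {"name": "John Sample", "street": "2 Hill Rd", "city": "Lowville", "zip": "03601-1234",
     "dob": "1930-01-01", "admit_date": "2024-02-20", "discharge_date": "2024-02-25",
     "mrn": "MRN-0002", "phone": "555-0100", "diagnosis": "I10"},
]


def run_example():
    """De-identify the constructed sample records."""
    return [deidentify_record(r, AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Two design points are worth noting. Unknown ZIP prefixes fall back to `000` rather than being passed through, so a missing population entry can never leak a rare prefix. And the age check is applied before the birth year is emitted, because for a patient over 89 the year of birth alone would reconstruct the age the rule is meant to hide.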
Contact Information Identifiers
Direct contact channels uniquely trace back to a person and link communications to medical records. Exclude them from any shared or published dataset intended to be de-identified.
- 4. Telephone numbers
- 5. Fax numbers
- 6. Email addresses
Government and Account Numbers
Government-issued identifiers and financial or institutional account numbers are high-risk and strictly controlled. Retaining any of these immediately renders a dataset identifiable under the HIPAA Privacy Rule.
- 7. Social Security numbers
- 8. Medical record numbers
- 9. Health plan beneficiary numbers
- 10. Account numbers: For example, bank or billing accounts tied to services.
- 11. Certificate or license numbers: Driver’s licenses, professional licenses, and other official certifications.
Device and Vehicle Identifiers
Serials for vehicles and medical or consumer devices can be traced to owners or patients. Remove them from case reports, images, and logs to uphold Health Information Confidentiality.
- 12. Vehicle identifiers and serial numbers, including license plate numbers
- 13. Device identifiers and serial numbers
Biometric and Photographic Identifiers
Biometric Data Protection is critical because these identifiers are inherently unique and hard to change. Full-face images and comparable visuals also directly reveal identity.
- 16. Biometric identifiers: Includes fingerprints and voiceprints; may also encompass other measurable biological patterns used for recognition.
- 17. Full-face photographic images and any comparable images
Unique Identifying Numbers and Codes
Digital traces and catch-all unique codes can re-link records to specific people. Excluding these is essential to meet de-identification goals and sustain PHI Compliance Requirements.
- 14. Web Universal Resource Locators (URLs)
- 15. Internet Protocol (IP) address numbers
- 18. Any other unique identifying number, characteristic, or code: Except a code maintained internally by the covered entity solely for re-identification, and not derived from personal characteristics.
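Several of the identifiers in this group (and the contact identifiers earlier) have a fixed machine-readable shape, which means a release pipeline can at least check free-text fields for them before data leaves the organization. The following is an added example, not code from the original article: a Python scanner that flags email addresses, telephone numbers, SSN-format numbers, IPv4 addresses and URLs in clinical notes, validating IP candidates with the standard `ipaddress` module so that strings like `10.0.0.300` are not counted. The sample note is constructed. The scanner is a supporting control only; names, biometrics and photographs have no reliable regular expression and need other handling.

```python
"""Scan free text for residual machine-detectable identifiers before release.

Added example, not part of the original article. Covers the identifiers
with a fixed shape (email, phone, SSN format, IPv4, URL); it cannot find
names, biometrics or images and is not a substitute for full review.
"""
import ipaddress
import re

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US-style numbers: "(617) 555-0100" or "617-555-0100" / "617.555.0100"
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
}


def find_identifiers(text: str) -> list:
    """Return (kind, value) pairs for every identifier-shaped token found.

    IPv4 candidates are validated with ipaddress so that dotted strings
    with an out-of-range octet are ignored; URLs have trailing punctuation
    stripped so a sentence-ending comma is not included in the match."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "ipv4":
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    continue  # e.g. 10.0.0.300 is not an address
            elif kind == "url":
                value = value.rstrip(".,;)")
            hits.append((kind, value))
    return hits


def is_release_safe(text: str) -> bool:
    """True when no identifier-shaped token is present."""
    return not find_identifiers(text)


# Constructed sample note; every value is fictitious or reserved for docs.
SAMPLE_NOTE = (
    "Contact at j.doe@example.org, call (617) 555-0100. Viewed from "
    "192.0.2.10 via https://portal.example.org/visit/42, SSN 123-45-6789. "
    "Bad address 10.0.0.300 should not count."
)

if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:6} {value}")
    print("release safe:", is_release_safe(SAMPLE_NOTE))
```

Treat a hit as a reason to block the export and route the record to review, not as a reason to auto-redact: a phone-shaped number in a note may be a dosage or a device serial, and silent deletion hides the fact that the upstream de-identification step failed.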
Conclusion
To de-identify data under HIPAA’s Safe Harbor, remove all 18 identifiers or apply an expert determination method. Using this complete list as a checklist helps you minimize re-identification risk while preserving analytic value, aligning daily practices with the HIPAA Privacy Rule and protecting patients’ trust.
FAQs
What qualifies as a HIPAA identifier?
Any of the 18 categories that can directly or indirectly identify a person—such as names, specific addresses, full dates (except year), contact details, government and account numbers, device/vehicle serials, biometrics, photos, URLs, IPs, and other unique codes—qualifies as a HIPAA identifier when linked to health information.
How do the 18 identifiers protect patient privacy?
By requiring removal or strict control of these elements, HIPAA reduces the chance that an individual can be singled out in a dataset. This framework operationalizes Data De-identification Standards so organizations can use data while preserving Health Information Confidentiality.
Can geographic info be included in PHI?
Yes. All geographic subdivisions smaller than a state—street address, city, county, precinct, ZIP code, and geocodes—are identifiers. In de-identified data, you may keep only the first three ZIP digits when the combined population exceeds 20,000; otherwise, substitute 000.
Are biometric identifiers always considered PHI?
Biometrics are one of the 18 identifiers. When biometric data is created or held by a covered entity or business associate and relates to health services or billing, it makes the data PHI. Outside a health context, biometrics may be identifying but not PHI; within HIPAA-regulated settings, they require strong protection.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.