What Identifying Information Is Protected by HIPAA? The 18 PHI Identifiers Explained
Overview of HIPAA and PHI
The HIPAA Privacy Rule protects Protected Health Information (PHI), which is individually identifiable health information created or received by a covered entity or business associate. PHI links details about a person’s health status, care, or payment for care to identifiers that could reveal who the person is.
Not all health-related data is PHI. Consumer app data held outside HIPAA’s scope or datasets stripped of identifiers can fall outside the rule. PHI de-identification can be achieved via the “Safe Harbor” method (removing the 18 identifiers described below) or the “Expert Determination” method. Both approaches support Health Data Security while enabling responsible data use.
Organizations subject to HIPAA Compliance Requirements—health plans, most providers, clearinghouses, and their business associates—must limit uses and disclosures to the minimum necessary and implement administrative, physical, and technical safeguards to protect Individually Identifiable Health Information.
The 18 HIPAA Identifiers
- Names: Full or partial names, including maiden and alias names.
- Geographic subdivisions smaller than a state: Street address, city, county, precinct, ZIP code, and geocodes.
- All elements of dates (except year) directly related to an individual: Birth, admission, discharge, death, and exact ages over 89; times and date ranges are included.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers: Including license plates and VINs.
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers: Including finger and voice prints (and similar biometric markers used to identify a person).
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code: Except permitted re-identification codes kept separately.
Geographic and Date Information
Geographic details smaller than a state—such as street address, city, and full ZIP—are identifiers because they can quickly narrow who an individual is. Under Safe Harbor, only the initial three digits of a ZIP code may be retained when the aggregated area formed by those three digits contains more than 20,000 people; otherwise, replace the three digits with 000. Latitude/longitude, census tracts, and other granular geocodes are also identifying.
Dates tied to a person are identifying when they include day and month. The Privacy Rule allows retention of the year only. Times of day (for example, “3:42 p.m.”), exact durations, and small date windows can re-identify, especially for rare events. Ages 90 and older, and dates indicating such ages, are considered identifying; you must bucket them into a single “age 90 or older” category.
Practical tip for PHI de-identification: generalize location (for example, state instead of city) and convert dates to year or broader periods (for example, “Q2 2025”) when appropriate, validating that the transformation still prevents identity disclosure.
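The geographic and date rules above, as an added Python example (not code from the original article or from Accountable). The set of small-population ZIP prefixes is a constructed placeholder; the authoritative list must come from HHS Safe Harbor guidance and Census data. The sample records and the reference date are constructed.

```python
from datetime import date

# Constructed sample of 3-digit ZIP prefixes assumed to cover 20,000 people
# or fewer. The real list comes from HHS/Census guidance; this is illustration.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}
AS_OF = date(2025, 6, 15)  # constructed reference date for age calculation


def safe_harbor_zip(zip_code, low_pop=LOW_POPULATION_ZIP3):
    """Keep the first three ZIP digits, or 000 when that area is too small."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        return None  # malformed input: drop it rather than guess
    prefix = digits[:3]
    return "000" if prefix in low_pop else prefix


def safe_harbor_age(birth, as_of):
    """Age in whole years, collapsed to the single '90+' bucket when over 89."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    """Apply the Safe Harbor geographic and date rules to one record."""
    birth = record.get("dob")
    age = safe_harbor_age(birth, as_of) if birth else None
    out = {"age": age}
    # Year alone is normally allowed, but a birth year that implies age 90+
    # must also go, because a date revealing such an age is an identifier.
    out["birth_year"] = None if age == "90+" else (birth.year if birth else None)
    out["zip3"] = safe_harbor_zip(record["zip"]) if record.get("zip") else None
    for key in ("admission", "discharge"):
        out[key + "_year"] = record[key].year if record.get(key) else None
    return out


SAMPLE_ELDERLY = {  # constructed record, not real data
    "dob": date(1931, 3, 2),
    "zip": "03601-4417",
    "admission": date(2025, 4, 9),
    "discharge": date(2025, 4, 12),
}
SAMPLE_YOUNG = {  # constructed: birthday one day after AS_OF
    "dob": date(1990, 6, 16),
    "zip": "90210",
    "admission": date(2024, 12, 30),
}
```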
Contact and Account Identifiers
Direct contact details—telephone, fax, and email—are PHI identifiers whenever they can be associated with health information. Digital contact traces such as Web URLs and IP addresses can also reveal identity by linking to specific user sessions or profiles.
Administrative and financial numbers are high-risk: Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and certificate or license numbers can enable immediate identity matching. Treat variations and fragments (for example, last four digits) cautiously; context can make them identifying.
Good practice: tokenize or hash account numbers for internal workflows, store the mapping table separately with strict access controls, and never share the mapping externally. Apply the minimum necessary standard to any workforce communications that reference these identifiers.
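The tokenization practice just described, as an added Python example (not code from the original article or from Accountable). It uses a keyed hash (HMAC) rather than a plain hash so that tokens stay stable for joins but cannot be reproduced without the key, and keeps the token-to-value mapping in a separate vault object standing in for a separately secured store. The key, field names, and sample record are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed key; in practice it lives in a KMS/HSM, never beside the data.
TOKEN_KEY = secrets.token_bytes(32)


class TokenVault:
    """Holds the token -> original mapping, apart from the working dataset."""

    def __init__(self, key):
        self._key = key
        self._reverse = {}  # token -> original value; the sensitive part

    def tokenize(self, kind, value):
        # Keyed hash: the same account number always yields the same token,
        # so internal joins still work, but without the key nobody can
        # enumerate candidate numbers and match them against tokens.
        mac = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256)
        token = f"{kind}_{mac.hexdigest()[:20]}"
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        """Only callers with access to the vault can reverse a token."""
        return self._reverse[token]


def tokenize_record(record, vault, fields=("mrn", "account_number", "ssn")):
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in fields:
        if record.get(field):
            out[field] = vault.tokenize(field, record[field])
    return out


SAMPLE = {  # constructed, not real data
    "mrn": "MRN-0048213",
    "account_number": "4417-2290-01",
    "diagnosis_code": "E11.9",
}
```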
Biometric and Image Identifiers
Biometric identifiers are features measured to uniquely recognize an individual. HIPAA explicitly cites finger and voice prints and, by extension, similar metrics such as iris/retina scans, facial geometry, and hand geometry when used for identification. Because these traits are inherently unique, they cannot be disclosed in de-identified data unless transformed so they no longer enable recognition.
Images that reveal identity—full-face photographs and comparable images—are identifiers. “Comparable” includes images that would reasonably allow recognition, such as distinctive profile shots or videos. Even images of non-facial body parts can identify a person if tattoos, scars, or background context make them unique. Strip photo metadata (for example, geotags) and evaluate frames for indirect identifiers before disclosure.
Compliance and Safeguarding PHI
Build safeguards around people, process, and technology. Train your workforce on the HIPAA Privacy Rule and minimum necessary use. Enforce role-based access, multi-factor authentication, and tight authorization for systems holding PHI. Establish audit logging, anomaly detection, and periodic access reviews.
Encrypt PHI in transit and at rest, segment networks, and apply data loss prevention to block exfiltration of identifiers. Use vetted de-identification workflows—Safe Harbor or Expert Determination—for data sharing and research. When full de-identification is not feasible, consider a Limited Data Set with a Data Use Agreement and strong controls.
Operationalize HIPAA Compliance Requirements with documented policies, vendor due diligence and Business Associate Agreements, regular risk analyses, secure disposal, and tested incident response. Maintain a data inventory that maps where Identifiable Health Information lives, who can access it, and how it is protected.
Exceptions and Permitted Disclosures
HIPAA permits use and disclosure of PHI without individual authorization for treatment, payment, and health care operations. Additional allowances include disclosures required by law; public health activities; reporting abuse, neglect, or domestic violence; health oversight; judicial and administrative proceedings; limited law enforcement purposes; organ and tissue donation; research with an authorization, waiver, or Limited Data Set and DUA; to avert a serious and imminent threat; specialized government functions; and workers’ compensation, all subject to detailed conditions.
Incidental disclosures are tolerated when reasonable safeguards and the minimum necessary standard are in place. Always confirm the legal basis, document the rationale, and disclose only what is necessary for the stated purpose.
Conclusion
Under the HIPAA Privacy Rule, PHI becomes protected when health information is linked to one or more of the 18 identifiers. By understanding those identifiers, applying PHI de-identification methods, and implementing strong Health Data Security controls, you can enable data use while preserving privacy and compliance.
FAQs
What types of information are classified as PHI under HIPAA?
PHI is Individually Identifiable Health Information held by a covered entity or business associate that relates to a person’s health, care, or payment for care and includes at least one of the 18 identifiers (for example, names, full ZIP codes, dates beyond the year, contact numbers, account numbers, images, or biometrics). De-identified data, employment records, and certain consumer data outside HIPAA’s scope are not PHI.
How does HIPAA define biometric identifiers?
HIPAA identifies biometric identifiers as measurements used to uniquely recognize a person, explicitly including finger and voice prints and, by extension, similar modalities such as iris/retina scans, facial geometry, and hand geometry when they serve to identify an individual.
Are geographic subdivisions always considered PHI?
Yes, geographic subdivisions smaller than a state (street address, city, county, precinct, full ZIP, and granular geocodes) are identifiers. The limited exception allows keeping only the first three ZIP digits when the aggregated area formed by those digits has more than 20,000 residents; otherwise, the three digits must be replaced with 000.
What are the exceptions to HIPAA's PHI protections?
Without individual authorization, PHI may be used or disclosed for treatment, payment, and health care operations; to comply with specific legal requirements; for public health and health oversight; for certain judicial, law enforcement, and specialized government purposes; for research under strict criteria; to avert serious threats; and for workers’ compensation, with all disclosures limited to the minimum necessary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.