What are the 18 PHI identifiers?

The 18 PHI identifiers under HIPAA are: names, geographic data smaller than a state, dates (except year), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any unique identifying codes. PHI refers to any information in a medical context that can identify an individual and is protected under HIPAA. HIPAA defines 18 specific identifiers as part of its standards for de-identification of health information. These identifiers must be removed or altered to render data de-identified and therefore exempt from HIPAA regulations. However, these 18 identifiers are not an exhaustive list; many other types of information can also be considered PHI depending on the context.

The 18 PHI Identifiers

  1. Names: Any part of a person’s name, including first, middle, and last names, initials, or nicknames.
  2. Geographic Subdivisions: Any geographic data smaller than a state, such as a city, county, street address, or ZIP code (with some exceptions for ZIP codes covering large populations).
  3. Dates: All elements of dates related to an individual, including birthdate, admission date, discharge date, and death date, except the year. For individuals over 89 years old, their age is also considered identifiable unless aggregated.
  4. Phone Numbers: Any phone number, including home, mobile, or work numbers.
  5. Fax Numbers: Numbers associated with facsimile transmissions.
  6. Email Addresses: Any email addresses that identify an individual.
  7. Social Security Numbers (SSNs): Complete or partial Social Security numbers.
  8. Medical Record Numbers: Numbers assigned to a patient’s medical records by a healthcare provider or institution.
  9. Health Plan Beneficiary Numbers: Identifiers assigned by health insurance plans to their members.
  10. Account Numbers: Bank account numbers or any financial account tied to an individual.
  11. Certificate or License Numbers: Professional license numbers or other certification numbers.
  12. Vehicle Identifiers: Any identifiers related to vehicles, such as license plate numbers, VINs, or registration details.
  13. Device Identifiers: Serial numbers or other unique identifiers for medical devices associated with a patient.
  14. Web URLs: Website addresses that could identify a person or their medical information.
  15. IP Addresses: Internet Protocol addresses used by a person’s device.
  16. Biometric Identifiers: Data such as fingerprints, voiceprints, retinal scans, or facial geometry.
  17. Full-Face Photographic Images: Full-face photos or comparable images that reveal identity.
  18. Unique Identifying Codes: Any unique code or characteristic assigned to an individual.

While the above are the explicitly named identifiers under HIPAA, it is critical to understand that PHI encompasses any data that could reasonably identify an individual in a healthcare context. For example, health-related data combined with gender, occupation, or even a rare diagnosis might qualify as PHI, even if it doesn’t fall into the 18 standard categories.

 

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA