The 18 PHI (Protected Health Information) Identifiers

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

18 HIPAA PHI Identifiers

HIPAA regulations are in place to ensure that, as a healthcare business, you protect and secure the patient data you collect and have access to. In its guidance on satisfying the safe harbor method for de-identification under §164.514(b), the Department of Health and Human Services (HHS) identifies 18 categories of patient identifiers:

  1. Name of the patient or individual
  2. Address – this includes any geographical subdivisions smaller than the state of residence, including street address, city, county, zip code, precinct, and equivalent geocodes. There are additional criteria for identifying zip codes which can be found here
  3. Any Date – any date that is directly related to an individual. This includes admission and discharge dates, birthdate, death date, and age-indicative dates (for ages over 89, unless aggregated into a single subset of age 90 and over)
  4. Telephone Number – this would include home and mobile numbers
  5. Fax Number – while not as common today, it is still included in the list of identifiers
  6. Email Address
  7. Social Security Number
  8. Medical Record Number – these are associated with your charts and medical data
  9. Health Plan Beneficiary Number – the number assigned to you within the health insurance system
  10. Account Number – can apply to multiple records
  11. Certificate or License Number – such as your driver’s license, CPR certification number, passport, etc.
  12. Vehicle Identifier – any VIN or serial number, as well as license plate numbers
  13. Device Identifier or Serial Number – medical devices used in your treatments or during procedures
  14. Web Universal Resource Locators (URLs) – websites used or accessed can provide an online history
  15. Internet Protocol (IP) Address – this can be used to track your location
  16. Biometric Identifiers – facial recognition, fingerprint scans, etc.
  17. Full Face Photo – combined with other PHI, this can allow for a fraudulent identity to be created
  18. Any other unique identifying numbers, characteristics, or codes

Why It Matters

Knowing what is considered a PHI identifier will help you ensure you’re protecting the appropriate data. This is critical both for HIPAA compliance and because this information is valuable to the cyber-criminal community. An individual piece of data may not seem like it could cause an issue if stolen, but combined with other records about an individual found online and on the dark web, it can wreak havoc in that individual’s life. Protecting your business and protecting your patients’ information are not always the same thing, and strong cybersecurity practices put in place alongside your HIPAA compliance posture will increase your defense against cybercrime.

This article was originally published on HIPAA Secure Now! and is republished here with permission.