
What are the 18 PHI identifiers?

HIPAA's Privacy Rule defines protected health information as any individually identifiable health information, including demographic data, that relates to an individual's past, present, or future physical or mental health condition, provision of healthcare, or payment for healthcare.

The 18 PHI identifiers are the personally identifiable details relating to a patient set out by HIPAA's Privacy Rule. When used along with information such as the details of the patient's mental and physical health, any identifier could be considered protected health information (PHI).


 

The 18 PHI identifiers

  1. Patient names 
  2. Geographical elements
  3. Dates related to the health or identity of individuals 
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs 
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Photographs of a patient's face
  18. Other identifying numbers or codes 

1. Patient names 

When used alongside information such as the patient's mental or physical health treatment or diagnosis, patient names must be secured during transmission and storage. 

 

2. Geographical elements

Geographical elements include street addresses, cities, counties, and zip codes. This data relates to the ability to contact as well as identify the patient and must be adequately secured. 

 

3. Dates related to the health or identity of individuals 

This information includes admission or discharge date, birthdate, death date, and age-indicative dates. 

 

4. Telephone numbers

Telephone numbers are considered PHI and require protective measures to prevent unauthorized access or interception. 

 

5. Fax numbers

Similar to a telephone number, fax numbers are considered PHI. 

 

6. Email addresses

Email addresses can be linked to individuals and associated with a patient's health information. Beyond ensuring HIPAA compliant email, protecting email addresses helps ensure that patient communications remain secure and confidential, reducing the risk of interception or unauthorized access to sensitive information.

 

7. Social Security numbers

A Social Security number is a numerical identifier assigned to U.S. citizens and other residents to track income and determine benefits.

 

8. Medical record numbers

Medical record numbers are unique identifiers assigned to individuals' health records. Unauthorized access or disclosure of medical record notes can expose sensitive health details, compromising patient confidentiality.

 

9. Health insurance beneficiary numbers

Health insurance beneficiary numbers, similar to medical record numbers, identify health insurance holders. Their exposure risks compromising patient privacy and could lead to identity theft or fraud. Furthermore, these numbers could be used to steal healthcare benefits.

 

10. Account numbers

An account number, a unique set of digits identifying a bank account, must be securely maintained to safeguard the financial information patients use for medical payments. This security is crucial to prevent potential financial fraud.

 

11. Certificate/license numbers

Certificate or license numbers serve as a form of authentication and verification in various contexts. They can be used to confirm an individual's professional qualifications, credentials, or legal permissions. When combined with other personal information, they can potentially be exploited by identity thieves, similar to Social Security or medical record numbers. Unauthorized access to these numbers could lead to identity theft.

 

12. Vehicle identifiers

When combined with other personal information, identity thieves can exploit vehicle identifiers.

 

13. Device attributes or serial numbers

Device attributes or serial numbers are identifiers tied to electronic devices like smartphones, tablets, or medical devices. Healthcare providers often interact with these devices during the delivery of healthcare services.

 

14. Digital identifiers, including some URLs

Healthcare providers often use certain URLs to web pages or online resources for purposes such as patient education or appointment scheduling. Securing these URLs and other digital identifiers bolsters the security of online platforms, prevents unauthorized access, and upholds the confidentiality of patient data.

 

15. IP addresses

An IP address is a numerical label assigned to each device connected to a computer network. It serves as a unique identifier for routing data packets across the internet. IP addresses can provide information about the general location or network from which a device is accessing a website or online service.

 

16. Biometric elements, including finger, retinal, and voiceprints

Biometric information is unique to an individual and can be used to identify or authenticate their identity. As such, it falls within the scope of PHI and is subject to HIPAA's privacy and security requirements.


 

17. Photographs of a patient's face

These images capture an individual's facial features and fall within the scope of PHI because they can uniquely identify a patient. Full-face photographic images provide precise, identifiable information about an individual's appearance.

 

18. Other identifying numbers or codes 

Under HIPAA, other identifying numbers or codes refer to any unique identifiers or codes that can be used to identify an individual. These identifiers may not fall into the specific categories mentioned earlier, but they are still considered PHI if they can be used to identify an individual.

 

The use of the 18 identifiers 

When sharing data in a manner that doesn't align with the Privacy Rule, it's essential to deidentify all of the identifiers mentioned earlier before disclosure. This additional step ensures an added layer of protection for patient information.

In addition to the safeguards and privacy requirements outlined in the Security and Privacy Rules, healthcare professionals are bound by the Minimum Necessary Rule. This rule ensures that only the minimum amount of information necessary is used, shared, and disclosed, protecting patient privacy and reducing the risk of unauthorized access.

By adhering to the Minimum Necessary Rule and deidentifying data as required, healthcare professionals can maintain a high level of confidentiality while fulfilling their duty to provide effective and efficient healthcare services.

 
