
HHS guidance on what has to be de-identified draws the line this way: “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI… If such information were listed with health condition, health care provision, or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”
HIPAA provides two ways of determining if information is individually identifiable health information. The first is the Expert Determination method, where an expert with knowledge of statistical and scientific principles evaluates the information to determine that the risk of identification is very low, documenting the analysis and outcomes to justify this determination.
The second is the Safe Harbor method, which relies on the list of 18 PHI identifiers. These identifiers include data points such as names and email addresses. By systematically removing or adequately protecting these identifiers, healthcare providers, insurers, and other covered entities ensure that health information used for research, operations, or other secondary purposes is no longer individually identifiable.
The 18 PHI identifiers
The identifiers listed in 45 CFR §164.514(b)(2):
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
  - the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  - the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code
- Certificate/license numbers
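The Safe Harbor rules above are mechanical enough to encode, and a small implementation makes the edge cases visible: direct identifiers are dropped rather than transformed, ZIP codes keep only three digits (or become 000 for sparsely populated prefixes), dates collapse to the year, and an age of 90 or over removes even the birth year. The code below is an added example written for this article, not code from the original page or from Paubox. The field names, the sample record and the restricted ZIP prefix set are constructed assumptions; the real restricted set must be derived from current Census data as the rule requires.

```python
"""Safe Harbor de-identification of a single patient record (added example).

Drops direct identifiers, keeps only the first three ZIP digits (or "000"
for sparsely populated prefixes), reduces dates to the year, and collapses
ages of 90 and over into a single "90+" bucket, removing the birth year
that would reveal such an age. It also scans what remains for identifiers
left behind in free-text fields.
"""
import re
from datetime import date

# Fields removed outright: direct identifiers from the 18-item list.
# Field names are assumptions for this example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Constructed placeholder: three-digit ZIP prefixes whose combined
# population is 20,000 or fewer must become "000". Derive the real set
# from current Bureau of the Census data before using this in practice.
RESTRICTED_ZIP3 = {"036", "059"}

# Patterns used to flag identifiers that survive in free text.
_RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "03601",
    "state": "NH",
    "birth_date": "1932-03-15",
    "admission_date": "2024-01-10",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient prefers calls to 555-123-4567.",
}


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits unless the prefix is restricted."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) < 3 or not prefix.isdigit():
        return None
    return "000" if prefix in restricted else prefix


def generalize_age(age):
    """Ages of 90 and over collapse into one bucket."""
    return "90+" if age >= 90 else age


def year_only(iso_date):
    """Reduce a YYYY-MM-DD date to its year."""
    return date.fromisoformat(iso_date).year


def generalize_birth_date(birth_date, as_of):
    """Return (birth_year, age); the year is dropped when it implies age 90+."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        return None, "90+"
    return born.year, age


def residual_identifiers(record):
    """Pattern names found in any remaining string value (e.g. free-text notes)."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for name, pattern in _RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    found.add(name)
    return found


def safe_harbor_deidentify(record, as_of, restricted=RESTRICTED_ZIP3):
    """Apply the Safe Harbor rules to a flat dict record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are removed, not transformed
        if key == "zip":
            out["zip3"] = generalize_zip(value, restricted)
        elif key == "birth_date":
            out["birth_year"], out["age"] = generalize_birth_date(value, as_of)
        elif key in ("admission_date", "discharge_date", "death_date"):
            out[key.replace("_date", "_year")] = year_only(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value  # health data and state-level geography stay
    return out


def deidentify_sample(as_of_iso="2024-06-01"):
    """Run the constructed sample through the rules as of the given date."""
    return safe_harbor_deidentify(SAMPLE_RECORD, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    result = deidentify_sample()
    print(result)
    print("identifiers left in free text:", residual_identifiers(result))
```

The residual scan is the part most worth keeping: field-level removal handles structured columns, but a phone number typed into a notes field survives it, and the method only counts as Safe Harbor compliant once that free text is cleaned as well.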
What is the difference between PHI and ePHI?
An excerpt from Capturing Social and Behavioral Domains and Measures in Electronic Health Records: Phase 2, a book that addresses privacy concerns around social and behavioral determinants of health, notes: “The Privacy Rule establishes the rules governing the use and disclosure of identifiable health information in either paper or electronic format (otherwise known as protected health information or PHI) by covered entities; the Security Rule establishes the security safeguards to be adopted to protect electronic identifiable health information (otherwise known as ePHI).”
PHI refers broadly to any individually identifiable health information that relates to an individual's physical or mental health condition, provision of healthcare, or payment for healthcare services. The information can be in any form (oral, paper, or electronic) and includes identifiers such as names, addresses, social security numbers, and biometric data.
Electronic PHI (ePHI), on the other hand, is a subset of PHI that specifically exists in electronic form. The HIPAA Security Rule governs ePHI, setting standards for safeguarding electronic health information through administrative, physical, and technical safeguards.
While PHI includes all forms of protected health data, ePHI focuses on the electronic data that covered entities create, receive, maintain, or transmit. The distinction is important because ePHI is subject to specific cybersecurity and privacy requirements under HIPAA to prevent unauthorized access, breaches, or disclosures.
Data stored in electronic health records (EHRs), emails containing patient information, or health data transmitted over electronic networks are considered ePHI. In contrast, handwritten notes or verbal communications, while still PHI, are not classified as ePHI.
Does the HIPAA identifier rule influence how PHI is defined?
The HIPAA identifier rule influences the definition of PHI by specifying which identifiers, when combined with health information, render that information protected under HIPAA. The HIPAA Privacy Rule defines PHI as individually identifiable health information that includes any of 18 specific identifiers that can be used to identify the individual or their relatives, employers, or household members.
According to a journal article on the identifiers by Beckie Kelly published in Health Data Management, “Though they may not be as 'sexy' as protecting patient privacy or securing electronic records, the identifier rules are an integral piece to the overall HIPAA puzzle. In the end, they can help health care organizations streamline processes, save time, and trim costs.”
These identifiers include names, geographic subdivisions smaller than a state, all elements of dates (except year) directly related to an individual, telephone numbers, email addresses, social security numbers, medical record numbers, biometric identifiers, and others. The presence of any of these identifiers linked to health information transforms the data into PHI, which then requires protection under HIPAA.
This identifier list ensures that health information is not considered PHI unless it can be linked to an individual through these identifiers. The rule mandates that to de-identify health information and remove it from PHI status, all these identifiers must be removed or obscured.
What are the elements of PHI under HIPAA?
Identifiability
An excerpt from Patient Confidentiality assessing what is considered PHI states, “The privacy rule specifies 18 elements that constitute PHI.[7] These identifiers include demographic and other information relating to an individual's past, present, or future physical or mental health or condition or the provision or payment of health care to an individual.” Information is PHI if it contains any of the 18 identifiers. Even IP addresses or biometric data (e.g., fingerprints) qualify.
Context of use
- Health information: Must relate to past, present, or future health conditions, care provision, or payment.
- Holder of data: Applies only to covered entities (e.g., healthcare providers, insurers) and their business associates. Data held by non-covered entities (e.g., fitness apps) is excluded.
Examples of PHI in case law
Morris v. Rhode Island Quality Institute (2025)
A whistleblower lawsuit alleged that a state Health Information Exchange (HIE) permitted unauthorized PHI use for research without patient consent. The case centers on whether HIEs can share PHI for research under HIPAA’s §164.512(i), which allows such disclosures only with Institutional Review Board (IRB) approval, patient authorization, or data use agreements.
$2.4 million fine for unauthorized press release disclosure (2015)
A health system disclosed a patient’s name in a press release about a police incident. The OCR ruled this a willful HIPAA violation, emphasizing that names, one of the 18 HIPAA identifiers, constitute PHI requiring strict safeguards when linked to a health context.
$2.15 million penalty for systemic PHI failures (2015)
A health system faced fines after employees sold 24,000 patient records and failed to report breaches. The case reinforced that PHI includes medical record numbers, treatment details, and demographic data stored in EHRs, and institutions must limit access to authorized personnel.
What is not considered PHI?
Certain types of information are explicitly excluded from PHI under HIPAA. Health information that is not individually identifiable, meaning it cannot be linked to a specific person, is not PHI. This includes de-identified health data where all 18 HIPAA identifiers have been removed.
Employee and student health records maintained by employers or educational institutions are generally not PHI, as they fall under other privacy laws such as FERPA for education records. Data collected by wearable devices or health and fitness apps that is not maintained by a covered entity is also not considered PHI. Appointment inquiries that include only names and phone numbers without health information do not constitute PHI until the individual becomes a patient.
Health information of individuals deceased for more than 50 years is not considered PHI. Information held by entities not covered by HIPAA, such as some health apps or third-party companies, may not be PHI even if it includes health data.
FAQs
Are there exceptions where PHI identifiers can be shared without consent?
Yes, PHI identifiers can be shared without individual consent under certain circumstances.
How are PHI identifiers used in medical research?
In medical research, PHI identifiers are typically removed or altered to protect patient confidentiality unless the research is conducted with patient consent or under a special waiver approved by an Institutional Review Board (IRB).
How do the safe harbor and other de-identification rules relate to the 18 identifiers?
The HIPAA Safe Harbor method requires the removal of all 18 specific identifiers (such as names, geographic subdivisions smaller than a state, dates related to the individual except year, phone numbers, and biometric data) from health information so that the data is considered de-identified and no longer protected under HIPAA. Other de-identification rules, such as the Expert Determination method, rely on statistical analysis to establish that the risk of re-identification is very low, but the Safe Harbor method specifically mandates the elimination of all 18 listed identifiers for compliance.