What are the 18 PHI identifiers?

The 18 PHI identifiers are specific information that can be used to identify an individual in the context of their health records. These identifiers cover a broad range of personal and demographic details.

What are the PHI identifiers?

According to HHS guidance providing the information that needs to be deidentified, “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI… If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”

HIPAA provides two ways of determining if information is individually identifiable health information. The first is the Expert Determination method, where an expert with knowledge of statistical and scientific principles evaluates the information to determine that the risk of identification is very low, documenting the analysis and outcomes to justify this determination. 

The second is the Safe Harbour method where we can find the 18 PHI identifiers as we know it. These identifiers include data points like names, and email addresses, among others. By systematically removing or adequately protecting these identifiers, healthcare providers, insurers, and other covered entities make sure that health information used for research, operations, or other secondary purposes remains anonymous.  

Related: What is protected health information (PHI)?

The 18 PHIidentifiers

The identifiers under Section 164.514 (b)(2): 

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:

• The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
• The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000

1. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
2. Telephone numbers
3. Vehicle identifiers and serial numbers, including license plate numbers
4. Fax numbers
5. Device identifiers and serial numbers
6. Email addresses
7. Web Universal Resource Locators (URLs)
8. Social security numbers
9. Internet Protocol (IP) addresses
10. Medical record numbers
11. Biometric identifiers, including finger and voice prints
12. Health plan beneficiary numbers
13. Full-face photographs and any comparable images
14. Account numbers
15. Any other unique identifying number, characteristic, or code
16. Certificate/license numbers

1. Patient names 

When used alongside information such as the patient's mental or physical health treatment or diagnosis, patient names must be secured during transmission and storage. 

2. Geographical elements

Geographical elements include street addresses, cities, counties, and zip codes. This data relates to the ability to contact as well as identify the patient and must be adequately secured. 

3. Dates related to the health or identity of individuals 

This information includes admission or discharge date, birthdate, death date, and age-indicative dates. 

4. Telephone numbers

Telephone numbers are considered PHI and require protective measures to prevent unauthorized access or interception. 

5. Fax numbers

Similar to a telephone number, fax numbers are considered PHI. 

6. Email addresses

Email addresses can be linked to individuals and associated with a patient's health information. Beyond ensuring HIPAA compliant email, protecting email addresses helps ensure that patient communications remain secure and confidential, reducing the risk of interception or unauthorized access to sensitive information.

7. Social Security numbers

A social security number is a numerical identifier assigned to U.S. citizens and other residents to track income and determine benefits. 

8. Medical record numbers

Medical record numbers are unique identifiers assigned to individuals' health records. Unauthorized access or disclosure of medical record notes can expose sensitive health details, compromising patient confidentiality.

9. Health insurance beneficiary numbers

Health insurance beneficiary numbers, similar to medical records, help identify the health insurance holders and therefore pose the risk of compromising patient privacy and could lead to identity theft or fraud. Furthermore, these numbers could be used to steal healthcare benefits. 

10. Account numbers

An account number, a unique digit set identifying your bank account, must be securely maintained to safeguard patients' financial information used for medical payments. This security is crucial to prevent potential financial fraud.

11. Certificate/license numbers

Certificate or license numbers serve as a form of authentication and verification in various contexts. They can be used to confirm an individual's professional qualifications, credentials, or legal permissions. When combined with other personal information, it can potentially be exploited by identity thieves, similar to social security or medical record numbers. Unauthorized access to these numbers could lead to identity theft.

12. Vehicle identifiers

When combined with other personal information, identity thieves can exploit vehicle identifiers.

13. Device attributes or serial numbers

Device attributes or serial numbers are identifiers tied to electronic devices like smartphones, tablets, or medical devices. These are often interacted with by healthcare providers during the delivery of healthcare services.

14. Digital identifiers, including some URLs

Some URLs to web pages or online resources are often used by healthcare providers for numerous purposes, such as patient education or appointment scheduling. Securing these URLs and other digital identifiers bolsters the security of online platforms, prevents unauthorized access, and upholds the confidentiality of patient data.

15. IP addresses

An IP address is a numerical label assigned to each device connected to a computer network. It serves as a unique identifier for routing data packets across the internet. IP addresses can provide information about the general location or network from which a device is accessing a website or online service.

16. Biometric elements, including finger, retinal, and voiceprints

Biometric information is unique to an individual and can be used to identify or authenticate their identity. As such, it falls within the scope of PHI and is subject to HIPAA's privacy and security requirements.

Related: Balancing Convenience and Privacy with biometric authentication

17. Photographs of a patient's face

These images, which capture an individual's facial features and identity, fall within the scope of PHI as they can uniquely identify a patient. Full face photographic images can provide precise and identifiable information about an individual's appearance, making them fall under the category of PHI.

18. Other identifying numbers or codes 

Under HIPAA, other identifying numbers or codes refer to any unique identifiers or codes that can be used to identify an individual. These identifiers may not fall into the specific categories mentioned earlier, but they are still considered PHI if they can be used to identify an individual.

The use of the 18 identifiers 

When sharing data in a manner that doesn't align with the Privacy Rule, it's essential to deidentify all of the identifiers mentioned earlier before disclosure. This additional step ensures an added layer of protection for patient information.

In addition to the safeguards and privacy requirements outlined in the Security and Privacy Rule, healthcare professionals are bound by the Minimum Necessary Rule. This rule ensures that only the minimum amount of information necessary is used, shared, and disclosed, protecting patient privacy and reducing the risk of unauthorized access.

By adhering to the Minimum Necessary Rule and deidentifying data as required, healthcare professionals can maintain a high level of confidentiality while fulfilling their duty to provide effective and efficient healthcare services.

FAQs

Are there exceptions where PHI identifiers can be shared without consent?

Yes, PHI identifiers can be shared without individual consent under certain circumstances.

How are PHI identifiers used in medical research?

In medical research, PHI identifiers are typically removed or altered to protect patient confidentiality unless the research is conducted with patient consent or under a special waiver approved by an Institutional Review Board (IRB).