HIPAA's Privacy Rule defines protected health information as any individually identifiable health information, including demographic data, that relates to an individual's past, present, or future physical or mental health condition, provision of healthcare, or payment for healthcare.
The 18 PHI identifiers are the personally identifiable details relating to a patient that are set out by HIPAA's Privacy Rule. When any of these identifiers is combined with information such as details of the patient's mental or physical health, it is considered protected health information (PHI).
The 18 PHI identifiers
- Patient names
- Geographical elements
- Dates related to the health or identity of individuals
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Photographs of a patient's face
- Other identifying numbers or codes
1. Patient names
When used alongside information such as the patient's mental or physical health treatment or diagnosis, patient names must be secured during transmission and storage.
2. Geographical elements
Geographical elements include street addresses, cities, counties, and zip codes. This data relates to the ability to contact as well as identify the patient and must be adequately secured.
3. Dates related to the health or identity of individuals
This information includes admission or discharge date, birthdate, death date, and age-indicative dates.
4. Telephone numbers
Telephone numbers are considered PHI and require protective measures to prevent unauthorized access or interception.
5. Fax numbers
Similar to a telephone number, fax numbers are considered PHI.
6. Email addresses
Email addresses can be linked to individuals and associated with a patient's health information. Beyond ensuring HIPAA compliant email, protecting email addresses helps ensure that patient communications remain secure and confidential, reducing the risk of interception or unauthorized access to sensitive information.
7. Social Security numbers
A Social Security number is a numerical identifier assigned to U.S. citizens and other residents to track income and determine benefits.
8. Medical record numbers
Medical record numbers are unique identifiers assigned to individuals' health records. Unauthorized access to or disclosure of medical record numbers can expose sensitive health details, compromising patient confidentiality.
9. Health insurance beneficiary numbers
Health insurance beneficiary numbers, like medical record numbers, identify the holder of a health insurance policy and therefore pose a risk to patient privacy; their exposure could lead to identity theft or fraud. These numbers could also be used to steal healthcare benefits.
10. Account numbers
An account number, the unique set of digits identifying a bank account, must be securely maintained to safeguard the financial information patients use for medical payments. This security is crucial to prevent financial fraud.
11. Certificate/license numbers
Certificate or license numbers serve as a form of authentication and verification in various contexts. They can be used to confirm an individual's professional qualifications, credentials, or legal permissions. When combined with other personal information, they can be exploited by identity thieves, much like Social Security or medical record numbers. Unauthorized access to these numbers could lead to identity theft.
12. Vehicle identifiers
When combined with other personal information, vehicle identifiers can be exploited by identity thieves.
13. Device attributes or serial numbers
Device attributes or serial numbers are identifiers tied to electronic devices such as smartphones, tablets, or medical devices. Healthcare providers often interact with these devices while delivering healthcare services.
14. Digital identifiers, including some URLs
Healthcare providers often use URLs to web pages or online resources for numerous purposes, such as patient education or appointment scheduling. Securing these URLs and other digital identifiers bolsters the security of online platforms, prevents unauthorized access, and upholds the confidentiality of patient data.
15. IP addresses
An IP address is a numerical label assigned to each device connected to a computer network. It serves as a unique identifier for routing data packets across the internet. IP addresses can provide information about the general location or network from which a device is accessing a website or online service.
16. Biometric elements, including finger, retinal, and voiceprints
Biometric information is unique to an individual and can be used to identify or authenticate their identity. As such, it falls within the scope of PHI and is subject to HIPAA's privacy and security requirements.
17. Photographs of a patient's face
These images capture an individual's facial features and fall within the scope of PHI because they can uniquely identify a patient. Full-face photographic images provide precise, identifiable information about an individual's appearance.
18. Other identifying numbers or codes
Under HIPAA, other identifying numbers or codes refer to any unique identifiers or codes that can be used to identify an individual. These identifiers may not fall into the specific categories mentioned earlier, but they are still considered PHI if they can be used to identify an individual.
The use of the 18 identifiers
When data is to be shared in a manner that the Privacy Rule does not otherwise permit, all of the identifiers listed above must be deidentified before disclosure. This additional step provides an added layer of protection for patient information.
In addition to the safeguards and privacy requirements outlined in the Security and Privacy Rules, healthcare professionals are bound by the Minimum Necessary Rule. This rule requires that only the minimum amount of information necessary is used, shared, and disclosed, protecting patient privacy and reducing the risk of unauthorized access.
By adhering to the Minimum Necessary Rule and deidentifying data as required, healthcare professionals can maintain a high level of confidentiality while fulfilling their duty to provide effective and efficient healthcare services.
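As an added example (not part of the original article), the following Python routine scans a constructed patient record for the identifier categories that have a recognisable textual form (SSN, phone/fax, email, IP address, URL, date, medical record number), redacts them, and reports which categories were found. Field names, the regular expressions, and the sample record are assumptions made for this illustration, not a complete Safe Harbor implementation.

```python
import re

# Regexes for identifier categories that have a recognisable textual form.
# Patterns are simplified for this example (assumption); real data needs tuning.
PATTERNS = {
    "ssn":       re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_fax": re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email":     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip":        re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":       re.compile(r"\bhttps?://\S+"),
    "date":      re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn":       re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE),
}

# Structured fields that are identifiers whatever their format (names, geography,
# birth dates, account/vehicle/device numbers). Field names are assumed here.
DIRECT_FIELDS = {"name", "address", "zip", "dob", "account_number", "vin", "device_serial"}


def deidentify(record):
    """Return (redacted_record, findings); findings is a list of (field, category)."""
    redacted, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_FIELDS:          # identifier by definition: drop the value
            redacted[field] = "[REDACTED]"
            findings.append((field, field))
            continue
        text = str(value)
        for category, pattern in PATTERNS.items():  # order matters: SSN before phone
            if pattern.search(text):
                findings.append((field, category))
                text = pattern.sub(f"[{category.upper()}]", text)
        redacted[field] = text
    return redacted, findings


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe",
    "dob": "1975-04-12",
    "zip": "90210",
    "diagnosis": "Type 2 diabetes; follow-up scheduled 2024-03-01",
    "note": ("Call 555-123-4567 or jane.doe@example.com; SSN 123-45-6789; "
             "portal https://portal.example.com/p/42 from 203.0.113.7; MRN 00123456"),
}

if __name__ == "__main__":
    clean, found = deidentify(SAMPLE_RECORD)
    for field, category in found:
        print(f"{field}: {category}")   # audit trail of what was removed and why
    print(clean)
```

The findings list doubles as a minimum-necessary check: any category reported for a field that the recipient has no need for should be removed from the export rather than merely masked.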