What are the 18 PHI identifiers?

The 18 PHI identifiers are the specific categories of identifiers that must be removed under the HIPAA Privacy Rule safe harbor de-identification standard, and they are names; geographic subdivisions smaller than a state with limited ZIP code handling; all elements of dates related to an individual other than year with a special rule for ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers including license plate numbers; device identifiers and serial numbers; web Uniform Resource Locators; Internet Protocol addresses; biometric identifiers including finger and voice prints; full face photographic images and comparable images; and any other unique identifying number, characteristic, or code.

These identifiers are often referred to as the HIPAA safe harbor identifiers because they appear in the de-identification provision of the HIPAA Privacy Rule. When these identifiers are removed and the covered entity or business associate has no actual knowledge that the remaining information could be used to identify an individual, the remaining information can qualify as de-identified under the safe harbor method. The list is not a complete definition of protected health information, and the presence or absence of a single identifier does not determine HIPAA status without considering whether the information is individually identifiable health information held by a HIPAA Covered Entity or Business Associate.

The first category is the individual’s name. The second category is geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code, with a permitted approach to retaining the initial three digits of the ZIP code only when the related geographic unit has a sufficiently large population and the covered entity applies the required suppression for smaller populations. The third category is all elements of dates, except year, that relate to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 and elements of dates that indicate such age, unless the information is aggregated into a single 90 or older category.
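The geographic, date, and age rules above can be expressed as a small generalization routine. This is an added example, not code from the article; the record schema, function names, and population figures are constructed, and the 20,000-person threshold and `000` replacement are taken from the Privacy Rule text (45 CFR 164.514(b)(2)(i)(B)) rather than from this page.

```python
from datetime import date

# Assumptions (not stated on the page): the 20,000-person threshold and "000"
# replacement come from 45 CFR 164.514(b)(2)(i)(B); populations are constructed.
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}  # constructed sample data
ZIP3_MIN_POPULATION = 20_000
MAX_REPORTABLE_AGE = 89


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only for sufficiently populous ZIP3 units."""
    zip3 = zip_code.strip()[:3]
    # Unknown ZIP3 units are suppressed too: fail closed.
    if populations.get(zip3, 0) > ZIP3_MIN_POPULATION:
        return zip3
    return "000"


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def generalize_record(record, as_of):
    """Apply the geographic, date and age rules to one record (hypothetical schema)."""
    age = age_on(record["birth_date"], as_of)
    over_limit = age > MAX_REPORTABLE_AGE
    return {
        "zip3": generalize_zip(record["zip"]),
        # A birth year would reveal an age over 89, so it is dropped for that group.
        "birth_year": None if over_limit else record["birth_date"].year,
        "age": "90+" if over_limit else age,
        # Other dates keep the year only.
        "admission_year": record["admission_date"].year,
    }


# Constructed sample records
SAMPLE = [
    {"zip": "10027", "birth_date": date(1980, 6, 15), "admission_date": date(2024, 3, 2)},
    {"zip": "03601", "birth_date": date(1930, 1, 20), "admission_date": date(2024, 3, 9)},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(generalize_record(rec, as_of=date(2024, 6, 1)))
```

The routine covers only the second and third categories; the remaining identifiers are removed outright rather than generalized.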

The next identifiers are contact numbers and electronic contact points used to reach an individual. These include telephone numbers, fax numbers, and email addresses. The list also includes government or program numbers that directly identify an individual, including Social Security numbers, medical record numbers, and health plan beneficiary numbers.

The list includes financial and credentialing identifiers that can point to a single person. These include account numbers and certificate or license numbers. The list also includes identifiers tied to vehicles and devices, including vehicle identifiers and serial numbers, license plate numbers, and device identifiers and serial numbers.

The list includes network identifiers and online location identifiers that can be used to identify or trace an individual. These include web Uniform Resource Locators and Internet Protocol addresses. It also includes biometric identifiers used for identification, including fingerprints and voice prints, as well as full face photographic images and any comparable images that allow recognition.

The final category covers any other unique identifying number, characteristic, or code, subject to the HIPAA Privacy Rule de-identification conditions, including restrictions on re-identification codes that are derived from identifying information or that permit identification of the individual.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter (https://x.com/JamesKeoghHIPAA) and contact James on LinkedIn (https://www.linkedin.com/in/james-keogh-89023681).