The 18 PHI identifiers under HIPAA are names, geographic data smaller than a state, dates (except year), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and unique codes or characteristics. The 18 specific identifiers are explicitly named as personal data points that must be protected or removed to de-identify information. However, these 18 identifiers are not a comprehensive list; other types of information can also be considered PHI when they are tied to health data. Below is a detailed overview of the 18 identifiers and examples of other types of PHI.
Full List of 18 PHI Identifiers Under HIPAA
- Names: Full names, initials, and nicknames associated with an individual.
- Geographic Subdivisions: Data smaller than a state, including city, county, street address, and most ZIP codes (unless the ZIP code covers a population of 20,000 or more).
- Dates: Birthdates, admission dates, discharge dates, and death dates (except for the year). For individuals over 89, even the year is considered identifiable unless aggregated.
- Phone Numbers: Personal, home, mobile, or work phone numbers.
- Fax Numbers: Fax numbers that can identify an individual.
- Email Addresses: Any email address linked to a specific person.
- Social Security Numbers (SSNs): Full or partial Social Security numbers.
- Medical Record Numbers: Unique numbers assigned to a patient’s medical records.
- Health Plan Beneficiary Numbers: Identifiers linked to health insurance accounts or benefits.
- Account Numbers: Bank account details or other financial accounts.
- Certificate/License Numbers: Professional, medical, or other licenses associated with the individual.
- Vehicle Identifiers: License plate numbers, vehicle registration details, and VINs.
- Device Identifiers: Serial numbers or identifiers of medical or personal devices.
- Web URLs: Website addresses tied to a specific individual.
- IP Addresses: Unique IP addresses of devices used by the individual.
- Biometric Identifiers: Fingerprints, voiceprints, retinal scans, and facial geometry.
- Full-Face Photographic Images: Photographs that reveal the entire face or comparable visual features.
- Unique Codes: Any unique identifying characteristic or code assigned to an individual.
Examples of Other Types of PHI
While HIPAA specifies the 18 identifiers for de-identification, other types of data can also qualify as PHI if combined with health-related information. Below are 30 common examples of data points that may be considered PHI when they are linked to an individual’s healthcare:
- Gender combined with a rare disease.
- Marital status and healthcare history.
- Job title and a diagnosis.
- Genetic test results not categorized under biometric identifiers.
- Insurance claim history.
- Prescription details tied to a patient.
- Treatment plans.
- Clinical visit summaries.
- Emergency contact information.
- Caregiver names and roles.
- Medication dosages.
- Imaging results like X-rays or MRIs.
- Pathology slides or reports.
- Discharge summaries.
- Laboratory test results (e.g., blood work, urine tests).
- Mental health therapy notes.
- Surgical records.
- Allergy information.
- Immunization history.
- Hospital admission records.
- Billing or payment information tied to healthcare.
- Rehabilitation progress notes.
- Risk assessment scores.
- Nutritional consultation details.
- Medical appointment calendars.
- Patient-reported symptoms.
- Ancestry details linked to health conditions.
- Family medical histories.
- Remote monitoring data from wearable devices.
- Data collected from patient satisfaction surveys.
These examples show the breadth of data that can qualify as PHI, even if they do not fall under the formal list of 18 HIPAA identifiers. HIPAA’s strict guidelines ensure that any information capable of identifying a patient is adequately safeguarded. The 18 identifiers provide a foundation for de-identifying health data, but the broader context of healthcare requires vigilance in handling any information tied to an individual’s medical records. By understanding the full scope of PHI, organizations can implement better safeguards, avoid breaches, and ensure compliance with regulatory standards.