What Are the 18 HIPAA Identifiers: PHI Explained (2024)

One of the critical components of HIPAA is the Privacy Rule, which establishes national standards for safeguarding certain health data. At the heart of this rule are the 18 Protected Health Information (PHI) identifiers, which, when combined with health data, are subject to stringent privacy and security measures.

To comply with HIPAA regulations, healthcare professionals must stay up-to-date on the Privacy Rule and understand the 18 PHI identifiers. By taking the necessary steps to safeguard sensitive information, they can contribute to maintaining patient confidentiality and trust while avoiding potential legal repercussions.

In this article, we’ll cover in-depth why HIPAA identifiers are important, and the 18 HIPAA identifiers you should be aware of to protect your patient’s data.

What are PHI identifiers?

HIPAA, the Health Insurance Portability and Accountability Act, sets standards and rules for healthcare providers and organizations to ensure the privacy and security of patients' health information. Protected Health Information (PHI) refers to identifiable information about an individual's healthcare that is regulated by HIPAA. The 18 HIPAA identifiers are used to classify what is considered relevant PHI.

These identifiers are considered PHI when used in relation to an individual's healthcare. De-identified PHI is information that has been stripped of the identifiers, and at this point, HIPAA rules no longer apply to it. The removal of these identifiers aids in safeguarding patients' privacy while still allowing healthcare providers and researchers to work with relevant information.

What is the Identifiers Rule in HIPAA?

The Identifiers Rule is an important aspect of the Health Insurance Portability and Accountability Act (HIPAA). It establishes specific guidelines for the protection of individuals' health information, focusing on the use of unique identifiers to maintain patient privacy.

One of the main goals of this rule is to promote standardization in healthcare transactions. By using unique identifiers, healthcare providers, insurance companies, and other entities can efficiently exchange information without compromising the privacy and security of patients' personal health information (PHI).

There are two key unique identifiers recognized under HIPAA regulations:

  1. Standard Unique Employer Identifier (EIN) - This is the same as the Employer Identification Number used on an organization's federal IRS Form W-2. The primary purpose of the EIN is to identify an employer entity in HIPAA transactions.

  2. National Provider Identifier (NPI) - The NPI is a 10-digit numeric identifier that is assigned to healthcare providers and organizations. Its main function is to uniquely identify healthcare providers in transactions that are subject to HIPAA regulations.

In addition to the two unique identifiers mentioned above, there are 18 specific HIPAA identifiers for PHI. These identifiers are used to de-identify health information in accordance with the HIPAA Privacy Rule. Some examples of these identifiers are patient names, geographical elements like street addresses and zip codes, and dates directly related to the individual.

Why are these HIPAA 18 identifiers important?

The 18 HIPAA identifiers serve as a crucial foundation for ensuring the privacy and security of patients' Protected Health Information (PHI) within the healthcare industry. These identifiers are essential for healthcare organizations to understand exactly what constitutes PHI and the specific information they are obliged to safeguard.

First and foremost, the HIPAA 18 identifiers ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations, which are designed to protect individuals' medical records and other personal health information. By clearly defining the 18 identifiers, healthcare organizations can develop and implement policies, practices, and systems that effectively safeguard PHI.

Second, the HIPAA 18 identifiers promote trust between patients and healthcare providers. By protecting individuals' health information, healthcare organizations demonstrate their commitment to maintaining patient confidentiality. This trust is vital for encouraging patients to seek timely and appropriate medical care, and for fostering open, honest communication between patients and healthcare professionals.

Furthermore, proper management of the HIPAA 18 identifiers is necessary to minimize the risk of breaches and data misuse. Unauthorized access, disclosure, or use of PHI can have wide-ranging consequences, including financial penalties, reputational damage, and even regulatory actions against the healthcare organization. By understanding and adhering to the 18 HIPAA identifiers, healthcare organizations can mitigate these risks and maintain the integrity of the data they handle.

What are the 18 HIPAA identifiers? The full list of PHI elements

1. Names

Names refer to a patient's full name, including first, middle, and last names. This identifier ensures that patients' personal identities are protected.

2. Geographic subdivisions smaller than a state

This includes street addresses, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if certain conditions are met.

3. All elements of dates (except year)

This category covers all elements of dates, such as birthdate, admission date, and discharge date, with the exception of the year. Data for individuals aged 89 years or older may also fall under this identifier.

4. Telephone numbers

Phone numbers, both landline and mobile, are considered identifiers that need protection.

5. Fax numbers

Like telephone numbers, fax numbers also fall under the HIPAA identifiers list.

6. Electronic mail addresses

Email addresses are classified as identifiers to safeguard the privacy of patients' communication with healthcare providers.

7. Social security numbers

SSNs serve as unique identifiers for US residents and fall under the list of protected identifiers under HIPAA.

8. Medical record numbers

The unique numbers assigned to each patient and their medical records must be protected, as they can be used to identify individuals.

9. Health plan beneficiary numbers

Patients' health plan beneficiary numbers are protected to maintain their confidentiality.

10. Account numbers

Financial account numbers, such as those for billing purposes, are considered identifiers and subject to HIPAA protection.

11. Certificate/license numbers

Professional certificates or license numbers, like medical licenses or drivers' licenses, are also protected identifiers.

12. Vehicle identifiers and serial numbers

Vehicle-related information, including license plate numbers and vehicle identification numbers (VINs), are considered sensitive information.

13. Device identifiers and serial numbers

Serial numbers of medical devices (e.g., pacemakers) and other gadgets are protected to ensure patient privacy.

14. Web Universal Resource Locators (URLs)

URLs that may link to patients' profiles or healthcare-related websites are considered sensitive data.

15. Internet Protocol (IP) address numbers

IP addresses, related to individuals' internet connections, are also part of the HIPAA identifier list.

16. Biometric identifiers

Examples of biometric identifiers include fingerprints and voiceprints, which are unique to individuals and must be protected.

17. Full face photographic images

Photos containing full-face images of patients, or comparable images, fall under the list of protected identifiers.

18. Any other unique identifying number

Besides the above-listed identifiers, any other unique identifying numbers, characteristics, or codes must also be protected under HIPAA.


The list of HIPAA identifiers includes specific information that must be removed from health records to maintain patient privacy in compliance with the Health Insurance Portability and Accountability Act (HIPAA). De-identification techniques involve the removal of such sensitive information, making health data safer for use in research and other purposes.

When working with health data, adhering to the HIPAA Privacy Rule is crucial to protect patient confidentiality and to avoid potential legal consequences.


Is age considered PHI?

Age is considered as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) if it can be used to identify an individual. If the age is presented as part of a specific individual's health information, it is considered PHI. However, if the age is presented in a de-identified or aggregated form, it may not be considered PHI as long as there is no possibility of identifying the individual. More information about HIPAA regulations can be found on the HHS.gov.

Is the zip code PHI?

The zip code is also considered PHI under HIPAA, as it can be used to specifically identify an individual. However, when using zip codes for research purposes or marketing, HIPAA allows the use of the first three digits of the zip code, as long as the geographical unit formed by combining all the zip codes with the same three initial digits contains more than 20,000 people. This helps with protecting the patient's privacy while still allowing for essential data use. 

What is not a direct patient identifier?

Direct patient identifiers are specific pieces of information that can be used to identify an individual directly, making the information PHI under HIPAA. Examples of direct patient identifiers include name, Social Security number, and phone number. However, there are some types of information that are not direct patient identifiers:

  • De-identified data: When data is de-identified, it can no longer be used to directly identify an individual. De-identified data may include aggregated patient data or data that has been stripped of all direct identifiers.

  • Anonymized data: Data that has been anonymized means that it has gone through a process to remove any direct patient identifiers. The process of anonymization is more stringent than de-identification, as it aims to ensure that the data cannot be used to re-identify an individual, even through advanced statistical or analytical techniques.

  • Pseudonymized data: Pseudonymized data is when a unique identifier (pseudonym) replaces the direct patient identifiers, allowing the data to be used and analyzed without being directly linked to an individual. However, a third party holds the key to link the pseudonym back to the individual if necessary.

It is important to ensure that information used in research, marketing, or other activities where patient privacy must be protected does not contain direct patient identifiers.

Start automating your
healthcare workflows

Free trial account
Cancel anytime
Get started free