
Understanding Protected Health Information and the 18 Identifiers That Define It

  • Invenio Labs
  • 5 days ago
  • 3 min read
Medical record folder showing patient details

Healthcare providers, IT professionals, and clinic owners face constant challenges in protecting patient data. One critical concept in this effort is Protected Health Information, or PHI. Knowing exactly what qualifies as PHI is essential for compliance with HIPAA regulations and for passing audits that assess data security. This post explains what Individually Identifiable Health Information is, how it differs from PHI, and details the 18 specific identifiers that make health information protected.


What Is Individually Identifiable Health Information?


Individually Identifiable Health Information is health information, including demographic information, that relates to a person's past, present, or future physical or mental health condition, to the healthcare provided to that person, or to payment for that care, and that either identifies the individual or gives a reasonable basis to believe it could be used to identify them. This information can be in any form: electronic, paper, or oral.


For example, a doctor’s notes about a patient’s diagnosis or a billing statement with treatment details are individually identifiable if they include information that reveals who the patient is.


How PHI Differs from Individually Identifiable Health Information


PHI is a subset of Individually Identifiable Health Information. It specifically refers to health information that is held or transmitted by a covered entity or its business associate and that relates to:


  • The individual’s past, present, or future physical or mental health condition

  • The provision of healthcare to the individual

  • The past, present, or future payment for healthcare


The key difference is that PHI is protected under HIPAA only when it is created, received, maintained, or transmitted by a covered entity (a healthcare provider that bills electronically, a health plan, or a healthcare clearinghouse) or by a business associate acting on its behalf. The definition also carves out a few categories that are individually identifiable but are not PHI: education records covered by FERPA, employment records a covered entity holds in its role as an employer, and health information about a person who has been deceased for more than 50 years.


In contrast, individually identifiable health information that is not held by these entities or their business associates (for example, data a consumer enters into a fitness app that has no relationship with a covered entity) is not PHI under HIPAA, although other privacy laws may still apply to it.


The 18 Identifiers That Make Information PHI


The HIPAA Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists 18 identifiers of the individual, and of the individual's relatives, employers, and household members, that must be removed before health information is treated as de-identified and therefore outside the rule. Two points follow from that. First, data with every one of these identifiers stripped is still not de-identified if the covered entity has actual knowledge that what remains could identify the individual. Second, the list is a de-identification checklist, not a definition of PHI: health information held by a covered entity is PHI whenever it is reasonably identifiable, whether or not one of the 18 fields is present. Removing or masking these identifiers is the mechanical part of Safe Harbor de-identification; the Expert Determination method is the alternative route.


Here are the 18 identifiers:


  1. Names

    Full names, and fragments derived from them. HHS guidance treats derivatives of a listed identifier, such as initials or the last four digits of a Social Security number, as identifiers that Safe Harbor does not permit.


  2. All geographic subdivisions smaller than a state

    Street address, city, county, precinct, and ZIP code, together with their equivalent geocodes. The first three digits of a ZIP code may remain only if, according to current publicly available Census data, all ZIP codes sharing those three digits together contain more than 20,000 people; for the sparsely populated prefixes that fail this test the three digits are changed to 000.


  3. All elements of dates (except year) directly related to an individual

    Birth date, admission date, discharge date, and date of death, plus all ages over 89 and any date element (including the year) that would reveal such an age. Ages over 89 may be aggregated into a single category of "age 90 or older"; the year alone of other dates may remain.


  4. Telephone numbers

    Home, mobile, or work phone numbers.


  5. Fax numbers


  6. Email addresses


  7. Social Security numbers


  8. Medical record numbers


  9. Health plan beneficiary numbers


10. Account numbers


11. Certificate/license numbers


12. Vehicle identifiers and serial numbers, including license plate numbers


13. Device identifiers and serial numbers


14. Web URLs


15. Internet Protocol (IP) addresses


16. Biometric identifiers

    Fingerprints, voiceprints, retina scans.


17. Full-face photographs and any comparable images


18. Any other unique identifying number, characteristic, or code

    Any remaining value that could single out an individual. The one permitted exception is a re-identification code the covered entity assigns for its own use, provided the code is not derived from the individual's information and the mechanism for generating it is not disclosed.


Why These Identifiers Matter


Each of these identifiers can directly or indirectly reveal the identity of a patient, and the indirect ones combine more powerfully than intuition suggests. A medical record number alone might not identify someone outside a hospital, but paired with a date of birth and ZIP code it narrows to a single person quickly; published re-identification studies have shown that date of birth, sex, and five-digit ZIP code alone uniquely identify a large majority of the U.S. population. That is why Safe Harbor strips date elements and fine-grained geography rather than only the obviously direct fields.


Healthcare organizations must carefully manage these identifiers to avoid unauthorized disclosures. During HIPAA audits, examiners often check how well these identifiers are protected or removed when sharing data.


Computer screen showing HIPAA compliance checklist

Practical Examples of PHI in Healthcare Settings


  • A clinic’s electronic health record system stores patient names, dates of birth, and treatment details. This data is PHI and must be encrypted and access-controlled.

  • A billing department sends invoices that include patient names, addresses, and health plan numbers. These invoices contain PHI and require secure transmission.

  • A researcher receives a dataset from which all 18 identifiers have been removed. Year of birth and year of admission remain, which Safe Harbor permits as long as no patient is over 89 (otherwise their birth year must go and age is reported as "90 or older"), and the covered entity has no actual knowledge that the remaining fields could identify anyone. That dataset is de-identified and is no longer PHI.
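The list of identifiers above and the de-identified research dataset in the last bullet describe the same procedure, so here is one worked version of it. This is an added example, not code from the original post or from Invenio Labs, and it applies the Safe Harbor transformations to a single flat patient record: allow-listed fields pass through, dates collapse to their year, ages over 89 collapse to "90+" with the birth year dropped, ZIP codes are cut to three digits (or "000" for the restricted prefixes), and every other field is discarded. The field names, the sample record, and the set of restricted ZIP prefixes are assumptions: the prefix set is the one HHS published from 2000 Census figures and must be checked against current Census data before any real use. Free text is deliberately not parsed; a notes field is simply dropped.

```python
"""Safe Harbor de-identification of one flat patient record (added example)."""
from datetime import date
from typing import Optional
import re

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer, as
# listed in HHS Safe Harbor guidance (2000 Census figures). Assumption: this
# set must be refreshed against current published Census data before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Output allow-list. Anything not named here or handled explicitly below is
# dropped (fail closed), so a stray free-text or identifier column cannot leak.
PASSTHROUGH_FIELDS = ("state", "sex", "diagnosis_code", "procedure_code")
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

_ZIP_RE = re.compile(r"^(\d{3})\d{2}(?:-\d{4})?$")


def safe_harbor_zip(zip_code: str) -> Optional[str]:
    """Reduce a 5-digit or ZIP+4 code to its 3-digit prefix, or "000" for a
    restricted prefix. Malformed input returns None so the caller drops it."""
    m = _ZIP_RE.match(zip_code.strip())
    if not m:
        return None
    zip3 = m.group(1)
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years from birth to as_of, accounting for a birthday not yet reached."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of a record whose date fields hold date objects.

    as_of is the reference date for age (the extract date); for a deceased
    patient the age is computed at the date of death instead.
    """
    out = {}
    for field in PASSTHROUGH_FIELDS:
        if field in record:
            out[field] = record[field]

    if "zip" in record:
        zip3 = safe_harbor_zip(record["zip"])
        if zip3 is not None:
            out["zip3"] = zip3

    birth = record.get("birth_date")
    reference = record.get("death_date") or as_of
    over_89 = birth is not None and age_on(birth, reference) > 89

    for field in DATE_FIELDS:
        if field not in record:
            continue
        # The year alone may remain, except a birth year that reveals age > 89.
        if field == "birth_date" and over_89:
            continue
        out[field.replace("_date", "_year")] = record[field].year

    if birth is not None:
        out["age"] = "90+" if over_89 else str(age_on(birth, reference))

    # Names, street/city/county, MRN, SSN, phone, email, notes and every other
    # field not handled above never reach the output.
    return out


# Constructed sample record; not real patient data.
EXTRACT_DATE = date(2024, 3, 2)
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0000001",
    "ssn": "000-00-0000",
    "street": "1 Example St", "city": "Springfield", "state": "MA",
    "zip": "03609",
    "birth_date": date(1931, 6, 15),
    "admission_date": date(2024, 3, 2),
    "sex": "F",
    "diagnosis_code": "I10",
    "notes": "Patient's sister, Mary Example, accompanied her.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, EXTRACT_DATE))
```

For the sample above the output keeps only state, sex, diagnosis code, ZIP prefix "000" (036 is a restricted prefix), admission year 2024, and age "90+"; the birth year is withheld because the patient is over 89. The allow-list design is the point: a de-identification routine that enumerates what to remove will miss the column somebody adds next year, while one that enumerates what to keep fails safe.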


Protecting PHI During Audits and Daily Operations


Healthcare providers and IT staff must implement strong safeguards to protect PHI. This includes:


  • Limiting access to PHI only to authorized personnel

  • Using encryption for electronic PHI (ePHI)

  • Training staff on HIPAA rules and the importance of protecting identifiers

  • Regularly reviewing systems and processes during audits to ensure compliance


Auditors will look for evidence that these identifiers are handled correctly and that policies are in place to prevent breaches.


Secure server room with network equipment protecting patient data

Summary


Understanding what qualifies as PHI is crucial for healthcare providers, IT professionals, and clinic owners. PHI is individually identifiable health information that is protected under HIPAA when a covered entity or its business associate creates, receives, maintains, or transmits it. The 18 Safe Harbor identifiers are the practical checklist for spotting the fields that make a record identifiable and for stripping them when data must be de-identified.


By knowing these identifiers and applying strong security measures, organizations can protect patient privacy, comply with HIPAA, and pass audits with confidence. The next step is to review your current data handling practices and ensure all PHI is properly secured and managed.

