HIPAA does not protect all health data. It protects health data that can be tied back to a specific person. The dividing line is a set of 18 HIPAA identifiers defined in the Privacy Rule at 45 CFR §164.514(b)(2). If health information contains any one of these 18 data elements, it qualifies as protected health information and every HIPAA safeguard applies.
This guide lists all 18 identifiers, explains what each one covers in practice, and shows you how to handle them.
Complete List of the 18 HIPAA Identifiers With Examples
The 18 HIPAA identifiers fall into a few natural categories: personal identity, dates and geography, contact information, government-issued numbers, and technical or biometric data. Below is each identifier as defined in the Safe Harbor de-identification standard, with real examples of how each one shows up in healthcare operations.
1. Names
Any name that identifies the individual. This includes first name, last name, maiden name, nickname, and initials when combined with other data. A patient intake form with "Maria Torres" attached to a diagnosis is PHI. An appointment reminder that says "M.T. - cardiology follow-up" is still PHI if someone in the office can connect those initials to a patient.
2. Geographic Data Smaller Than a State
Street address, city, county, ZIP code, and equivalent geocodes. HIPAA allows the first three digits of a ZIP code only if the geographic unit contains more than 20,000 people. If your billing system exports full addresses alongside diagnosis codes, every record in that export is PHI. A referral letter that includes "patient resides at 4200 Oak Lane, Suite B" converts the clinical information in that letter into PHI.
3. Dates Related to an Individual
Birth date, admission date, discharge date, date of death, and all ages over 89. You can use the year, but not the month or day, for most de-identification purposes. Ages 90 and above must be aggregated into a single "90+" category. A discharge summary dated "January 14, 2026" tied to a diagnosis is PHI. A research dataset that lists exact birth dates alongside treatment codes has not been de-identified.
4. Telephone Numbers
Any phone number associated with the individual, including home, mobile, and work numbers. A call log at the front desk that says "Called 631-555-0188 re: lab results" is PHI because the phone number can identify the patient. Voicemail messages that reference a patient's condition and callback number create PHI the moment they are recorded.
5. Fax Numbers
Still common in healthcare. A fax cover sheet that includes the recipient's fax number and references a patient's treatment creates PHI on both the sending and receiving end. Misdirected faxes are one of the most common breach categories reported to OCR.
6. Email Addresses
Any email tied to the individual. An unencrypted email from a provider to a patient at jane.doe@email.com discussing test results is PHI in transit and at rest. Automated appointment confirmations sent to patient email addresses also qualify.
7. Social Security Numbers
Full or partial SSNs. Healthcare organizations frequently collect SSNs during insurance enrollment and billing. If your EHR stores SSNs alongside clinical records, a breach of that system exposes both identity and health data, which is why OCR treats SSN exposure in healthcare settings as a HIPAA breach, not just an identity theft event.
8. Medical Record Numbers
Internal identifiers assigned by the covered entity. An MRN like "MR-20260045" is meaningless outside your organization, but inside it, that number connects to every diagnosis, procedure, and note on file. Exporting MRNs in a research dataset without stripping them fails the Safe Harbor standard.
9. Health Plan Beneficiary Numbers
Insurance member IDs, Medicaid numbers, and Medicare beneficiary identifiers. A claims file that lists a beneficiary number alongside a procedure code is PHI. These numbers are issued by the health plan and can be used to identify the individual across providers.
10. Account Numbers
Any financial account number connected to the individual's healthcare, including billing account numbers, patient portal account IDs, and payment processing references. A billing statement mailed to the wrong address that shows account number and services rendered is a reportable breach.
11. Certificate and License Numbers
Driver's license numbers, professional license numbers, and state ID numbers collected during patient registration. Many practices photocopy a driver's license at check-in. That copy, stored alongside clinical records, is PHI.
12. Vehicle Identifiers and Serial Numbers
VINs, license plate numbers, and vehicle descriptions. This identifier matters most in emergency and trauma settings. An ER record that says "patient arrived via ambulance, vehicle plate ABC-1234 involved in collision" links the vehicle to the individual's health event.
13. Device Identifiers and Serial Numbers
Serial numbers on medical devices such as pacemakers, insulin pumps, CPAP machines, and prosthetics. Device recall notices that include a patient-linked serial number are PHI. If your inventory system tracks which device serial went to which patient, that mapping is PHI.
14. Web URLs
Any URL that identifies the individual. A patient portal URL like portal.example.com/patient/12345 is PHI. URL tracking parameters in appointment confirmation emails that can be traced back to a specific patient also qualify.
15. IP Addresses
An IP address logged alongside a patient's portal activity, telehealth session, or online form submission is PHI. This is the identifier most organizations overlook. If your website analytics tool captures IP addresses on pages where patients enter health information, you may be creating PHI in a system with no BAA. OCR's 2022 bulletin on online tracking technologies specifically addressed this risk.
16. Biometric Identifiers
Fingerprints, retinal scans, voiceprints, and facial geometry. Biometric data used for patient identification at check-in kiosks or employee access to medication dispensing systems creates PHI when linked to health records. Unlike passwords, biometric data cannot be changed after a breach.
17. Full-Face Photographs and Comparable Images
Any photograph or image that shows identifying facial features. Clinical photographs taken during dermatology visits, surgical documentation, or wound care assessments are PHI. A "before and after" photo posted to a practice's social media page without written patient authorization is a HIPAA violation even if the patient's name is not included, because the face itself is the identifier.
18. Any Other Unique Identifying Number or Code
This is the catch-all. Any characteristic or code that could identify an individual, including employee ID numbers used in occupational health records, research subject IDs that can be cross-referenced to identity, or internal tracking codes mapped to patients. If a reasonable person could use the number to identify someone, it qualifies.
Why the 18 HIPAA Identifiers Matter for Your Practice
These identifiers are not an academic list. They define the boundary between data you can share freely and data that triggers every HIPAA obligation: access controls, encryption, audit logging, breach notification, and business associate agreements with every vendor that touches it.
The consequences are concrete. OCR has settled cases involving improper disclosure of as few as one identifier combined with health data. In 2024, OCR settled with multiple covered entities for failures to protect PHI containing these identifiers, with penalties ranging from tens of thousands to millions of dollars.
The practical question is not whether your organization collects these identifiers. You do. The question is whether you know where all 18 appear in your systems and whether each location has appropriate safeguards.
How to Protect the 18 HIPAA Identifiers in Your Organization
Protecting these identifiers starts with knowing where they live. Most healthcare organizations store identifiers across more EHR fields, spreadsheets, email threads, and paper forms than they realize.
- Map every system that stores patient data. This includes your EHR, billing platform, scheduling software, email, fax, cloud storage, paper files, and any vendor portals. For each system, document which of the 18 identifiers it contains.
- Verify BAAs are in place for every vendor. If a cloud storage provider, billing clearinghouse, or IT support company can access systems containing any of the 18 identifiers, you need a business associate agreement with them. No BAA means no legal protection when a breach occurs.
- Apply access controls based on role. Front desk staff need scheduling data. They do not need access to clinical notes. Billing staff need insurance identifiers. They do not need radiology images. Role-based access limits how many identifiers any single user can reach.
- Encrypt data at rest and in transit. Encryption is an addressable safeguard under the Security Rule, but OCR treats unencrypted PHI as a de facto violation when a breach occurs. If a laptop with unencrypted patient records is stolen, every identifier on that device is exposed and reportable.
- Train staff on what counts as an identifier. Most staff understand that names and SSNs are sensitive. Fewer realize that an IP address, a ZIP code, or a device serial number can make health data into PHI. HIPAA training should include concrete examples of all 18 identifiers.
- Run a security risk assessment. A security risk assessment is required by the Security Rule at 45 CFR §164.308(a)(1)(ii)(A). This is where you identify gaps in how your organization handles identifiers, including systems that store them without adequate safeguards.
De-Identification: Removing the 18 Identifiers
HIPAA provides two paths to de-identify health data so it no longer qualifies as PHI:
Safe Harbor (45 CFR §164.514(b)(2)): Remove all 18 identifiers and confirm that the remaining data cannot reasonably identify an individual. This is the method most organizations use because it is prescriptive. If you strip every identifier on the list, the data is considered de-identified.
Expert Determination (45 CFR §164.514(b)(1)): A qualified statistical expert certifies that the risk of re-identification is "very small." This method is used primarily in research settings and requires documented methodology.
For a deeper breakdown of both methods, including common mistakes, see our guide to HIPAA de-identification requirements.
FAQs About the 18 HIPAA Identifiers
Is a ZIP code considered PHI under HIPAA?
A ZIP code alone is not PHI. But a ZIP code combined with any health information, such as a diagnosis, treatment, or provider visit, becomes PHI because geographic data smaller than a state is one of the 18 HIPAA identifiers. The Safe Harbor method allows only the first three digits of a ZIP code, and only if the area has more than 20,000 residents.
Does HIPAA consider an IP address to be PHI?
Yes, when linked to health information. An IP address logged during a telehealth session, patient portal login, or online health form submission qualifies as PHI. OCR's 2022 guidance on online tracking technologies confirmed that analytics tools capturing IP addresses on healthcare websites may be creating PHI without a business associate agreement in place.
What happens if only one identifier is attached to health data?
One identifier is enough. If a single data element from the list of 18 is combined with health information, the record is PHI and HIPAA applies in full. There is no threshold requiring multiple identifiers.
Can I use patient data for research without removing all 18 identifiers?
You can if you obtain a valid HIPAA authorization from the patient, or if an Institutional Review Board or Privacy Board grants a waiver. Otherwise, the data must be de-identified using either the Safe Harbor or Expert Determination method before it can be used for research without authorization.
Are employee health records subject to the 18 HIPAA identifiers?
It depends on context. Employee health records maintained by a covered entity acting as a healthcare provider, such as an employee wellness clinic, are protected by HIPAA. Employment records held by the employer in its capacity as an employer are generally not covered by HIPAA, though they may be covered by other laws like the ADA.
How often should we audit where the 18 identifiers are stored?
At least annually as part of your security risk assessment, and whenever you add a new system, vendor, or workflow that handles patient data. New tools, from scheduling apps to AI transcription services, can introduce new locations where identifiers are stored without your compliance team knowing about it.
Conclusion
The 18 HIPAA identifiers are the line between health data and protected health information. Every HIPAA obligation, from encryption to breach notification, flows from whether your data contains one or more of these identifiers. Knowing the list is the starting point. Knowing where each identifier lives in your systems and whether it is adequately protected is where compliance actually happens.
One Guy Consulting helps healthcare organizations map their PHI exposure, close gaps, and build safeguards that hold up under an OCR investigation. Schedule a free HIPAA checkup to find out where your practice stands.
Sources
- 45 CFR §164.514 - Other requirements relating to uses and disclosures of PHI
- HHS Guidance on De-identification of PHI
- OCR Bulletin on Online Tracking Technologies (2022)
- HHS OCR Resolution Agreements and Civil Money Penalties
- HIPAA Security Rule