
18 HIPAA Identifiers: What They Are & Why Knowing Them Matters

Between 2017 and 2021, complaints about HIPAA violations increased by 39%, and reported significant breaches increased by 58%.

There are several reasons why HIPAA violations continue to increase, including covered entities and internal employees not knowing the full extent of the HIPAA Privacy Rule and its mandatory protection of PHI. 

The 18 HIPAA identifiers are essential to know and understand so that covered entities can effectively train staff to avoid compliance violations and conduct regular risk assessments to ensure no sensitive information is vulnerable. 

Read on to gain an understanding of PHI, the HIPAA identifiers, and practical next steps covered entities can take to protect themselves from incidents and remain HIPAA compliant.

What is Considered PHI?

The HIPAA Privacy Rule, enacted in August 1996, established national standards for protecting certain health information. Any medical information that can be used to identify an individual patient is protected under the Rule and is referred to as protected health information (PHI) or, if transmitted electronically, electronic protected health information (ePHI).  

The 18 HIPAA identifiers are used to understand what falls under the umbrella of PHI. If any of these 18 identifiers are present in a document in conjunction with one’s health, healthcare, or payment for healthcare, then it is considered PHI that entities cannot release without patient authorization.   

The 18 PHI Identifiers

Any record containing one or more of the 18 HIPAA identifiers must be kept confidential, protected against unauthorized alteration, and made available to the individual it concerns upon request. The identifiers are as follows:


1. Patient Name(s)

A patient’s first and last name, in conjunction with health records, is considered PHI. It is worth noting that the process of de-identification can potentially be applied to the patient’s name and the other 17 identifiers. Per the Privacy Rule, this process removes identifiers from health information, thus mitigating privacy risks and allowing data to be used for research, policy assessment, and more.

2. Geographical Elements 

Any geographical subdivisions smaller than a state are considered PHI, including street address, city of residence, county, or zip code.

3. Health-Related Dates 

PHI covers any dates related to an individual’s health, including date of birth, date of admission, date of discharge, death date, and exact age of a patient if they are over 89.

4. Telephone Number

Any phone number possessed by an individual, including a home phone number, cellphone number, and work phone number, can be used to contact the individual and is therefore included in PHI.

5. Fax Number

Records or reports containing a patient’s fax number, whether it belongs to a fax machine or an online fax account, cannot be shared without authorization.

6. Email Addresses 

Both personal and professional email addresses are HIPAA identifiers.

7. Social Security Number 

The nine-digit number issued to U.S. citizens, permanent residents, and temporary residents is sensitive health information.

8. Medical Record Numbers 

Any number or code associated with a particular medical record or health history of an individual is PHI.

9. Health Insurance Beneficiary Numbers 

PHI includes the health plan beneficiary number, which a health insurance company or similar services assigns to individuals within their systems.

10. Account Numbers 

Account numbers associated with a person’s healthcare or bank account and used in financial transactions fall under PHI.

11. Certificate/License Numbers 

PHI includes any number issued to an individual who receives a certificate or license, including a driver’s license.

12. Vehicle Identifiers

Serial numbers and other vehicle identifiers, such as a license plate number, are PHI.

13. Device Attributes 

Device identifiers and serial numbers are unique numeric or alphanumeric codes assigned to medical devices through the FDA’s Unique Device Identification System and are PHI.

14. Digital Identifiers

PHI covers any digital identifiers, including website URLs.

15. IP Addresses

An Internet Protocol (IP) address is a unique numeric label that identifies a specific device on a network; because it shows where data comes from, it is considered PHI.

16. Biometric Elements

Fingerprints, retinal prints, voice prints, and other biometric elements that measure human characteristics are PHI.

17. Photographic Images

The HIPAA Privacy Rule protects full-face photographic images or comparably identifiable photos.

18. Other Identifying Numbers or Codes

The 18th identifier covers any other unique number, characteristic, or code that could identify an individual.
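The list above is the set of elements that the Privacy Rule's Safe Harbor method requires to be removed before health data counts as de-identified. As an added example (not code from the article or from Intraprise Health), the script below scans a constructed clinical note for the identifiers that have a recognisable shape in free text (SSN, phone and fax numbers, email, IP address, URL, medical record number, street address, zip code, dates, ages over 89) and replaces each with a bracketed token, while counting what it found. Names and sub-state geography have no reliable shape, so they are passed in from the record's structured fields (an assumption of this example; production systems use dictionaries or named-entity recognition for that). Keeping only the year of a date and collapsing ages above 89 into "90 or older" follows the Safe Harbor method; the note, the regexes and all sample values are constructed for illustration.

```python
"""Safe Harbor style PHI scan of a free-text note (added example, not the article's code)."""
import re
from dataclasses import dataclass, field

# Identifier shapes, ordered from most to least specific. Each match becomes a
# bracketed token containing letters, so a later (purely numeric) pattern
# cannot re-match what an earlier one already redacted.
PATTERNS = [
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I)),                    # medical record number
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),                           # social security number
    ("URL", re.compile(r"\bhttps?://[^\s)]*[^\s).,;]", re.I)),               # web address (drops trailing punctuation)
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),              # email address
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),                      # IPv4 address
    ("PHONE_OR_FAX", re.compile(r"(?<!\d)(?:\+?1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}\b")),
    ("STREET", re.compile(r"\b\d{1,5} (?:[A-Z][a-z]+ ){1,3}(?:St|Ave|Rd|Blvd|Dr|Ln)\b\.?")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),                            # geography below state level
]
DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")      # US-style date; year is retained
AGE = re.compile(r"\b(\d{2,3})[ -]year[ -]old\b", re.I)     # only ages above 89 are redacted


@dataclass
class ScanResult:
    text: str                                   # the redacted note
    found: dict[str, int] = field(default_factory=dict)   # identifier label -> occurrences


def deidentify(text: str, known_names: tuple[str, ...] = (),
               known_places: tuple[str, ...] = ()) -> ScanResult:
    """Redact the shaped identifiers plus any supplied names and localities."""
    found: dict[str, int] = {}

    def bump(label: str, n: int) -> None:
        if n:
            found[label] = found.get(label, 0) + n

    # Names and sub-state geography come from the structured record (assumption).
    for label, terms in (("NAME", known_names), ("GEO", known_places)):
        for term in terms:
            text, n = re.subn(re.escape(term), f"[{label}]", text, flags=re.I)
            bump(label, n)

    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        bump(label, n)

    # Safe Harbor: all date elements except the year must go.
    text, n = DATE.subn(lambda m: f"[DATE:{m.group(3)}]", text)
    bump("DATE", n)

    # Safe Harbor: ages over 89 are aggregated into a single "90 or older" bucket.
    over_89 = 0

    def age_repl(m: re.Match) -> str:
        nonlocal over_89
        if int(m.group(1)) > 89:
            over_89 += 1
            return "[AGE:90+]"
        return m.group(0)

    text = AGE.sub(age_repl, text)
    bump("AGE", over_89)
    return ScanResult(text, found)


def contains_phi(text: str, known_names: tuple[str, ...] = (),
                 known_places: tuple[str, ...] = ()) -> bool:
    """True if a scan still finds any of the identifiers this example recognises."""
    return bool(deidentify(text, known_names, known_places).found)


# Constructed sample note; every value is fictional.
NOTE = (
    "Patient Jane Doe (MRN 00123456), 92-year-old, DOB 03/14/1932, admitted 01/05/2024.\n"
    "Lives at 100 Main St, Pittsburgh, PA 15219. Home phone (412) 555-0142, fax 412-555-0199,\n"
    "email jane.doe@example.com, SSN 123-45-6789. Portal login from 203.0.113.7 "
    "via https://portal.example.org/visit/8812."
)

if __name__ == "__main__":
    result = deidentify(NOTE, known_names=("Jane Doe",), known_places=("Pittsburgh",))
    print(result.text)
    print(result.found)
```

Run as a script it prints the redacted note and a per-identifier count; a second pass over the redacted text with `contains_phi` finds nothing, which is the check a release pipeline would apply before data leaves the covered entity. The regex set deliberately stops at the identifiers that have a fixed shape; a real scanner would also have to cover identifier 18 (any other unique code), which no pattern can enumerate in advance.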

What is Not Considered PHI?

According to The HIPAA Guide, “Identifying information is not considered as PHI under HIPAA when it is not maintained or used in conjunction with health information. Therefore, if an individual’s name, address, and telephone number are maintained in a separate database, it does not have the same protections as PHI.”

In other words, the 18 identifiers are only considered PHI under HIPAA protection when used in documentation associated with healthcare. Conversely, health information without any identifiers (such as a dataset of patient vital signs without any identifiers attached) is not protected under HIPAA. 

There are other exceptions to HIPAA, but those situations are not common. In general, covered entities should take the time to understand the HIPAA criteria to conduct comprehensive risk assessments and risk analyses and prevent employees from making costly errors.  

Conclusion 

Melanie Fontes Rainer, OCR director, once stated, “We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”  The OCR practices what it preaches with the HHS Breach Report, a list of companies under investigation for HIPAA violations. 

Staying on top of the many moving pieces of compliance is a necessity for entities of all sizes looking to avoid the “Wall of Shame,” and being aware of the 18 HIPAA identifiers is just one critical component of doing that. Are you accounting for all 18 in your security protocol? Are you consistently ensuring that your security and compliance processes are up-to-date and account for all regulations so that nothing falls through the cracks? 

For entities looking to centralize all the moving parts of HIPAA compliance to avoid cybersecurity risks and compliance failure, investing in an automated compliance solution is one way of staying on top of every compliance process and requirement.  

Solutions such as HIPAA One® compliance software remove the confusion of compliance by giving you step-by-step guidance to risk analysis, remediation, and documentation.

Don’t let compliance fall through the cracks. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.

About the Author

Scott Mattila
CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.