HIPAA PHI Identifiers | Data Protection & Compliance

What Is PHI in HIPAA? The 18 Identifiers with Examples (2025)

Protected Health Information (PHI) is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA). It refers to any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. Under the HIPAA Privacy Rule, PHI must be protected, meaning it cannot be used or disclosed without the individual's authorization or as otherwise permitted by law.

To clarify what constitutes PHI, HIPAA's de-identification standard specifies 18 types of identifiers that, if present, render health information identifiable and therefore subject to PHI protections. When all 18 identifiers are removed, the health information is considered de-identified and no longer PHI.

Here are the 18 HIPAA Identifiers with examples:

Names:

  • Example: John Doe, Jane Smith. This includes full names, last names, first names, middle names, and any initials that could uniquely identify an individual.

All Geographic Subdivisions Smaller Than a State:

  • Example: Street address (123 Main St), city (Anytown), county (Any County), precinct, zip code (12345), and their equivalent geocodes. A zip code is an identifier even when it appears without the rest of the address; the one exception in the de-identification standard is the first three digits of a zip code, which may be kept when the geographic unit covered by those three digits contains more than 20,000 people.

All Elements of Dates (Except Year) for Dates Directly Related to an Individual, Including Birth Date, Admission Date, Discharge Date, Date of Death; and All Ages Over 89 and All Elements of Dates (Including Year) Indicative of Such Age:

  • Example: A patient's exact date of birth (May 15), hospital admission date (March 10), discharge date (March 12), or date of death (October 25). If a person is over 89, their exact age and full date of birth (including the year) become identifiers to prevent unique identification.

Telephone Numbers:

  • Example: (555) 123-4567. Any phone number associated with the individual.

Fax Numbers:

  • Example: (555) 123-7890. Any fax number associated with the individual.

Email Addresses:

Social Security Numbers (SSN):

  • Example: XXX-XX-1234. The full Social Security Number.

Medical Record Numbers:

  • Example: MRN-009876. A unique identifier assigned to a patient's medical records.

Health Plan Beneficiary Numbers:

  • Example: HPB-54321. Unique numbers assigned by health insurance plans to individuals.

Account Numbers:

  • Example: Account# 987654. Any financial account number associated with the individual, such as bank accounts or billing accounts.

Certificate/License Numbers:

  • Example: Driver's License #XYZ123, Professional License #L4567. Any professional, state, or other official certification or license numbers.

Vehicle Identifiers and Serial Numbers, Including License Plate Numbers:

  • Example: VIN: ABC123DEF456GHI789, License Plate: JANE555. This includes any vehicle serial number or license plate that could identify an individual.

Device Identifiers and Serial Numbers:

  • Example: Medical device serial #DEV9876, Implant serial #IMP-123. Any unique serial number from medical devices, equipment, or other personal devices.

Web Universal Resource Locators (URLs):

Internet Protocol (IP) Address Numbers:

  • Example: 192.168.1.100. Any IP address that can be linked to an individual.

Biometric Identifiers, Including Finger and Voice Prints:

  • Example: Fingerprint scan, voice recording for identification, retinal scan. Any unique biological characteristic.

Full Face Photographic Images and Any Comparable Images:

  • Example: A clear photograph of a person's face, or any other image that could be used for unique identification.

Any Other Unique Identifying Number, Characteristic, or Code:

  • Example: A specific research participant ID (if not randomly assigned and not linked back to a master list that contains identifiers), or any other marker that could potentially identify an individual. This is a catch-all category to ensure no identifiable information is overlooked.

Understanding and correctly identifying these 18 identifiers is crucial for healthcare organizations and their business associates to ensure proper PHI protection and maintain HIPAA compliance in 2025 and beyond.
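The list above is the Safe Harbor method of HIPAA de-identification, and it maps almost directly to code. The following Python is an added example, not part of the original article and not a Risk Cognizance product: it drops the fields that hold identifiers 1 and 4 through 18, generalizes geography and dates per identifiers 2 and 3, aggregates ages over 89 into a "90+" bucket, and scans free-text notes for identifier-shaped strings that structured-field removal would miss. The field names, the sample record and the regular expressions are assumptions made for this illustration; the set of restricted three-digit zip prefixes is the one HHS publishes in its de-identification guidance (based on 2000 Census figures) and must be re-checked against current census data before use.

```python
"""Safe Harbor de-identification of a constructed patient record (added example)."""
import re
from datetime import date

# Identifiers 1 and 4-18 live in dedicated fields in this constructed schema
# and are dropped outright. Field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Identifier 2: geography below state level is dropped; only a zip prefix survives.
GEOGRAPHY_FIELDS = {"street", "city", "county"}

# Three-digit zip prefixes that HHS de-identification guidance lists as covering
# 20,000 or fewer people (2000 Census); these must be replaced by 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifier shapes that commonly leak into free-text notes (constructed patterns).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 when that prefix is sparsely populated."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def compute_age(dob, as_of):
    """Age in completed years on the reference date."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def is_over_89(record, as_of):
    """Identifier 3: ages over 89 must be aggregated into a single 90+ bucket."""
    age = record.get("age")
    if record.get("dob") is not None:
        age = compute_age(record["dob"], as_of)
    return age is not None and age > 89


def scrub_free_text(text):
    """Replace identifier-shaped substrings; return the text and the kinds found."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{kind.upper()} REMOVED]", text)
        if count:
            found.append(kind)
    return text, found


def deidentify(record, as_of):
    """Apply the Safe Harbor rules to one record and return a de-identified copy."""
    over_89 = is_over_89(record, as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEOGRAPHY_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            if not over_89:  # the birth year itself would reveal an age over 89
                out[key] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)  # admission, discharge, death: year only
        elif key == "notes":
            out[key], _ = scrub_free_text(value)
        elif key != "age":
            out[key] = value
    if over_89:
        out["age"] = "90+"
    elif "age" in record:
        out["age"] = record["age"]
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Smith",
    "street": "123 Main St",
    "city": "Anytown",
    "zip": "03601",
    "dob": date(1933, 5, 15),
    "admission": date(2025, 3, 10),
    "discharge": date(2025, 3, 12),
    "phone": "(555) 123-4567",
    "mrn": "MRN-009876",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to (555) 123-4567; chart sent to jane@example.com on 2025-03-12.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2025, 6, 1)))
```

Running it on the sample record yields only the zip prefix (collapsed to 000 because 036 is on the restricted list), the admission and discharge years, the diagnosis, the scrubbed notes and an age of 90+; the birth date disappears entirely because the patient is over 89. The free-text pass is deliberately conservative and will also redact dates and numbers that are not patient identifiers, which is the right trade-off when the alternative is leaking PHI.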


How to Protect PHI

Protecting PHI is a multi-layered effort requiring robust administrative, physical, and technical safeguards. Adhering to HIPAA regulations isn't just about compliance; it's about building patient trust and safeguarding sensitive data from increasingly sophisticated threats.

Here are key strategies to protect PHI:

1. Implement Strong Administrative Safeguards

These are the foundational policies and procedures that guide an organization's PHI protection efforts.

  • Conduct Regular Risk Assessments: Periodically identify potential threats and vulnerabilities to PHI. Develop and implement strategies to mitigate these risks effectively.
  • Develop Comprehensive Security Policies: Create clear, written policies and procedures for handling, transmitting, and storing PHI. Ensure these policies are regularly reviewed and updated.
  • Designate a Security and Privacy Officer: Appoint individuals responsible for developing, implementing, and enforcing HIPAA policies and procedures.
  • Provide Workforce Training: Regularly train all employees, including temporary staff and volunteers, on HIPAA Privacy and Security Rules. Emphasize awareness of phishing, social engineering, and proper data handling.
  • Establish Business Associate Agreements (BAAs): Ensure that any third-party vendor or partner who handles PHI (Business Associate) signs a BAA, obligating them to protect PHI to HIPAA standards.
  • Develop Contingency Plans: Create detailed plans for data backup, disaster recovery, and emergency mode operation to ensure PHI availability and integrity during system failures or disasters.

2. Apply Robust Technical Safeguards

These involve the technology and security settings used to protect electronic PHI (ePHI).

  • Encrypt ePHI: Encrypt all ePHI both when it's "at rest" (stored on servers, hard drives, mobile devices) and "in transit" (being transmitted over networks, including email and secure portals). Encryption renders data unreadable to unauthorized parties.
  • Implement Access Controls: Restrict access to ePHI based on the "minimum necessary" principle. Users should only have access to the PHI required to perform their job functions. This includes unique user IDs, automatic logoffs, and access logging.
  • Utilize Strong Authentication: Mandate complex passwords, multi-factor authentication (MFA), or biometric verification to secure access to systems containing PHI.
  • Implement Audit Controls: Regularly record and examine activity in information systems that contain or use ePHI. This helps detect attempted breaches or unauthorized access.
  • Ensure Data Integrity: Implement mechanisms to ensure ePHI has not been altered or destroyed in an unauthorized manner. This could include checksums or digital signatures.
  • Secure Network Transmissions: Use secure communication channels (e.g., VPNs, TLS encryption) when transmitting ePHI over electronic networks to protect it from interception.
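The audit-control and data-integrity items above are easier to reason about with a concrete check in hand. The following Python is an added example, not code from the article or from a Risk Cognizance product: it parses constructed ePHI access-log lines, flags accesses that fall outside a user's assigned patients (the "minimum necessary" principle) and any export action, and chains a keyed SHA-256 hash over the log so that editing, dropping or reordering a line is detectable. The log format, the user-to-record assignments and the key are all assumptions made for this illustration.

```python
"""Audit-control and log-integrity checks over constructed ePHI access logs (added example)."""
import hashlib
import hmac

# Constructed audit-log lines in a simple key=value format (not from a real system).
AUDIT_LOG = [
    "2025-03-10T09:12:33Z user=nurse01 role=nurse action=view mrn=MRN-009876",
    "2025-03-10T09:14:02Z user=nurse01 role=nurse action=view mrn=MRN-004411",
    "2025-03-10T09:20:45Z user=billing02 role=billing action=view mrn=MRN-009876",
    "2025-03-10T22:31:10Z user=nurse01 role=nurse action=view mrn=MRN-777001",
    "2025-03-10T22:31:55Z user=nurse01 role=nurse action=export mrn=MRN-777002",
]

# Constructed care-team assignments: the records each user needs for their job.
# In practice this comes from scheduling or the EHR, not a literal in code.
ASSIGNMENTS = {
    "nurse01": {"MRN-009876", "MRN-004411"},
    "billing02": {"MRN-009876"},
}

# Constructed key; in production it belongs in an HSM or secrets manager.
LOG_KEY = b"example-audit-log-key"


def parse_line(line):
    """Split a log line into a dict: the timestamp plus each key=value field."""
    timestamp, *fields = line.split()
    entry = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        entry[key] = value
    return entry


def find_violations(log_lines, assignments):
    """Return (timestamp, user, reason, mrn) for accesses outside the user's
    assignment and for every export, which deserves review regardless."""
    findings = []
    for line in log_lines:
        entry = parse_line(line)
        allowed = assignments.get(entry["user"], set())
        if entry["mrn"] not in allowed:
            findings.append((entry["timestamp"], entry["user"], "outside-assignment", entry["mrn"]))
        if entry["action"] == "export":
            findings.append((entry["timestamp"], entry["user"], "export", entry["mrn"]))
    return findings


def seal_log(log_lines, key):
    """Chain a keyed hash over the lines; any edit, deletion or reordering
    changes the final value. Store the seal separately from the log itself."""
    digest = bytes(32)
    for line in log_lines:
        digest = hmac.new(key, digest + line.encode(), hashlib.sha256).digest()
    return digest.hex()


def verify_log(log_lines, key, expected_seal):
    """Recompute the seal and compare it in constant time with the stored one."""
    return hmac.compare_digest(seal_log(log_lines, key), expected_seal)


if __name__ == "__main__":
    for finding in find_violations(AUDIT_LOG, ASSIGNMENTS):
        print("ALERT", *finding)
    seal = seal_log(AUDIT_LOG, LOG_KEY)
    print("log intact:", verify_log(AUDIT_LOG, LOG_KEY, seal))
```

On the sample log the check raises three findings, all for nurse01: two late-evening views of records that are not on that user's assignment list, and an export of one of them. Removing the fourth line from a copy of the log, or changing the record number in it, makes the stored seal fail to verify, which is the property the integrity safeguard asks for.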

3. Maintain Physical Safeguards

These are physical measures to protect electronic information systems and the buildings in which they are housed from natural and environmental hazards and unauthorized intrusion.

  • Control Facility Access: Implement policies and procedures to limit physical access to facilities where PHI is stored, ensuring only authorized personnel can enter. This includes locked doors, alarm systems, and surveillance.
  • Secure Workstations: Position workstations storing or accessing PHI in areas that restrict unauthorized viewing. Implement automatic logoff and screen lock features.
  • Manage Device and Media: Control the movement of hardware and electronic media containing ePHI within and out of the facility. This includes secure disposal, proper reuse of media, and tracking of inventory.

By meticulously implementing these layers of protection, organizations can significantly reduce the risk of PHI breaches, maintain compliance with HIPAA, and uphold their commitment to patient privacy and security.

How Risk Cognizance Helps Organizations Comply with HIPAA, While Protecting and Directing PHI Data

Navigating the complexities of HIPAA compliance and effectively protecting PHI requires an integrated and automated approach. Risk Cognizance's Integrated Connected GRC Software provides a comprehensive platform that empowers organizations to meet stringent HIPAA requirements, safeguarding sensitive health information from creation to disposal.

Here’s how Risk Cognizance assists with HIPAA compliance, PHI protection, and data direction:

Holistic GRC for HIPAA Compliance:

  • Our Integrated Connected GRC Software centralizes all HIPAA-related policies, controls, risks, and compliance activities. This ensures a unified approach to the HIPAA Privacy Rule and Security Rule.
  • With Regulatory Compliance Management Software and IT & Cyber Compliance Management Software, organizations can map their internal controls directly to HIPAA requirements, automate evidence collection, and generate audit-ready reports, significantly reducing manual effort and improving compliance posture.

Proactive Attack Surface Management (ASM) for PHI Security:

  • Ransomware and other cyber threats often exploit vulnerabilities in an organization's digital footprint. Our Attack Surface Management (ASM) capabilities continuously discover, inventory, and assess all internet-facing assets and internal systems that may store or process PHI.
  • By identifying and remediating weaknesses, such as misconfigured servers or unpatched software, ASM proactively shrinks the potential entry points for attackers, directly reducing the risk of a PHI breach.

Robust Third-Party Risk Management (TPRM) for PHI Data:

  • HIPAA's Business Associate Agreement (BAA) requirements underscore the critical role of third parties in PHI protection. Our Vendor Risk Management Software (TPRM) provides comprehensive tools to manage these relationships.
  • You can conduct thorough due diligence, assess vendors' security postures against HIPAA standards, monitor their compliance continuously, and ensure that robust BAAs are in place. This mitigates the risk of PHI exposure through your extended vendor ecosystem.

Intelligent Dark Web Monitoring (DWM) for PHI Direction and Protection:

  • Through its standalone Dark Web Monitoring module, Risk Cognizance's platform supports detecting exposed PHI data.
  • Our Policy Management Software enforces data handling rules, ensuring PHI is accessed only on a "minimum necessary" basis via granular access controls.
  • The platform's Case and Incident Management Software ensures that any unauthorized access attempts or data anomalies related to PHI are promptly identified, investigated, and remediated, maintaining the integrity and confidentiality of the data flow.
  • This ensures that PHI moves only through authorized channels, with appropriate safeguards, audit trails, and accountability at each step.

By leveraging the integrated power of GRC, ASM, and TPRM capabilities, Risk Cognizance provides a comprehensive framework to not only achieve HIPAA compliance but also to proactively protect and properly direct all PHI data within your organization and across your third-party network. This holistic approach ensures continuous monitoring, reduces risk exposure, and instills confidence in your ability to safeguard sensitive patient information.
