The 18 HIPAA Identifiers of PHI: What Your Business Needs to Recognize, Protect, and De-Identify

May 6, 2026


The HHS Office for Civil Rights has taken HIPAA enforcement action against medical practices, billing companies, and IT service providers of all sizes. According to HHS enforcement data, resolution agreements and civil monetary penalties have applied to entities ranging from solo practitioners to mid-size health systems. Penalties follow a tiered structure that escalates based on willfulness and whether the violation was corrected. HIPAA regulations apply with the same protections regardless of organization size.

The consistent thread in many enforcement cases is not deliberate disregard for the law. It is that workforce members handling patient records could not reliably identify which data elements were regulated. PHI you cannot recognize is PHI you cannot protect.

HIPAA, the Health Insurance Portability and Accountability Act, defines exactly 18 categories of identifiers that, when linked to health information, create Protected Health Information (PHI). Many compliance training materials in common use list only seven. That gap is not a minor academic distinction. It creates classification failures that leave regulated, identifiable data in unprotected systems.

This article covers all 18 HIPAA identifiers, explains why so many searches still return “seven identifiers,” and outlines what SMBs can do to recognize and protect regulated health data across their everyday systems.


What PHI Means Under HIPAA

Protected health information (PHI) is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. The HIPAA Privacy Rule regulates the data itself, not the medium carrying it. PHI covers an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, and past, present, or future payment for that care.

Covered entities include health care providers of all types (any provider who transmits health information electronically), health plans, and health care clearinghouses. Business associates are vendors, IT providers, billing companies, and other service organizations that access or process PHI on a covered entity’s behalf. If you are not sure whether your organization qualifies, our HIPAA compliance decision framework can help you find out.

The U.S. Department of Health and Human Services (HHS) administers the HIPAA Privacy Rule. HHS defines what qualifies as PHI and sets the standards for when it can be used, disclosed, or retained without patient authorization. A covered entity may use or disclose PHI only as the Privacy Rule permits, and the covered entity’s workforce must follow these standards.

Format is irrelevant to those obligations. Each of the following carries identical requirements when it contains PHI:

  • A paper chart or medical records file
  • An email thread
  • A voicemail
  • An electronic health records (EHR) database record
  • Billing records in a practice management system

All 18 HIPAA PHI Identifiers

The following 18 categories come directly from 45 CFR 164.514(b), the Privacy Rule’s de-identification standard. Any one of these data elements, when linked to an individual’s health information, creates PHI.

  1. Names: first, last, or any combination
  2. Geographic data: any subdivision smaller than a state, including street address, city, county, and ZIP code. The first three digits of a ZIP code are also restricted when the geographic unit formed by combining all ZIP codes with the same three initial digits has a population of 20,000 or fewer.
  3. Dates (other than year alone) directly related to the individual: birth date, admission date, discharge date, death date, and any age over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses: including business email when individually identifiable
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate and license numbers: professional, medical, or state-issued (including license plate numbers)
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers (identifiers and serial numbers for medical devices and equipment)
  14. Web Universal Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including fingerprints and voice prints
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code that could be used to re-identify an individual

HHS publishes the authoritative de-identification guidance, including the full 45 CFR 164.514(b) enumeration with regulatory commentary.


Why Searches Return “Seven Identifiers” and Why That Number Is Wrong

The phrase “7 identifiers of PHI” does not appear anywhere in HIPAA regulations. The Privacy Rule specifies 18 HIPAA identifiers under 45 CFR 164.514(b), and that count has not changed.

The likely origin: research ethics and IRB (Institutional Review Board) contexts sometimes group direct identifiers into approximately seven broader categories for study anonymization purposes. That shorthand entered online compliance training decks and spread without correction into general-purpose HIPAA summaries. The Family Educational Rights and Privacy Act (FERPA) uses a different identifier framework, which may also contribute to the confusion.

One identifier is all it takes. Link any one from the list above to an individual’s health information (a past, present, or future condition, treatment, or payment for care) and the data becomes PHI, regardless of how many other identifiers are present or absent.

Any process built on an abbreviated list operates on incomplete information:

  • Internal audits miss unclassified data stores containing personally identifiable information
  • Vendor reviews do not assess the full identifier scope
  • Staff training leaves workforce members unable to recognize regulated data

The full 18 is the only defensible baseline.


Identifiers That Most Often Catch SMBs Off Guard

Some identifiers are obvious: names, Social Security numbers, medical record numbers. Others surface in systems that operations and IT staff do not associate with HIPAA at all.

IP addresses (#15): Server logs, patient portals, and appointment booking tools that record IP addresses alongside health data are processing PHI. Most non-clinical staff managing these systems do not realize that HIPAA regulations apply to them.

Email addresses (#6): A thread between a staff member and a patient referencing a diagnosis, a prescription, or an appointment date is PHI, even when sent through a standard business email client on a general-purpose account. These patient records require the same protections as data in clinical systems.

Biometric identifiers (#16): Fingerprint login systems in clinical or administrative settings capture PHI if the biometric data connects to health records in any way.

Device identifiers (#13): Tablets and smartphones that sync with EHR platforms carry PHI on endpoints that require active protection, management, and documented access controls.

Vehicle identifiers (#12): Directly relevant in home health, medical transport, and logistics operations where vehicle records connect to patient identity or care delivery.

Full-face photographs (#17): Intake photos, telehealth session screenshots, or ID scan images stored alongside patient data are regulated identifiers under HIPAA regulations.

The consistent pattern: PHI lives in scheduling software, CRM platforms, billing records tools, shared drives, and email archives, not just in clinical systems. Organizations evaluating their current exposure can start with HIPAA compliance support that covers where regulated data lives across the full stack.
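The pattern above (identifiers surfacing in logs, mailboxes and CRM exports rather than in clinical systems) is the kind of thing an inventory pass can surface automatically. The following is an added example, not code from the article or from LeadingIT: a small Python scanner that runs a few identifier patterns over constructed sample lines from three hypothetical sources and, for each hit, records whether the same line also carries health context, which is the second half of the PHI test. The patterns, the health-context keyword list, the source names and the sample lines are all assumptions made for the example.

```python
"""Added example: inventory a few HIPAA identifier categories across text sources.

Not the article's or LeadingIT's code. Patterns are heuristics constructed for
this example and will yield false positives; names (#1), photos (#17) and
biometrics (#16) need other techniques (dictionaries, NER, file-type checks).
"""
import re

# Regex heuristics for a handful of the 18 categories (numbers follow the article's list).
IDENTIFIER_PATTERNS = {
    "IP address (#15)": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Email address (#6)": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN (#7)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Phone number (#4)": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "Medical record number (#8)": re.compile(r"\bMRN[-: ]?\d{4,}\b"),
}

# Words that signal the line also carries health information (constructed list).
HEALTH_CONTEXT = re.compile(
    r"\b(diagnos\w*|prescri\w*|appointment\w*|visit|lab result|Rx|ICD)\b", re.IGNORECASE
)

# Constructed sample lines; no real people, addresses or accounts.
SAMPLE_SOURCES = {
    "portal-access.log": [
        '203.0.113.7 - - [14/Feb/2024:09:12:01] "GET /portal/appointments?mrn=MRN-0042 HTTP/1.1" 200',
        '198.51.100.23 - - [14/Feb/2024:09:15:44] "GET /static/logo.png HTTP/1.1" 200',
    ],
    "support-mailbox.txt": [
        "From: jane@example.com  Subject: refill my prescription before 2024-03-01",
        "From: vendor@example.net  Subject: invoice #4471 for Q1 licensing",
    ],
    "crm-export.csv": [
        "Jane Q. Example,815-555-0100,123-45-6789,follow-up visit diagnosis E11.9",
    ],
}


def scan_lines(lines):
    """Return one finding per identifier match, tagged with health-context linkage."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        linked = bool(HEALTH_CONTEXT.search(line))
        for category, pattern in IDENTIFIER_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "line": line_no,
                    "category": category,
                    "value": match.group(0),
                    "linked_to_health_info": linked,
                })
    return findings


def inventory(sources):
    """Map each source name to its list of findings."""
    return {name: scan_lines(lines) for name, lines in sources.items()}


def phi_sources(sources):
    """Sources holding at least one identifier on a line that also carries health context."""
    return sorted(
        name for name, findings in inventory(sources).items()
        if any(f["linked_to_health_info"] for f in findings)
    )


if __name__ == "__main__":
    for name, findings in inventory(SAMPLE_SOURCES).items():
        print(f"== {name}: {len(findings)} identifier hit(s)")
        for f in findings:
            flag = "PHI candidate" if f["linked_to_health_info"] else "identifier only"
            print(f"  line {f['line']}: {f['category']} {f['value']!r} [{flag}]")
    print("sources to bring under HIPAA controls:", phi_sources(SAMPLE_SOURCES))
```

An identifier on its own (the second portal line, the vendor e-mail) is flagged but not treated as PHI; an identifier on the same line as a diagnosis, prescription or appointment is. That distinction is why the scanner reports both counts instead of collapsing everything into one alert: the output is a list of systems to document and review, not a final classification.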


How De-Identification Works: Removing All 18 Identifiers from Data

Once all 18 identifiers are removed from a data set, the resulting de-identified health information is no longer PHI. De-identified data falls outside HIPAA’s regulatory scope entirely. It can be used for life sciences research, analytics, or operational reporting without the consent requirements and security controls that apply to PHI. Identifying and stripping these 18 data elements allows healthcare institutions to share vital data sets for clinical research and public health tracking.

Two recognized de-identification methods exist under the Privacy Rule. Both provide a pathway to de-identify PHI and produce data that falls outside HIPAA scope.

The Safe Harbor method requires three things:

  • Removal of all 18 identifiers from the data set to produce a de-identified data set
  • Geographic restrictions: the Safe Harbor method allows the first three digits of a ZIP code to be retained if the geographic unit formed by combining all ZIP codes with those three initial digits contains more than 20,000 people. Otherwise they must be changed to 000.
  • The covered entity must not have actual knowledge that the remaining information could be used, alone or in combination with other information, to re-identify any individual. The de-identification process is complete only when this condition is met.

All 18 must go. There is no partial credit. The risk of re-identification remains if even one identifier stays in the data set.

The Expert Determination method involves a qualified statistician who applies generally accepted statistical and scientific principles to certify that the re-identification risk is very small. HHS has published detailed methodological guidance on this approach.

Partial de-identification does not reduce compliance obligations. Removing 17 of the 18 identifiers while leaving one in place keeps the entire data set classified as PHI. Treat the de-identification process as all-or-nothing.
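The Safe Harbor rules above are mechanical enough to encode, and encoding them makes the edge cases visible: a ZIP prefix that covers too few people becomes 000, a date keeps only its year, and an age over 89 is reported as "90 or older" with the birth year withheld too, since the year alone would reveal the age. The following is an added example, not the article's or LeadingIT's code; the record schema, the field names and the set of small ZIP prefixes are assumptions constructed for the example (the real prefix list must come from Census population data). Anything not explicitly allowed through is dropped, so an unexpected column cannot leak.

```python
"""Added example: apply the Safe Harbor rules of 45 CFR 164.514(b) to one record.

Not the article's or LeadingIT's code. The schema and the small-ZIP set are
constructed for illustration. Code can strip the 18 categories; the third Safe
Harbor condition (no actual knowledge that the remainder re-identifies anyone)
is a human judgement and is not checked here.
"""
import re
from datetime import date

# Hypothetical 3-digit ZIP prefixes whose combined population is 20,000 or fewer.
SMALL_ZIP3_PREFIXES = {"036", "059", "102", "203"}

# The only fields allowed to pass through untouched (assumed schema).
# Everything else in the input record is dropped by default.
PASS_THROUGH_FIELDS = ("state", "diagnosis_code")

# Event dates that are reduced to year only (assumed field names).
EVENT_DATE_FIELDS = ("admission_date", "discharge_date", "death_date")


def safe_harbor_zip(zip_code):
    """Return the 3-digit ZIP prefix, or '000' when the prefix covers a small area."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in SMALL_ZIP3_PREFIXES:
        return "000"
    return prefix


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record, as_of):
    """Build a new record containing only Safe Harbor-permitted derivatives."""
    out = {k: record[k] for k in PASS_THROUGH_FIELDS if k in record}

    if record.get("zip") is not None:
        out["zip3"] = safe_harbor_zip(record["zip"])

    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            # Aggregate to a single category; the birth year is indicative of
            # the age and must be withheld as well.
            out["age"] = "90+"
        else:
            out["age"] = age
            out["birth_year"] = birth.year

    for field in EVENT_DATE_FIELDS:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year

    return out


# Constructed sample record; no real person, address or identifiers.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "phone": "815-555-0100",
    "ip_address": "203.0.113.7",
    "zip": "60014-1234",
    "state": "IL",
    "birth_date": date(1931, 4, 2),
    "admission_date": date(2024, 2, 14),
    "diagnosis_code": "E11.9",
    "notes_attachment": "intake_photo.jpg",  # unexpected column: dropped by the allowlist
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2024, 2, 14)))
```

The allowlist is the important design choice: a de-identification routine that removes known identifier columns leaves every column it did not anticipate in place, which is exactly the "17 of 18" failure the text describes. Building the output from permitted fields instead means a new column added upstream is removed until someone decides it may pass.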

Even during preparation, before de-identification is complete, the data is still PHI. It must be secured in transit and at rest throughout the workflow. Reliable automated backup systems with encryption are an operational requirement during any de-identification project.

Organizations that need to share health data under formal terms should also consider whether a data use agreement is required. A data use agreement governs how a limited data set (which retains some identifiers) can be used by the receiving party, and carries its own compliance requirements separate from full de-identification.


Six Steps SMBs Can Take to Protect PHI Right Now

Recognizing PHI is the starting point. Protecting it requires consistent operational controls across every system where regulated data touches your business. Health care organizations must practice the “minimum necessary” standard under the HIPAA Privacy Rule, limiting internal data access to only the minimum amount of identifiable data needed to complete a task.

  1. Map where all 18 identifiers appear. The EHR is the obvious target. The less obvious ones: email archives, billing platforms, scheduling tools, backup storage, and staff-issued mobile devices. Document every location before assessing controls.
  2. Apply least-privilege access controls. Staff with no operational need for patient records should not encounter them in shared drives, team inboxes, or CRM views. Access permissions must match job function within the designated record set, and access logs must exist to track who viewed what.
  3. Encrypt PHI in transit and at rest. HIPAA’s Security Rule classifies encryption as an addressable safeguard for electronic PHI. For most SMBs, the risk calculus is straightforward: implement it consistently, not selectively.
  4. Secure patient-facing email. Unencrypted standard email is one of the most common PHI exposure vectors. HIPAA-compliant messaging platforms should replace general-purpose email clients for any patient communication that includes health information.
  5. Patch and monitor every endpoint that touches PHI. Workstations, tablets, and mobile devices that sync with health records require consistent patching cycles, endpoint monitoring, and documented access logs. A 24/7 IT help desk that manages endpoint health continuously closes the gap between “we should patch that” and “it is done.”
  6. Train staff on all 18 HIPAA identifiers. Workforce members cannot protect PHI they do not recognize. Regular training on the full identifier list, with concrete examples drawn from your actual systems, reduces accidental disclosures before they become reportable breaches.

Frequently Asked Questions About HIPAA PHI Identifiers

Do All 18 Identifiers Have to Be Present for Data to Count as PHI? No. One identifier linked to health information about a specific individual is sufficient to create PHI. A patient’s name in a billing record, an IP address in a portal log tied to a medical appointment, or a photograph attached to a clinical intake form each independently qualifies that data as PHI under HIPAA.

Is an IP Address Really One of the 18 HIPAA Identifiers? Yes. IP addresses are explicitly listed as identifier #15 under 45 CFR 164.514(b)(2). Any system that logs IP addresses alongside patient portal activity, health plan access, or appointment booking is capturing a PHI identifier. That applies whenever the logged IP address can be associated with a specific individual’s health information.

Does PHI Regulation Apply Only to Digital Records? No. Paper files, verbal communications, and electronic records carry equal obligations under the HIPAA Privacy Rule. A printed intake form and a patient voicemail are regulated identically to an EHR database record. Medical records in any format receive the same protections.

If a Vendor Processes Our Patient Data, Are They Also Subject to HIPAA? Yes. Business associates who access PHI on behalf of a covered entity are directly subject to HIPAA’s Privacy and Security Rules. They must execute a signed Business Associate Agreement (BAA) with the covered entity, and both parties carry independent compliance obligations. The business associate agreement does not transfer liability away from the covered entity.

What Is the Difference Between the Safe Harbor Method and the Expert Determination Method? The Safe Harbor method requires removal of all 18 specific identifiers and confirmation that no residual information could enable re-identification. The Expert Determination method uses a qualified expert who applies generally accepted statistical and scientific principles to certify that the re-identification risk is very small. Both de-identification methods produce de-identified health information that falls outside HIPAA scope, though both retain some residual risk.

Where Can I Find an Official Reference for All 18 Identifiers? HHS publishes authoritative guidance titled “Guidance Regarding Methods for De-identification of Protected Health Information.” That document includes the full 45 CFR 164.514(b) enumeration with regulatory commentary and is the primary reference for any HIPAA de-identification or data classification work.


Protecting PHI Starts with Knowing What to Look For

When your staff can reliably identify all 18 HIPAA identifiers across every system in your environment, compliance becomes an operational discipline instead of a gap-finding exercise. With that foundation in place, accidental disclosures drop, vendor reviews become more targeted, and security investments cover the right systems, including the ones that are not obviously clinical. PHI exposure becomes a managed risk rather than a recurring crisis, and your team can focus on the work that actually moves the business forward.

LeadingIT provides managed IT and compliance services to businesses across the Chicagoland area, including healthcare-adjacent organizations handling PHI as covered entities or business associates. Our team helps clients locate regulated data in their existing systems, assess current controls, and close gaps before they become enforcement issues.

Contact our Chicagoland IT support team or call 815-788-6041 and see exactly where your PHI exposure stands.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective.
