18 PHI Identifiers You Need to Know for HIPAA Compliance
You've set up a new healthcare software system or are handling patient records, but suddenly you're worried: "What exactly counts as Protected Health Information?" The anxiety builds as you realize mishandling this sensitive data could result in devastating fines, reputation damage, and even legal action.
Healthcare providers, software developers, and business associates alike share this concern. As one developer on Reddit expressed, understanding "which type of things could get us in trouble" when working with patient data is critical for building compliant software.
With data breaches on the rise and penalties becoming increasingly severe, knowing exactly where PHI can be found is no longer optional—it's essential.
What is PHI?
Protected Health Information (PHI) refers to individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate. According to the HHS guidance, PHI includes any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual.
The key element that turns health information into PHI is identifiability: anything that ties the information to a particular person. The 18 identifiers listed below come from the Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)); health information that still carries any of them, whether for the patient or for the patient's relatives, employers, or household members, is treated as identifiable and is PHI that requires protection.
The 18 PHI Identifiers With Examples
PHI can be found in numerous places within healthcare settings and associated systems. Here are the 18 official identifiers with practical examples:
1. Names
Any part of a person's name that could identify them in relation to their health information.
- Example: "John Smith" in a patient record
- Where PHI can be found: Admission forms, medical charts, prescription labels, appointment schedules
2. Geographic Identifiers Smaller Than a State
Any geographic subdivision smaller than a state, including street address, city, county, precinct, and ZIP code, and their equivalent geocodes. Safe Harbor allows one exception: the first three digits of a ZIP code may be kept if the area formed by all ZIP codes sharing those three digits contains more than 20,000 people according to current Census data; for smaller areas the three digits must be changed to 000.
- Example: "123 Main Street, Springfield, IL 62701"
- Where PHI can be found: Patient registration forms, billing records, medical correspondence, shipping labels for medical supplies
3. All Elements of Dates
All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, plus all ages over 89 and any date element, including the year, that would reveal such an age. Those ages may be aggregated into a single category of "age 90 or older".
- Example: "Patient admitted on January 15, 2023" or "DOB: 04/22/1933"
- Where PHI can be found: Medical records, admission/discharge paperwork, appointment scheduling systems, birth certificates
4. Telephone Numbers
Any phone numbers associated with a patient.
- Example: "(555) 123-4567"
- Where PHI can be found: Contact information forms, call logs, voicemail systems, text message appointment reminders
5. Fax Numbers
Any fax numbers linked to a patient.
- Example: "(555) 987-6543"
- Where PHI can be found: Contact information sheets, referral forms, prescription transmission records
6. Email Addresses
Any email address belonging to a patient.
- Example: "jsmith@example.com"
- Where PHI can be found: Patient portals, email communication logs, newsletter subscription lists, online form submissions
7. Social Security Numbers
A patient's Social Security number (SSN) or any portion thereof.
- Example: "123-45-6789" or even just the last four digits "6789" (HHS de-identification guidance is explicit that derived fragments such as the last four digits do not satisfy Safe Harbor)
- Where PHI can be found: Insurance verification forms, billing documents, employment records for health-related claims
8. Medical Record Numbers
Unique numbers assigned to patients by healthcare providers.
- Example: "MRN: 987654321"
- Where PHI can be found: Patient charts, laboratory test orders, imaging requests, hospital wristbands
9. Health Plan Beneficiary Numbers
Numbers assigned by a health plan to identify individuals.
- Example: "BCBS ID: XYZ1234567890"
- Where PHI can be found: Insurance cards, explanation of benefits (EOB) documents, claims processing systems
10. Account Numbers
Financial account numbers related to healthcare payments.
- Example: "Patient Account #: 2022-567890"
- Where PHI can be found: Billing statements, payment records, collection agency communications
11. Certificate/License Numbers
Any certificate or license number that could identify an individual.
- Example: "Driver's License #: D1234567"
- Where PHI can be found: Patient identification verification forms, disability documentation
12. Vehicle Identifiers and Serial Numbers
Including license plate numbers, VINs, etc.
- Example: "Vehicle Plate: ABC-1234"
- Where PHI can be found: Accident reports, ambulance transport records, hospital parking permits
13. Device Identifiers and Serial Numbers
Numbers associated with medical devices used by or implanted in patients.
- Example: "Pacemaker Serial #: PM20225678"
- Where PHI can be found: Implant records, device tracking systems, maintenance logs, patient medical device registries
14. Web URLs
Web universal resource locators (URLs) that could identify patients.
- Example: "http://mychart.hospital.org/patient/12345"
- Where PHI can be found: Browser history on clinical workstations, patient portal access logs, telehealth session links
15. IP Addresses
Internet Protocol addresses that could identify computers or devices.
- Example: "192.168.1.1"
- Where PHI can be found: Network access logs, telehealth session data, patient portal login records, online form submissions
16. Biometric Identifiers
Includes fingerprints, retinal scans, voiceprints, etc.
- Example: Stored fingerprint data for patient identification
- Where PHI can be found: Biometric access systems to medical records, voice recognition systems for documentation, genetic test results containing sequence data unique to the patient
17. Full-Face Photos and Comparable Images
Any photographic image that could be used to identify a patient.
- Example: Patient ID photos, clinical before/after photos
- Where PHI can be found: Electronic medical records, dermatology files, plastic surgery documentation, telehealth video recordings
18. Any Other Unique Identifying Number, Characteristic, or Code
Any other unique identifier not explicitly mentioned in the other categories.
- Example: Patient-assigned identifier codes like "SMITH2022JAN"
- Where PHI can be found: Research study participant codes, custom patient identifiers in specialized systems
Where PHI Can Be Found: Common Locations
PHI can be found in numerous places throughout healthcare organizations and their associates. Understanding these locations is crucial for implementing proper safeguards:
Physical Locations:
- Paper medical records and charts
- Intake and registration forms
- Lab requisition forms
- Prescription pads and labels
- Fax machines and printouts
- Appointment cards and schedules
- Billing statements and invoices
- Sticky notes with patient information
- Whiteboards with patient details
- Patient wristbands and ID badges
Digital Locations:
- Electronic Health Record (EHR) systems
- Practice management software
- Billing and coding systems
- Email communications and attachments
- Text messages related to patient care
- Cloud storage containing medical files
- Backup systems and archives
- Mobile devices used for healthcare purposes
- Diagnostic equipment with patient data
- Telehealth platforms and recordings
Understanding What Is Not PHI
Not all health information qualifies as PHI. Understanding these distinctions can help organizations properly allocate their compliance resources:
- De-identified health information: Information de-identified by one of the two methods in 45 CFR 164.514(b). Safe Harbor removes all 18 identifiers of the individual and of the individual's relatives, employers, and household members, and requires that the covered entity have no actual knowledge that the remaining data could identify the individual. Expert Determination has a person with appropriate statistical expertise document that the risk of re-identification is very small. Either way, the result is no longer PHI.
- Employee records: Health information in employment records held by a covered entity in its role as an employer (for example, a sick-leave note in an HR file).
- Educational records: Those covered by the Family Educational Rights and Privacy Act (FERPA).
- Health information of individuals who have been deceased for more than 50 years.
- Aggregate data: Statistical summaries that do not identify individuals. Counts over very small groups can still single someone out, so small cells need suppression before the output is treated as non-PHI.
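The two tasks the identifier list and the de-identification item above imply, spotting pattern-shaped identifiers where they leak (log lines, free-text notes, form submissions from the Digital Locations list) and transforming a structured record the way Safe Harbor prescribes, are shown together in the following Python. It is an added example written for this article, not code from the original page or from HHS. It assumes a small constructed patient record and a constructed three-digit ZIP population table standing in for Census counts; the Safe Harbor logic (drop the direct identifiers, keep only the year of dates, report ages of 90 or more as "90+" with the birth year withheld, keep a ZIP prefix only above the 20,000-person threshold) follows 45 CFR 164.514(b)(2). The free-text scrubber only catches identifiers with a regular shape; names, addresses and anything under item 18 do not have one, so a regex pass is a screening aid, not proof of de-identification.

```python
"""Safe Harbor screening and de-identification helpers (illustrative, added example)."""
import re
from datetime import date
from typing import Any, Dict, List, Tuple

# Identifiers with a recognisable shape; these are the ones that leak into logs and notes.
# Ordered so the more specific shape (SSN) is tried before the looser one (phone).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # item 7
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}-\d{4}\b"),      # items 4 and 5
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),           # item 6
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),            # item 15
    "url":   re.compile(r"\bhttps?://\S+"),                         # item 14
    "mrn":   re.compile(r"\bMRN:?\s*\d{6,}\b", re.IGNORECASE),      # item 8, when tagged as MRN
}

# Structured fields that Safe Harbor removes outright (items 1, 2, 4-14, 16, 17).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "plate", "vin", "device_serial",
    "url", "ip", "biometric", "photo",
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every pattern-shaped identifier in free text."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]


def redact(text: str) -> str:
    """Replace pattern-shaped identifiers with a bracketed type tag."""
    for kind, pat in PATTERNS.items():
        text = pat.sub(f"[{kind.upper()}]", text)
    return text


def safe_harbor_zip(zip5: str, population_by_zip3: Dict[str, int]) -> str:
    """Keep the 3-digit prefix only if its area exceeds 20,000 people, else '000'.
    Prefixes missing from the table are treated conservatively as small areas."""
    prefix = zip5[:3]
    return prefix if population_by_zip3.get(prefix, 0) > 20000 else "000"


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify_record(record: Dict[str, Any], population_by_zip3: Dict[str, int],
                      as_of: date) -> Dict[str, Any]:
    """Apply the Safe Harbor field rules to one structured record."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                      # removed entirely
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value, population_by_zip3)
        elif field == "dob":
            age = age_on(value, as_of)
            if age >= 90:                                 # over 89: aggregate, withhold the year too
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)       # year alone is permitted
        elif field.endswith("_date") and isinstance(value, date):
            out[field[:-5] + "_year"] = str(value.year)   # admission/discharge/death: year only
        elif isinstance(value, str):
            out[field] = redact(value)                    # free text: scrub what a regex can see
        else:
            out[field] = value
    return out


# Constructed sample data; the population table stands in for Census counts per 3-digit ZIP area.
POPULATION_BY_ZIP3 = {"627": 250_000, "036": 15_000}
SAMPLE_RECORD = {
    "name": "John Smith",
    "street": "123 Main Street",
    "city": "Springfield",
    "zip": "62701",
    "dob": date(1933, 4, 22),
    "admit_date": date(2023, 1, 15),
    "phone": "(555) 123-4567",
    "mrn": "987654321",
    "diagnosis": "I10",
    "note": "Pt called from (555) 123-4567; portal http://mychart.hospital.org/patient/12345 set up, email john.smith@example.com",
}


def demo() -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Run two constructed records with a fixed 'as of' date so results are reproducible."""
    as_of = date(2024, 1, 1)
    second = {"dob": date(1980, 6, 30), "zip": "03601", "discharge_date": date(2022, 12, 31)}
    return (deidentify_record(SAMPLE_RECORD, POPULATION_BY_ZIP3, as_of),
            deidentify_record(second, POPULATION_BY_ZIP3, as_of))


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORD["note"]))
    for result in demo():
        print(result)
```

Two points the code makes that the list alone does not: the birth date of a 90-year-old loses its year as well as its month and day, because the year alone reveals an age over 89; and the ZIP rule depends on external population data, so an unknown prefix has to fail closed to 000. Safe Harbor additionally requires that the covered entity have no actual knowledge that the residual data could identify someone; where free-text notes must be kept, Expert Determination under 45 CFR 164.514(b)(1) is the realistic route.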
The Importance of Protecting PHI
As one Reddit user pointed out, "a significant amount of breaches come from business associates and the consequences for failing to comply with the business associate agreement can be quite severe if the startup is sued." This highlights the critical nature of understanding and protecting PHI.
The stakes are high:
- Civil penalties run from $100 to $50,000 per violation at the base statutory rates (HHS adjusts the figures for inflation each year), with a tiered annual cap for identical violations
- Criminal penalties under 42 U.S.C. § 1320d-6 can include fines up to $250,000 and imprisonment up to 10 years, the top tier applying to offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
- Reputational damage can be irreparable
- Patient trust, once broken, is difficult to restore
Many healthcare professionals have expressed that "it's extremely challenging for small practices to implement HIPAA," yet compliance is not optional. The complexity of requirements makes it essential to have clear guidance on identifying and protecting PHI.
Best Practices for Managing PHI
1. Establish a HIPAA Privacy Program
As recommended in online healthcare forums, "If you are accessing client PHI, you need to establish a HIPAA privacy program, meaning you have a CPO, policies and procedures that address secondary use and disclosure, minimum necessary, sanctions etc."
2. Implement Technical Safeguards
- Encrypt PHI at rest and in transit. Encryption is an "addressable" specification in the Security Rule rather than a flatly required one, but PHI encrypted in line with HHS guidance is not "unsecured PHI", so its loss does not trigger breach notification; treat it as mandatory in practice
- Employ access controls with unique user identification
- Maintain automatic logoff on all devices
- Create audit controls to track PHI access
- Ensure integrity controls to prevent unauthorized alteration
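Two of the safeguards above, audit controls and integrity controls, can be paired so that the audit trail itself resists silent editing. The following Python is an added example written for this article, not code from the original page or from any HIPAA guidance. It assumes an HMAC key that in practice lives in a KMS or HSM rather than beside the log, and constructed access events that use surrogate patient references; each entry's MAC covers the previous entry's MAC, so changing, reordering or deleting any record invalidates every record after it.

```python
"""Tamper-evident PHI access log (illustrative, added example)."""
import hashlib
import hmac
import json
from typing import Any, Dict, List


class PhiAuditLog:
    """Append-only trail: each entry's HMAC also covers the previous entry's HMAC,
    so editing, reordering or deleting an earlier record breaks every later one."""

    GENESIS = "genesis"

    def __init__(self, key: bytes) -> None:
        self._key = key                     # production: held in a KMS/HSM, never next to the log
        self.entries: List[Dict[str, Any]] = []

    def _mac(self, entry: Dict[str, Any], prev_mac: str) -> str:
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_mac.encode() + b"\n" + body, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, patient_ref: str, ts: str) -> str:
        """Append one access event. user_id is the unique user identifier the Security Rule
        requires; patient_ref should be an internal surrogate, not an MRN or a name."""
        entry = {"seq": len(self.entries), "user_id": user_id, "action": action,
                 "patient_ref": patient_ref, "ts": ts}
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        mac = self._mac(entry, prev)
        self.entries.append({**entry, "mac": mac})
        return mac

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first entry that fails."""
        prev = self.GENESIS
        for i, stored in enumerate(self.entries):
            entry = {k: v for k, v in stored.items() if k != "mac"}
            if entry.get("seq") != i or not hmac.compare_digest(self._mac(entry, prev), stored["mac"]):
                return i
            prev = stored["mac"]
        return -1


def demo() -> Dict[str, int]:
    """Three scenarios over constructed events: intact chain, edited entry, deleted entry."""
    log = PhiAuditLog(b"constructed-demo-key")   # constructed key, for the example only
    log.record("u-alice", "view", "pt-0001", "2024-01-15T09:00:00Z")
    log.record("u-bob", "export", "pt-0001", "2024-01-15T09:05:00Z")
    log.record("u-carol", "view", "pt-0002", "2024-01-15T09:10:00Z")
    intact = log.verify()
    log.entries[1]["user_id"] = "u-alice"        # insider rewrites who exported the record
    edited = log.verify()
    del log.entries[1]                           # or simply removes the entry
    deleted = log.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

Anyone holding the key could rebuild the chain, so the key must be unavailable to the application that writes the log, and the current chain head should be periodically anchored somewhere the application cannot reach. The log records which user touched which patient record and is itself PHI: it needs its own access control and encryption, and the seq and timestamp fields give the detection side a clean feed for spotting bulk exports or after-hours access by a single user ID.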
3. Train Staff Regularly
Regular training helps ensure all team members understand:
- How to identify PHI
- Where PHI can be found in your specific organization
- Proper handling procedures
- Breach reporting protocols
4. Conduct Risk Assessments
Regular risk assessments help identify vulnerabilities in how your organization handles PHI. As one compliance expert noted, "Review of the Security, Breach, and Privacy rules" should be part of your regular compliance activities.
5. Create a Culture of Compliance
Foster an environment where privacy is valued and protected. This means encouraging staff to report potential issues without fear of retaliation and regularly discussing the importance of PHI protection.
Conclusion
PHI can be found throughout healthcare organizations in both obvious and unexpected places. The 18 identifiers provide a clear framework for recognizing what constitutes PHI, but implementing proper protection requires diligence and commitment.
As healthcare continues to digitize and evolve, the locations where PHI can be found will expand. Organizations must stay vigilant and adaptable, continuously updating their understanding of PHI and the systems needed to protect it.
By thoroughly understanding what PHI is, where it can be located, and how to protect it, healthcare providers and their business associates can minimize the risk of breaches, avoid penalties, and—most importantly—maintain the trust of the patients they serve.
Frequently Asked Questions
What exactly is Protected Health Information (PHI)?
Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity (like a healthcare provider or insurer) or a business associate in connection with healthcare operations. This includes information about a person's past, present, or future physical or mental health condition, the provision of healthcare to an individual, or the past, present, or future payment for healthcare, when combined with one or more of the 18 specific identifiers defined by HIPAA.
Why is it so important to protect PHI?
Protecting PHI is crucial primarily to safeguard patient privacy and maintain trust in the healthcare system. Mishandling PHI can lead to severe consequences, including significant financial penalties for non-compliance, legal action, reputational damage to the organization, and potential harm or distress to individuals whose information is compromised.
Where is PHI most commonly found?
PHI can be found in a wide variety of locations, both physical and digital. Common physical locations include paper medical records, patient charts, prescription labels, and billing statements. Digitally, PHI is often present in Electronic Health Record (EHR) systems, practice management software, email communications, cloud storage, and mobile devices used for healthcare.
How can health information be de-identified?
HIPAA gives two routes, both in 45 CFR 164.514(b). Under Safe Harbor, all 18 identifiers of the individual and of the individual's relatives, employers, and household members are removed (names, geographic units smaller than a state, all date elements except year, Social Security numbers, and so on), and the covered entity must have no actual knowledge that the remaining information could identify anyone; derived fragments such as initials or the last four digits of an SSN do not qualify. Under Expert Determination, a person with appropriate statistical expertise documents that the risk of re-identification is very small. Properly de-identified information is no longer PHI and is outside the Privacy Rule's restrictions, although a re-identification code may be retained under the conditions the rule sets. The Department of Health & Human Services (HHS) publishes guidance on both methods.
What happens if PHI is not properly protected?
Failure to properly protect PHI can result in serious repercussions. These include substantial civil monetary penalties (base statutory amounts of $100 to $50,000 per violation, adjusted for inflation each year and capped annually for identical violations) and even criminal penalties involving fines up to $250,000 and imprisonment up to 10 years. Beyond legal and financial consequences, data breaches can cause significant reputational damage and erode patient trust.
What are some key best practices for managing PHI?
Key best practices for managing PHI include establishing a comprehensive HIPAA privacy program, implementing robust technical safeguards like encryption and access controls, conducting regular staff training on PHI handling, performing periodic risk assessments to identify vulnerabilities, and fostering a strong culture of compliance within the organization. These measures help ensure that PHI is consistently protected across all operations.
For more detailed guidance on HIPAA compliance, refer to:
- Complete guide on HIPAA compliance
- HIPAA Privacy Rule explained
- HIPAA compliance checklist
- HHS guidance on de-identifying health information
Understanding and properly managing PHI is not just about compliance—it's about respecting patient privacy and maintaining the integrity of the healthcare system.