In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had disclosed patient names, treatment records, and Social Security numbers to a marketing vendor — without a business associate agreement or any understanding of what constitutes protected health information. The compliance officer later admitted the workforce had never been trained on the elements of PHI. It's a failure I see repeatedly, and it's entirely preventable.

The 18 Elements of PHI Every Covered Entity Must Know

Under the HIPAA Privacy Rule, protected health information is individually identifiable health information (defined at 45 CFR §160.103) that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare, and that is created, received, held, or transmitted by a covered entity or business associate. Information is "individually identifiable" when it identifies the individual or gives a reasonable basis to believe it could be used to do so. In practice the working test is the list of 18 identifiers in the Safe Harbor de-identification standard at 45 CFR §164.514(b)(2): health information that carries any of them is PHI.

Here are the 18 identifiers as enumerated by HHS in the Safe Harbor standard:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except the first three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people (otherwise the prefix must be changed to 000)
  • All elements of dates except year that relate directly to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89 and any date element, including year, that reveals such an age (these may be aggregated into a single "90 or older" category)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers (including license plates)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

If even one of these identifiers is combined with health information held by a covered entity or business associate (a diagnosis, a treatment note, a billing code), it becomes PHI and triggers HIPAA's Privacy Rule and Breach Notification Rule in full, plus the Security Rule for any of it that is stored or transmitted electronically.

Why the "Health Information" Component Is Just as Critical

A common mistake I encounter in compliance audits is focusing exclusively on the identifiers while ignoring the health information component. A name by itself, with nothing tying it to care, is not PHI. A diagnosis alone, with no identifier attached, is not PHI. PHI exists only at the intersection: identifiable information linked to a health condition, healthcare service, or payment. Keep in mind that the link can be implicit: a name on a clinic's patient roster already reveals that the person received care there, which is why the roster itself is PHI.

This distinction matters operationally. Your front desk staff handling appointment schedules are working with PHI, because the schedule ties a patient name to a healthcare encounter. Your IT team managing server logs is handling electronic PHI (ePHI) as soon as those logs tie an IP address to a patient portal account or a record access event; a bare web server log with no link to any patient is not, but the join that makes it PHI usually already exists in the portal's authentication log. Understanding the elements of PHI means understanding both halves of the equation.

De-Identification: Removing the Elements That Create PHI

The Privacy Rule provides two methods for de-identifying health information under 45 CFR §164.514(b). The first is Expert Determination, where a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods determines that the risk of re-identification is very small and documents the methods and results that justify that conclusion. The second is the Safe Harbor method, which requires removal of all 18 identifiers listed above (for the individual and for their relatives, employers, and household members) and that the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

Once properly de-identified under either method, the data is no longer PHI and falls outside HIPAA's regulatory scope. One caveat: if you keep a re-identification code to link de-identified records back to source data, §164.514(c) requires that the code not be derived from information about the individual (a hash of the MRN or SSN does not meet that test) and that neither the code nor the mechanism behind it is disclosed. Healthcare organizations pursuing research, analytics, or population health initiatives frequently rely on de-identification, but shortcuts here create serious exposure. OCR has investigated cases where organizations removed names and dates but left medical record numbers intact, so the data was still PHI.
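The Safe Harbor transformation described above, as an added example that is not code from the original article: the record layout and field names, the set of small ZIP3 prefixes, and the sample records are constructed assumptions. It removes the direct identifiers, generalizes ZIP codes and dates as the rule requires, suppresses the birth year for anyone over 89, refuses to pass through any field that was not reviewed (free-text notes are where medical record numbers and phone numbers survive "de-identification"), and scans what remains for identifier-shaped strings.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) for one record layout.

Added example for this article, not code from the original page. The field
names, the small-ZIP3 set and the sample records are constructed assumptions.
"""
import datetime as dt
import re

# Fields that are Safe Harbor identifiers: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_template", "photo_ref",
    "other_unique_code",
}
# Fields reviewed and allowed through, some only after generalization.
# Anything in neither set (e.g. a free-text note) is rejected, because an
# unreviewed field is where identifiers survive "de-identification".
REVIEWED_FIELDS = {"zip", "birth_date", "admission_date", "discharge_date",
                   "sex", "diagnosis_code", "procedure_code"}
# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Constructed sample set; the real list is derived from Census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}
# Shapes that would mean an identifier survived in a string field.
RESIDUAL_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    # US phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),        # email
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),    # IPv4
]


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record, as_of):
    """Return the de-identified record, or raise ValueError if it cannot be made safe."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                    # identifier removed
        if key not in REVIEWED_FIELDS:
            raise ValueError(f"unreviewed field {key!r}")
        if key == "zip":
            out["zip3"] = "000" if value[:3] in SMALL_ZIP3 else value[:3]
        elif key == "birth_date":
            if age_on(value, as_of) > 89:
                out["age"] = "90+"                      # birth year suppressed too
            else:
                out["birth_year"] = value.year          # year only
        elif isinstance(value, dt.date):
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    for key, value in out.items():
        if isinstance(value, str) and any(p.search(value) for p in RESIDUAL_PATTERNS):
            raise ValueError(f"residual identifier in {key!r}")
    return out


def deidentify_batch(records, as_of):
    """Split records into (de-identified list, {index: reason} for rejects)."""
    cleared, rejected = [], {}
    for i, rec in enumerate(records):
        try:
            cleared.append(safe_harbor(rec, as_of))
        except ValueError as exc:
            rejected[i] = str(exc)
    return cleared, rejected


AS_OF = dt.date(2024, 3, 14)
# Constructed sample records; not real patient data.
SAMPLES = [
    {"name": "Jane Q. Sample", "mrn": "MRN-0048213", "ssn": "123-45-6789",
     "email": "jane@example.org", "ip_address": "203.0.113.7",
     "street_address": "12 Elm St", "zip": "03601",
     "birth_date": dt.date(1931, 5, 2), "admission_date": dt.date(2024, 3, 10),
     "discharge_date": dt.date(2024, 3, 14), "sex": "F", "diagnosis_code": "E11.9"},
    {"name": "John Sample", "mrn": "MRN-0048214", "zip": "02134",
     "birth_date": dt.date(1980, 9, 30), "admission_date": dt.date(2023, 12, 1),
     "sex": "M", "diagnosis_code": "J18.9"},
    # Free-text note: rejected rather than silently passed through.
    {"mrn": "MRN-0048215", "zip": "02134", "sex": "M", "diagnosis_code": "I10",
     "clinical_note": "Pt called from 617-555-0134 re: refill"},
]

if __name__ == "__main__":
    cleared, rejected = deidentify_batch(SAMPLES, AS_OF)
    for rec in cleared:
        print(rec)
    print("rejected:", rejected)
```

The design choice worth copying is the allow-list: a field is either a known identifier (dropped), a reviewed field (kept or generalized), or an error. A pure deny-list of 18 names would have waved the clinical note through, phone number and all, which is exactly the MRN-left-intact failure mode described above.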

The Minimum Necessary Standard and PHI Elements

Knowing the elements of PHI directly supports compliance with the minimum necessary standard under 45 CFR §164.502(b). This rule requires your covered entity to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. It does not apply to disclosures to or requests by a healthcare provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures to HHS for compliance purposes, or disclosures required by law; everything else, including payment and operations, is in scope.

In practice, this means your workforce needs to evaluate every data exchange: Does this eligibility fax to the health plan need the patient's full Social Security number? Does the file sent to a collections vendor need the diagnosis, or only the balance and dates of service? (A referral letter to another provider for treatment is exempt from the standard, but staff still have to know where that line falls.) Without a clear understanding of which data points constitute PHI, your staff cannot make these judgments. The result is routine over-disclosure, one of the most common HIPAA violations OCR documents in resolution agreements.

Where Organizations Consistently Get PHI Identification Wrong

Healthcare organizations consistently struggle with three areas related to PHI identification:

1. Digital Identifiers

Many compliance programs were built around paper records. IP addresses, device identifiers, and web URLs are frequently overlooked. If your patient portal logs tie an IP address to a patient account or a health record access event, that log is ePHI, and your Security Rule obligations (risk analysis, access controls, audit controls, retention, and breach handling) apply to it in full, not just to the EHR database behind it.

2. Photographs and Images

Full-face photographs are explicitly listed as PHI identifiers. Clinical photographs shared among providers, posted in case studies, or stored in EHR systems must be treated with the same protections as any other PHI element. A dermatology practice sharing a facial image with a visible condition and no redaction has disclosed PHI, period.

3. Compound Data Sets

Data that appears harmless in isolation can become PHI when combined. A ZIP code paired with a rare diagnosis and a date of service may be enough to identify a specific individual, especially in small communities. This is the reason Safe Harbor carries its "no actual knowledge" condition: stripping the 18 identifiers does not end your responsibility if you know the remaining columns still single someone out. Your risk analysis should account for re-identification risk in every dataset your organization shares or stores.
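A way to measure the compound-data risk just described, as an added example that is not code from the original article: it computes k-anonymity over the quasi-identifiers that survive Safe Harbor (ZIP3, birth year, sex, diagnosis code), then generalizes and suppresses until every released row is indistinguishable from at least k-1 others. The quasi-identifier set, the threshold k_min, and the extract rows are assumptions; HIPAA does not prescribe a k, but a class-size measure like this is the kind of evidence an Expert Determination documents.

```python
"""k-anonymity check on a de-identified extract (compound re-identification risk).

Added example for this article, not code from the original page. The
quasi-identifier set, the threshold K_MIN and the sample rows are assumptions.
"""
from collections import Counter

# Columns that survive Safe Harbor but, in combination, can still single someone out.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex", "diagnosis_code")


def key_of(row, quasi):
    return tuple(row.get(q) for q in quasi)


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """How many rows share each quasi-identifier combination."""
    return Counter(key_of(r, quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest class size: each row is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def risky_rows(rows, k_min, quasi=QUASI_IDENTIFIERS):
    """Indices of rows whose combination appears fewer than k_min times."""
    classes = equivalence_classes(rows, quasi)
    return [i for i, r in enumerate(rows) if classes[key_of(r, quasi)] < k_min]


def generalize(rows, field, fn):
    """Copy of rows with one column coarsened (e.g. birth year to decade)."""
    return [{**r, field: fn(r[field])} for r in rows]


def suppress_risky(rows, k_min, quasi=QUASI_IDENTIFIERS):
    """Drop rows that remain below k_min after generalization."""
    bad = set(risky_rows(rows, k_min, quasi))
    return [r for i, r in enumerate(rows) if i not in bad]


def decade(year):
    return f"{year // 10 * 10}s"


# Constructed extract: Safe Harbor already applied (ZIP3, year only, no names).
EXTRACT = [
    {"zip3": "021", "birth_year": 1965, "sex": "F", "diagnosis_code": "E11.9"},
    {"zip3": "021", "birth_year": 1965, "sex": "F", "diagnosis_code": "E11.9"},
    {"zip3": "021", "birth_year": 1965, "sex": "F", "diagnosis_code": "E11.9"},
    {"zip3": "021", "birth_year": 1972, "sex": "M", "diagnosis_code": "E11.9"},
    {"zip3": "021", "birth_year": 1972, "sex": "M", "diagnosis_code": "E11.9"},
    {"zip3": "021", "birth_year": 1972, "sex": "M", "diagnosis_code": "E11.9"},
    # Rare diagnosis: unique in the extract however the other columns are coarsened.
    {"zip3": "021", "birth_year": 1965, "sex": "F", "diagnosis_code": "E75.22"},
    # Unique only because of the exact birth year; coarsening to a decade fixes it.
    {"zip3": "021", "birth_year": 1978, "sex": "M", "diagnosis_code": "E11.9"},
]
K_MIN = 3


def release_pipeline(rows=EXTRACT, k_min=K_MIN):
    """Generalize, then suppress what is still risky; return (k before, k after, released rows)."""
    before = k_anonymity(rows)
    coarse = generalize(rows, "birth_year", decade)
    released = suppress_risky(coarse, k_min)
    return before, k_anonymity(released), released


if __name__ == "__main__":
    before, after, released = release_pipeline()
    print(f"k before: {before}, k after: {after}, rows released: {len(released)}")
    for row in released:
        print(row)
```

Two rows in the constructed extract are unique before any treatment. Coarsening birth year to a decade rescues the one that was unique only by year, but nothing short of suppression fixes the rare diagnosis, which is the case the paragraph above warns about: identifier removal alone does not make a row safe.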

Workforce Training on PHI Identification Is Not Optional

Under 45 CFR §164.530(b), every covered entity must train all workforce members on its privacy policies and procedures — and that training must be specific enough to cover the elements of PHI relevant to each role. A billing clerk, a nurse, and a systems administrator interact with different PHI elements in different contexts. Generic awareness training doesn't satisfy this requirement.

OCR has repeatedly emphasized in its enforcement actions that training failures are considered aggravating factors when calculating penalties. If your workforce can't identify what constitutes PHI, they can't protect it, and they can't apply the minimum necessary standard. Investing in comprehensive HIPAA training and certification is the most direct way to close this gap across your entire organization.

Building PHI Awareness Into Your Compliance Program

Start by auditing every department for PHI touchpoints. Map which of the 18 identifiers each team handles and how those identifiers are combined with health information. Update your Notice of Privacy Practices to reflect current data practices — including digital identifiers most patients don't expect you to collect.

Ensure your business associate agreements explicitly reference the types of PHI shared with each vendor. And conduct your HIPAA risk analysis with the full list of 18 identifiers in mind — not just names and dates.

Organizations that treat PHI identification as a foundational skill rather than an afterthought consistently perform better in OCR audits and experience fewer reportable breaches. If your workforce hasn't been trained on every element of PHI in the last 12 months, HIPAA Certify's workforce compliance program provides the structured, role-specific education your compliance program requires.

PHI isn't an abstract concept. It's 18 concrete data elements tied to health information. Every member of your workforce should be able to name them — and know exactly what to do when they encounter them.