In 2023, a dental practice in New England received a six-figure penalty from OCR after posting appointment reminders on a public-facing scheduling platform that exposed patient names, dates of birth, and procedure codes. The practice assumed it was only sharing "scheduling data" — not protected health information. That misunderstanding of HIPAA identifiable information is one of the most common and costly mistakes I see covered entities make.

What Counts as HIPAA Identifiable Information Under the Privacy Rule

HIPAA's definitions section (45 CFR §160.103, which the Privacy Rule in Part 164 builds on) defines protected health information as individually identifiable health information that a covered entity or business associate transmits or maintains in any form or medium. The key phrase is "individually identifiable": the data either identifies the person outright or gives a reasonable basis to believe it can be used to identify them. The definition carves out only a few things: employment records a covered entity holds in its role as employer, education records covered by FERPA, and information about people who have been dead for more than 50 years.

This goes far beyond names and Social Security numbers. PHI includes any health data linked to a specific individual, whether it exists in electronic, paper, or oral form. A lab result on a printed page, a diagnosis mentioned in a voicemail, and a medication list stored in an EHR all qualify as protected health information if tied to an identifiable person.

The 18 Identifiers That Make Health Data PHI

45 CFR §164.514(b)(2) lists 18 categories of identifiers that the Safe Harbor de-identification method requires you to remove, and it applies them not only to the patient but to the patient's relatives, employers, and household members. Health information that still carries any one of them is individually identifiable and gets full Privacy Rule protection. Your workforce needs to recognize every one of them:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes); the first three digits of a ZIP code may be kept only if the area sharing those three digits has more than 20,000 people, otherwise they are changed to 000
  • All elements of dates other than year that relate directly to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89 and any date element, including year, that would reveal such an age; those may only be reported as a single "90 or older" category
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

That last category, "any other unique identifying number, characteristic, or code," is intentionally broad. An internal patient ID, encounter number, or reference code that staff assume is harmless still qualifies if it can be traced back to a person. The one carve-out is in §164.514(c): a covered entity may attach a re-identification code to de-identified data, but only if the code is not derived from information about the individual (a hashed MRN or SSN does not qualify) and the re-identification mechanism is never disclosed.

Why Your Workforce Gets HIPAA Identifiable Information Wrong

Healthcare organizations consistently struggle with the boundaries of identifiable information because PHI doesn't always look like PHI. A spreadsheet of diagnosis codes with no names might seem harmless — until you realize it also contains zip codes and dates of service that, combined, could identify a specific patient.

In my work with covered entities, I find that front-desk staff, billing teams, and IT personnel often underestimate what qualifies. They may strip a patient's name from a dataset and assume it's de-identified, not realizing that 17 other identifiers could still be present. This is precisely why the Privacy Rule's minimum necessary standard (45 CFR §164.502(b)) requires your organization to limit the use and disclosure of PHI to the minimum amount needed for a given purpose.

Investing in comprehensive HIPAA training and certification for every workforce member — not just clinicians — closes this knowledge gap before it becomes an OCR investigation.

De-Identification: How to Remove HIPAA Identifiable Information Legally

The Privacy Rule provides two approved methods for de-identifying health data under 45 CFR §164.514(a)-(b):

Expert Determination Method

A person with appropriate knowledge of and experience with generally accepted statistical and scientific methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual. The expert must document the methods and results that justify the determination. This approach is rigorous and typically used for large research datasets, where keeping full dates or five-digit ZIP codes matters to the analysis.

Safe Harbor Method

Your organization removes all 18 identifiers listed above, for the individual and for the individual's relatives, employers, and household members, and has no actual knowledge that the remaining information could identify an individual. Year alone, the first three ZIP digits (subject to the 20,000-population rule), and ages up to 89 may stay. This is the method most covered entities use in practice because it provides a clear, checklist-based standard, but the checklist only covers structured fields; free-text notes still have to be reviewed by a person.

Once data is properly de-identified through either method, it is no longer PHI and falls outside HIPAA's regulatory scope. Data with only some identifiers stripped is still PHI, and losing it is still a breach; OCR has been unambiguous on this point. The one middle ground the rule recognizes is the limited data set under §164.514(e), which may keep dates and city, state, and ZIP code but may be used only for research, public health, or health care operations under a signed data use agreement.
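As an added example (not code from the article or from HHS), here is how the Safe Harbor removals for structured columns can be applied to a constructed patient export in Python. The column names, the sample records, the reference date, and the low-population ZIP prefix table are assumptions made for the example; the real prefix list comes from Census population data. The code also shows what Safe Harbor tooling cannot do: it withholds free-text columns for human review rather than clearing them, and it drops any column it does not recognise, since an unknown code may fall under the 18th category.

```python
from __future__ import annotations

import re
from datetime import date

# Added example, not code from the article. Applies the Safe Harbor removals of
# 45 CFR 164.514(b)(2) to a structured export. Column names, sample records,
# the reference date and the low-population ZIP table are assumptions.

# Columns known to carry no identifier; anything not listed here is withheld
# (default deny), which is how "any other unique identifying number,
# characteristic, or code" is handled.
ALLOWED_FIELDS = {"diagnosis_code", "procedure_code", "sex", "state"}

# Date columns: Safe Harbor keeps only the year (dob gets extra handling).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must
# be reported as 000. HHS derives the real list from Census data; this set is
# a placeholder assumption.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                       "821", "823", "830", "831", "878", "879", "884", "890", "893"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def year_only(value: str | None) -> str | None:
    """Strip month and day from an ISO date, keeping the year."""
    m = ISO_DATE.match(value or "")
    return m.group(1) if m else None


def age_on(dob: str | None, as_of: date) -> int | None:
    """Whole years between an ISO birth date and the reference date."""
    m = ISO_DATE.match(dob or "")
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    age = as_of.year - year
    if (as_of.month, as_of.day) < (month, day):
        age -= 1
    return age


def safe_harbor_zip(zip_code: str | None) -> str | None:
    """Keep the first three ZIP digits; collapse low-population prefixes to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def deidentify(record: dict, as_of: date) -> tuple[dict, list[str]]:
    """Apply Safe Harbor to one record.

    Returns the de-identified record and the names of the columns withheld:
    direct identifiers, unrecognised columns, and free text that a person must
    review (the "no actual knowledge" test cannot be automated).
    """
    out: dict = {}
    withheld: list[str] = []
    for key, value in record.items():
        if key == "dob":
            age = age_on(value, as_of)
            if age is not None and age > 89:
                # Ages over 89 are aggregated, and the birth year is suppressed
                # because year plus reference date would reveal the age.
                out["age"] = "90+"
            else:
                out["birth_year"] = year_only(value)
                out["age"] = age
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = year_only(value)
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in ALLOWED_FIELDS:
            out[key] = value
        else:
            withheld.append(key)
    return out, withheld


# Constructed records for the example; no real patients.
SAMPLE_EXPORT = [
    {"name": "Jane Q. Example", "dob": "1931-05-02", "zip": "03602-1234",
     "admit_date": "2023-11-20", "mrn": "MRN-000123", "email": "jane@example.com",
     "diagnosis_code": "E11.9", "notes": "Follow-up in 3 months, lives near the mill"},
    {"name": "John Doe", "dob": "1980-07-14", "zip": "02139",
     "admit_date": "2023-12-01", "discharge_date": "2023-12-04",
     "ip_address": "203.0.113.5", "patient_ref": "PT-77A",
     "diagnosis_code": "J45.40", "sex": "M"},
]


def deidentify_export(records: list[dict],
                      as_of: date = date(2024, 1, 15)) -> list[tuple[dict, list[str]]]:
    """Run Safe Harbor over a whole export with one fixed reference date."""
    return [deidentify(r, as_of) for r in records]


if __name__ == "__main__":
    for cleaned, withheld in deidentify_export(SAMPLE_EXPORT):
        print(cleaned, "| withheld for removal or review:", withheld)
```

The first record shows the two rules that trip people up: a 92-year-old's birth year disappears along with the month and day, and a ZIP in a sparsely populated prefix collapses to 000. The second record keeps a full year and three-digit ZIP but loses the IP address and the unrecognised `patient_ref` column, which is exactly the kind of internal code that still counts as an identifier.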

Business Associates and the Chain of Identifiable Information

Your obligations don't end at your organization's walls. Under the Omnibus Rule, any business associate that creates, receives, maintains, or transmits HIPAA identifiable information on your behalf is directly liable under the Security Rule and for the uses and disclosures its business associate agreement permits. This includes cloud storage vendors, billing companies, analytics firms, and even shredding services; a carrier that merely transports data without routinely accessing it falls under the conduit exception and is not a business associate.

Every business associate agreement must specify how PHI will be safeguarded, who can access identifiable information, and what happens in the event of a breach. If your business associate mishandles identifiable data, your covered entity can still face penalties — especially if OCR finds that you failed to conduct adequate due diligence or a thorough risk analysis under 45 CFR §164.308(a)(1).

OCR's enforcement actions increasingly target mishandling of identifiable information in digital environments. Between 2020 and 2024, multiple settlements involved organizations that exposed PHI through improperly configured web tracking technologies, patient portals, and third-party analytics tools like Meta Pixel.

In December 2022, OCR issued a bulletin warning that tracking technologies on covered entity websites and apps may transmit HIPAA identifiable information, including IP addresses and medical record numbers, to third parties without patient authorization. OCR updated the bulletin in March 2024, and in June 2024 a federal district court in Texas vacated the part of it that treated an IP address combined with a visit to an unauthenticated health-related page as individually identifiable information; the rest of the guidance stands. Penalties in recent right-of-access and impermissible disclosure cases have ranged from $15,000 to over $4.75 million.

Your Notice of Privacy Practices must accurately describe how your organization uses and discloses PHI. If your actual data practices don't match what's in the notice, you have both a Privacy Rule violation and a trust problem.

Practical Steps to Protect Identifiable Information Today

Strengthening your organization's handling of HIPAA identifiable information requires more than a policy update. Here are the steps that make the most measurable difference:

  • Conduct a current risk analysis that maps every system and workflow where identifiable information is created, stored, or transmitted.
  • Audit third-party tools on your website, patient portal, and mobile applications for unauthorized PHI transmission.
  • Apply the minimum necessary standard to every internal access request — not just external disclosures.
  • Train every workforce member annually, including volunteers, contractors, and management. Role-based training ensures each team understands the specific identifiers they encounter daily.
  • Review all business associate agreements to confirm they address current data flows and breach notification timelines under 45 CFR §164.410.
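For the website audit step above, as an added example that is not from the article: a static scan of a page's HTML that lists every resource fetched from a third-party host, the query parameter names those requests carry, and inline calls to the Meta Pixel and Google tag SDKs. The sample page, the placeholder pixel and measurement IDs, and the tracker host table are constructed assumptions. Treat it as a first pass only; a tag manager can inject trackers at runtime, so you still need to watch the actual outbound requests in a browser.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the article. Static audit of one HTML page for
# resources fetched from third-party hosts and for inline calls to tracking
# SDKs. The sample page, the placeholder pixel and measurement IDs and the
# tracker table are constructed assumptions.

# Hosts commonly found on clinic sites; extend for your own vendors.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel SDK",
    "www.facebook.com": "Meta Pixel collection endpoint",
    "www.googletagmanager.com": "Google tag / Tag Manager",
    "www.google-analytics.com": "Google Analytics collection",
}

URL_IN_SCRIPT = re.compile(r"https?://[^\s'\"()<>]+")
# Matches fbq('track', 'Schedule') or gtag('config', 'G-...'): SDK, command, argument.
SDK_CALL = re.compile(r"\b(fbq|gtag)\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")


class ResourceCollector(HTMLParser):
    """Collect external resource URLs and the bodies of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[tuple[str, str]] = []
        self.inline_scripts: list[str] = []
        self._script_buf: list[str] | None = None

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.resources.append((tag, a["src"]))
            else:
                self._script_buf = []          # inline script: capture its body
        elif tag in ("img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))

    def handle_data(self, data: str) -> None:
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag) -> None:
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def audit_page(html: str, first_party_host: str) -> dict:
    """Return third-party fetches (with query parameter names) and SDK calls."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()

    candidates = list(parser.resources)
    for body in parser.inline_scripts:  # SDK loaders hide their URL in script text
        candidates += [("inline-script", url) for url in URL_IN_SCRIPT.findall(body)]

    third_party = []
    for tag, url in candidates:
        parts = urlsplit(url)
        host = parts.netloc.lower()
        if not host or host == first_party_host.lower():
            continue  # relative or first-party URL: the request stays with you
        third_party.append({
            "tag": tag,
            "host": host,
            "path": parts.path,
            "tracker": KNOWN_TRACKERS.get(host, "unclassified third party"),
            # Only parameter names are reported; the values themselves may be PHI.
            "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        })

    sdk_calls = [m.groups() for body in parser.inline_scripts
                 for m in SDK_CALL.finditer(body)]
    return {"third_party": third_party, "sdk_calls": sdk_calls}


# Constructed appointment-request page with placeholder IDs; not a real site.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<title>Request an appointment</title>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader body elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
  fbq('track', 'Schedule', {service: 'oral-surgery'});
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
<form action="/appointments" method="post">...</form>
</body></html>"""


def audit_sample() -> dict:
    """Audit the constructed page as if it were served from clinic.example."""
    return audit_page(SAMPLE_PAGE, "clinic.example")


if __name__ == "__main__":
    report = audit_sample()
    for f in report["third_party"]:
        print(f["tag"], f["host"], f["path"], f["tracker"], "params:", f["params"])
    for sdk, command, arg in report["sdk_calls"]:
        print(f"{sdk}('{command}', '{arg}')")
```

On the sample page the scan surfaces three third-party hosts and a `Schedule` event fired from an appointment page, which is the pattern the OCR bulletin describes: the third party receives the visitor's IP address plus a page and event that reveal they are seeking care. Run the same function over every template in the portal, then confirm in a browser's network log what the injected tags actually send.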

Building a culture that treats all 18 identifiers seriously starts with education. Enrolling your entire team in a structured workforce HIPAA compliance program gives every staff member the practical knowledge to recognize, handle, and protect identifiable information — before a breach forces the lesson.