A Single Spreadsheet Cost This Health Plan $6.85 Million

In 2023, Premera Blue Cross agreed to a $6.85 million settlement with HHS after a breach exposed the protected health information of 10.4 million people. Names, addresses, Social Security numbers, clinical data — all of it exposed because a covered entity failed to grasp exactly what PHI it was handling and how to lock it down.

That's the thing most organizations get wrong. They know HIPAA exists. They know PHI matters. But when I ask staff in training sessions to list what actually counts as PHI, most people stop after "name and date of birth." That gap is where breaches live.

So let's close it. The HIPAA Privacy Rule defines PHI in terms of 18 specific identifiers — and if your workforce can't name them, your organization is already at risk. This post walks through every one of them, explains why each matters, and shows you what OCR actually penalizes.

What Exactly Is PHI Under the HIPAA Privacy Rule?

Protected health information is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. That's the formal definition from 45 CFR §160.103. But here's the part people miss: it's not just clinical data.

PHI is health information plus an identifier. A diagnosis alone isn't PHI. A name alone isn't PHI. Combine a name with a diagnosis, a billing record, or even an appointment date — now you have PHI, and the full weight of HIPAA applies.

This applies in every format. Paper charts in a filing cabinet. Verbal conversations at a nurses' station. Electronic records in your EHR. When it's digital, we call it ePHI, and the Security Rule adds a whole additional layer of requirements.

The 18 Identifiers That Make Health Information "Protected"

HHS defined exactly 18 types of identifiers under the HIPAA Privacy Rule. When any of these are linked to health information — treatment records, payment data, healthcare operations — the result is PHI. Here they are:

  • Names — Full name, maiden name, alias. The most obvious identifier and the one most commonly disclosed verbally.
  • Geographic data smaller than a state — Street addresses, cities, counties, ZIP codes (the first three digits of a ZIP may be retained only if the area they cover contains more than 20,000 people).
  • Dates directly related to an individual — Birth date, admission date, discharge date, date of death. Year alone is permitted only for patients over 89.
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers — Including license plate numbers.
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers — Fingerprints, voiceprints, retinal scans.
  • Full-face photographs — And any comparable image.
  • Any other unique identifying number, characteristic, or code

That last one is the catch-all. I've seen OCR investigators flag patient account codes, internal tracking numbers, even color-coded file labels that corresponded to specific individuals. If it can identify a person, it counts.

The Identifiers Your Staff Keeps Forgetting

Names and Social Security numbers get the attention. But in my experience consulting with clinics and health plans, the identifiers that cause real-world breaches are the ones nobody thinks about.

IP Addresses and Web URLs

Your patient portal logs IP addresses. Your telehealth platform captures them. If those logs also contain health information — and they almost always do — that's ePHI. Most IT teams treat server logs as operational data, not PHI. That's a compliance gap OCR has flagged repeatedly.
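To make the identifier rules concrete, here is an added Python example (not code from the original post, and not an HHS tool) that applies the Safe Harbor treatments from the list above to one patient record and then scrubs the same identifier patterns out of a portal log line like the ones this section describes. The field names, the regular expressions, the `mrn=` query parameter, the restricted three-digit ZIP set and the sample record and log line are all assumptions constructed for this example.

```python
"""Safe Harbor style de-identification helper (illustrative, not HHS tooling)."""
import re
from datetime import date

# Hypothetical field names standing in for whatever your EHR or claims extract
# uses. Direct identifiers from the 18-item list are removed outright.
DROP_FIELDS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_no", "plan_id",
    "license_no", "plate", "device_serial", "url", "ip", "biometric", "photo",
}

# Three-digit ZIP prefixes covering fewer than 20,000 people must become 000.
# Constructed set for this example; the authoritative list comes from census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that hide inside free-text notes and server logs.
# "mrn=" is a hypothetical query-parameter name used only in this example.
TEXT_PATTERNS = [
    ("url", re.compile(r"https?://\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("mrn", re.compile(r"\bmrn=\d+", re.IGNORECASE)),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits of a ZIP, or 000 for a restricted prefix."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_birth_date(dob: date, as_of: date) -> str:
    """Keep only the birth year, and aggregate anyone over 89 into '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in free text; return new text and what was found."""
    found = []
    for kind, pattern in TEXT_PATTERNS:
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind.upper()} REMOVED]", text)
    return text, found


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor treatments field by field to one patient record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                               # direct identifier: drop it
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["birth_year"] = generalize_birth_date(value, as_of)
        elif isinstance(value, date):              # admission, discharge, ...
            out[key] = str(value.year)
        elif isinstance(value, str):               # catch-all: scrub free text
            out[key], _ = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record, reference date and log line; not real patients or systems.
SAMPLE_AS_OF = date(2024, 3, 2)
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "mrn": "000123456",
    "dob": date(1932, 6, 15),
    "zip": "03601",
    "admit_date": date(2024, 3, 2),
    "diagnosis": "Type 2 diabetes; callback 555-010-1234",
}
SAMPLE_LOG = ("2024-03-02T10:15:01Z GET /portal/results?mrn=000123456 "
              "from 203.0.113.45 user=jane.doe@example.com")

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_AS_OF))
    print(scrub_text(SAMPLE_LOG))
```

The record comes out with only a birth year (aggregated to "90+" for the 91-year-old sample patient), a three-digit ZIP forced to 000 because the prefix is restricted, the admission year, and a diagnosis string with the phone number removed. The log line keeps its timestamp and path but loses the medical record number, the client IP and the user's email, which is the point of this section: those three fields turned an "operational" log into ePHI.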

Full-Face Photographs

Dermatology practices, plastic surgery clinics, and wound care teams routinely photograph patients. Those images are PHI the moment they're linked to a patient record. I've walked into practices where clinical photos sat in unsecured folders on shared drives. No encryption. No access controls. That's a Security Rule violation waiting to become a breach notification.

Dates Beyond the Obvious

Everyone protects birth dates. But admission dates, discharge dates, and appointment dates are identifiers too. A scheduling spreadsheet emailed to the wrong person? That's a reportable breach if it contains patient names alongside appointment dates.

Verbal PHI: The Identifier Nobody Locks Down

Most HIPAA training focuses on electronic systems and paper records. But a stunning number of breaches — and complaints to OCR — involve spoken words. A nurse discussing a patient's diagnosis in an elevator. A front-desk staffer confirming an appointment with a patient's full name in a crowded waiting room.

The HIPAA Privacy Rule covers verbal disclosures with the same force it covers electronic ones. Your workforce needs to understand that saying a patient's name alongside their condition in a public space is a use or disclosure of PHI.

This is exactly the kind of scenario we built our Verbal Disclosures: Watch What You Say course to address. It's the single most underdeveloped area of HIPAA training I encounter in the field.

Why "I Didn't Know That Was PHI" Is the Most Expensive Excuse in Healthcare

OCR doesn't accept ignorance as a defense. In fact, failure to train your workforce on what constitutes PHI is itself a violation of 45 CFR §164.530(b), which requires covered entities to train all workforce members on HIPAA policies and procedures.

Consider the 2019 settlement with the University of Rochester Medical Center. OCR imposed a $3 million penalty after unencrypted flash drives and a laptop were lost. The investigation revealed the organization had failed to implement adequate security measures for ePHI — and had not managed device and media controls properly. Staff didn't fully understand what ePHI they were carrying around.

Or look at the 2018 Anthem settlement — $16 million, the largest HIPAA settlement in history — where a phishing attack exposed ePHI of nearly 79 million individuals. The root cause? Insufficient access controls and a workforce that didn't recognize the threat. When your people don't know what PHI looks like in all its forms, they can't protect it.

What Does PHI Include? A Quick-Reference Answer

Under the HIPAA Privacy Rule, PHI is any health information — treatment records, billing data, health plan enrollment — combined with one or more of 18 identifiers: names, addresses, dates, phone numbers, email addresses, Social Security numbers, medical record numbers, health plan IDs, account numbers, license numbers, vehicle identifiers, device serial numbers, web URLs, IP addresses, biometric data, full-face photos, and any other unique identifying code. If it identifies a person and relates to their health, payment, or care, it's PHI.

Training That Actually Covers All 18 Identifiers

Generic HIPAA training skims the surface. Your nurses need to know how PHI flows through clinical workflows — from triage to discharge. Your behavioral health staff need to understand the extra protections that apply to psychotherapy notes and substance use disorder records. And every single person in your organization needs to recognize all 18 identifiers on sight.

That's why we built role-specific courses. Our HIPAA Training for Nurses walks through real clinical scenarios where PHI identifiers show up in unexpected places. For behavioral health organizations navigating the intersection of HIPAA and 42 CFR Part 2, our HIPAA Training for Mental & Behavioral Health goes deep on the identifiers and consent requirements unique to that setting.

The Cost of Getting This Wrong vs. Getting It Right

OCR has settled or imposed penalties totaling over $142 million since its enforcement program began. Almost every major case traces back to a fundamental failure: the organization didn't know what PHI it had, where it lived, or who could access it.

Getting it right starts with teaching your workforce exactly what qualifies as PHI — not in abstract terms, but with the specific 18 identifiers. Every new hire. Every annual refresher. Every role, from front desk to C-suite.

Your Next Step Is Simpler Than You Think

Pull up your current training materials right now. Search for the 18 identifiers. If your training doesn't list all of them — with examples your staff will actually encounter — you have a gap that OCR can turn into a six- or seven-figure problem.

Browse our full HIPAA training catalog to find role-specific courses that cover every identifier, every disclosure scenario, and every enforcement trend your organization needs to know about in 2026. Your workforce can't protect what they can't identify.