In 2023, OCR settled with a New England dermatology practice for $300,640 after an investigation revealed that protected health information — including names, dates of birth, and Social Security numbers — had been impermissibly disclosed. The root cause wasn't a sophisticated cyberattack. It was a fundamental failure to understand which data elements qualify as PHI identifiers under HIPAA and how to safeguard them. This is a scenario I see repeated across covered entities of every size.
What Are PHI Identifiers Under HIPAA?
The HIPAA Privacy Rule, codified at 45 CFR §164.514, defines protected health information as any individually identifiable health information held or transmitted by a covered entity or its business associate. PHI becomes "individually identifiable" when it includes specific data elements — known as identifiers — that can link health data to a particular person.
Understanding which data elements constitute PHI identifiers under HIPAA isn't optional. It's the foundation of every privacy decision your organization makes, from releasing records to de-identifying datasets for research.
The 18 HIPAA Identifiers Your Workforce Must Recognize
The Privacy Rule specifies exactly 18 types of identifiers. When any of these appear alongside health information or payment data, the record qualifies as PHI and triggers all HIPAA protections. Here's the complete list:
- Names — full or partial
- Geographic data — anything more specific than state (street address, city, ZIP code, precinct)
- Dates — except year — directly related to an individual (birth date, admission date, discharge date, date of death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints, retinal scans)
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
That final catch-all category is where many organizations stumble. Patient portal usernames, internal tracking codes, and even research subject IDs can qualify as PHI identifiers when they're linkable to health data.
De-Identification: How HIPAA's PHI Identifier Rules Create a Safe Harbor
The Privacy Rule provides two methods for de-identifying health information so it no longer qualifies as PHI. The first — and most commonly used — is the Safe Harbor method under §164.514(b)(2). It requires removal of all 18 identifiers listed above, plus the organization must have no actual knowledge that the remaining data could identify an individual.
The second method is Expert Determination under §164.514(b)(1), where a qualified statistical expert certifies that the risk of identification is "very small." Healthcare organizations consistently underestimate how rigorous this standard is. A single retained ZIP code or date range can defeat de-identification if the underlying population is small enough.
Common De-Identification Mistakes
In my work with covered entities, I see three recurring errors. First, organizations truncate ZIP codes to three digits but forget that a three-digit prefix whose combined area has a population under 20,000 must be replaced with "000" under Safe Harbor. Second, teams strip obvious identifiers like names and SSNs but leave medical record numbers embedded in file metadata. Third, IT departments share "de-identified" datasets internally without verifying that the catch-all 18th identifier — any unique code — has been addressed.
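A Safe Harbor pass over a single patient record, written as an added example for this article rather than code from HIPAA Certify: it drops the listed identifier fields, keeps only the year of dates, truncates ZIP codes to three digits and blanks them to "000" for sparsely populated areas, and also applies the Safe Harbor rule that ages over 89 collapse to "90+" (a rule the list above does not spell out). The field names and the three-digit ZIP population table are constructed assumptions.

```python
"""Safe Harbor de-identification of one record (added example, not HIPAA
Certify's code). Identifier fields are removed outright, dates keep only the
year, ZIP codes are cut to three digits and blanked to "000" when the
three-digit area holds 20,000 or fewer people, and ages over 89 become "90+"."""
import re
from datetime import date

# Hypothetical field names for the identifiers Safe Harbor removes entirely:
# names, SSN, MRN, contact details, account/plan/license numbers, vehicle and
# device serials, URLs, IPs, biometrics, photos, and any other unique code.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_no",
    "plan_beneficiary_no", "license_no", "vin", "device_serial", "url",
    "ip", "biometric", "photo", "portal_username",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Constructed sample population per three-digit ZIP area (not Census data).
ZIP3_POPULATION = {"021": 650000, "036": 12000}
SMALL_AREA_LIMIT = 20000  # areas with 20,000 or fewer people become "000"

def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the area is too small; unknown
    areas are treated as small, which is the conservative choice."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if ZIP3_POPULATION.get(zip3, 0) <= SMALL_AREA_LIMIT:
        return "000"
    return zip3

def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year only."""
    return str(date.fromisoformat(value).year)

def generalize_age(age: int):
    """Safe Harbor aggregates every age over 89 into a single "90+" bucket."""
    return "90+" if age > 89 else age

def safe_harbor(record: dict) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # identifier: removed entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value               # diagnosis codes etc. are retained
    return out
```

The "no actual knowledge" half of Safe Harbor is a human judgement that no field filter can make for you; this block only handles the mechanical removal.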
The Minimum Necessary Standard and PHI Identifiers
Recognizing the 18 identifiers is only step one. The minimum necessary standard under §164.502(b) requires your organization to limit PHI disclosures to the fewest identifiers needed for the intended purpose. If a business associate only needs dates of service and diagnosis codes for billing analytics, sending full records with names, SSNs, and addresses is a violation — even if the recipient is authorized to receive PHI.
OCR enforcement actions routinely cite minimum necessary failures. Your policies should specify, role by role, which identifiers each workforce member may access. Generic "full access" permissions across your EHR are a compliance liability.
Where Organizations Get PHI Identifiers Wrong
Several areas generate disproportionate risk:
- Marketing communications. Using email addresses or phone numbers tied to patient records for marketing without a valid HIPAA authorization violates the Privacy Rule. The Omnibus Rule tightened these requirements significantly in 2013.
- Business associate agreements. Your BAA must specify the categories of PHI — including which identifiers — a business associate may create, receive, maintain, or transmit. Vague BAAs leave both parties exposed.
- Research and analytics. Sharing datasets with third-party researchers demands rigorous de-identification. A single overlooked identifier can convert an entire dataset back into PHI, triggering Breach Notification Rule obligations if it's compromised.
- Patient portals and apps. IP addresses and device identifiers collected through patient-facing technology are PHI identifiers when associated with health information. Many organizations fail to account for these digital identifiers in their risk analysis.
Risk Analysis Must Account for Every Identifier
The HIPAA Security Rule at §164.308(a)(1) requires covered entities and business associates to conduct an accurate, thorough risk analysis. That analysis must evaluate threats to all PHI your organization handles — which means mapping every location where the 18 identifiers exist. Server logs with IP addresses, voicemail systems storing phone numbers paired with appointment details, and scanned images of insurance cards all fall within scope.
If your last risk analysis didn't inventory these less-obvious repositories of PHI identifiers, it's incomplete. OCR has penalized organizations specifically for inadequate risk analyses that failed to identify where PHI resides.
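One way to inventory the less-obvious repositories described above, added here as an example and not taken from the article or from HIPAA Certify: a scanner that walks log lines and reports only those where an identifier (IP address, phone, SSN, email, MRN) sits next to a health-context marker, since an IP address or phone number on its own is not PHI. The sample log lines and the context markers are constructed for this example.

```python
"""Flag log lines where a HIPAA identifier co-occurs with health information
(added example, not code from the page). A bare identifier is not PHI; the
same line tying it to an appointment, diagnosis or claim is what brings the
log into scope for the risk analysis. All sample data is constructed."""
import re

IDENTIFIER_PATTERNS = {
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "mrn":   re.compile(r"\bmrn[=: ]\s*\w+", re.I),
}
# Constructed markers that a line carries health information: appointment or
# claim wording, a diagnosis reference, a patient-portal path, or an
# ICD-10-style code such as L40.0.
HEALTH_CONTEXT = re.compile(
    r"appointment|diagnos|\bdx\b|/portal/|claim|\b[A-Z]\d{2}\.\d\b")

def classify_line(line: str):
    """Return (sorted identifier types found, whether health context is present)."""
    found = sorted(k for k, p in IDENTIFIER_PATTERNS.items() if p.search(line))
    return found, bool(HEALTH_CONTEXT.search(line))

def inventory(lines):
    """Count identifier types on PHI lines and list (line_no, types) hits."""
    counts, hits = {}, []
    for n, line in enumerate(lines, 1):
        found, clinical = classify_line(line)
        if found and clinical:          # identifier paired with health data
            hits.append((n, found))
            for k in found:
                counts[k] = counts.get(k, 0) + 1
    return counts, hits

# Constructed sample: web server, voicemail transcript, billing export, helpdesk.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2023:10:02:11 +0000] "GET /portal/appointments?mrn=0042 HTTP/1.1" 200',
    '198.51.100.9 - - [14/Jul/2023:10:03:40 +0000] "GET /static/logo.png HTTP/1.1" 200',
    "voicemail: caller 617-555-0142 confirmed appointment for dermatology follow-up",
    "billing export: claim 55512, dx L40.0, ssn 123-45-6789",
    "helpdesk: password reset for jdoe@example.com completed",
]

if __name__ == "__main__":
    counts, hits = inventory(SAMPLE_LOG)
    print(counts)   # identifier types that need a home in the risk analysis
    print(hits)     # lines 1, 3 and 4; lines 2 and 5 carry no health context
```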
Workforce Training on PHI Identifiers Is Non-Negotiable
Under §164.530(b), every member of your workforce must receive training on your organization's PHI policies and procedures. In practice, this means every employee, volunteer, and trainee needs to understand what the 18 identifiers are, how to handle them, and when the minimum necessary standard applies.
Generic annual slideshows won't achieve this. Your training program should include scenario-based exercises — "Does this email contain PHI?" "Which identifiers must be removed before sharing this report?" — that force real decision-making. If your current program falls short, investing in comprehensive HIPAA training and certification is the most direct way to close the gap.
Building a Culture of Identifier Awareness
Training shouldn't be a once-a-year checkbox. Covered entities with strong compliance programs reinforce PHI identifier awareness through regular reminders, updated Notice of Privacy Practices documents, and role-specific refresher sessions. At HIPAA Certify, we help organizations build workforce compliance programs that embed this knowledge into daily operations — not just annual reviews.
Action Steps to Strengthen PHI Identifier Protections Today
- Audit your data inventory for all 18 identifiers — including digital identifiers like IP addresses and device serial numbers.
- Review and update business associate agreements to specify which PHI identifiers each partner may access.
- Apply the minimum necessary standard in your EHR access controls, limiting identifier visibility by workforce role.
- Validate de-identification processes against the Safe Harbor checklist, paying special attention to ZIP codes and the catch-all 18th category.
- Enroll your workforce in up-to-date HIPAA training that covers identifier recognition, de-identification standards, and real-world enforcement scenarios.
Every HIPAA violation involving PHI traces back to an identifier that wasn't properly protected. Knowing all 18 — and building systems that treat each one with the gravity the Privacy Rule demands — is the most practical step your organization can take to reduce risk and stay ahead of OCR scrutiny.