A hospital in Texas once sent a spreadsheet of 3,400 patient records to a business associate — with every column of identifying data still intact. Names, Social Security numbers, dates of birth, medical record numbers. The file was supposed to be de-identified. It wasn't. And the resulting OCR investigation cost the organization years of remediation headaches. The root cause? Staff didn't actually understand what patient identifiers are under HIPAA — or why every single one matters.
If you work at a covered entity or business associate, this isn't an academic question. Knowing what are patient identifiers — and how to handle each one — is the difference between a routine disclosure and a reportable breach. Let me break it down the way I explain it to the organizations I consult with.
What Are Patient Identifiers? The 18 Elements You Must Know
Under the HIPAA Privacy Rule, protected health information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associate. The key word is "identifiable." HHS defined exactly 18 types of identifiers that, when linked to health data, make information PHI.
Here's the complete list — straight from HHS's official guidance on de-identification:
- Names — full or partial
- Geographic data — anything more specific than state (street address, city, zip code, etc.)
- Dates — except year — related to an individual (birth date, admission date, discharge date, date of death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints, retinal scans)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last one is the catch-all, and it's the one that trips up most organizations. A unique patient portal username? An internal tracking code? If it can be used to identify a person, it qualifies.
Why Fax Numbers and IP Addresses Catch People Off Guard
I've seen compliance officers who've been in healthcare for a decade get surprised by some items on this list. Fax numbers? Vehicle identifiers? IP addresses? They don't seem "medical" — and that's exactly the problem.
HIPAA doesn't care whether a data element feels clinical. It cares whether the element can identify a person. A fax number tied to a home machine identifies a specific household. An IP address can pinpoint a device — and by extension, a patient who logged into a portal or submitted a telehealth form.
When your workforce thinks of patient identifiers as just "name and date of birth," they're covering 2 of 18 categories. That leaves 16 wide open for accidental disclosure.
The Real-World Impact of Getting This Wrong
In 2018, the University of Texas MD Anderson Cancer Center lost an appeal on a $4.3 million penalty after unencrypted devices containing ePHI — including multiple patient identifiers — were stolen. The devices held names, medical record numbers, Social Security numbers, and treatment information. OCR's position was clear: the organization knew about the risk and failed to act. You can review the enforcement details on HHS's MD Anderson enforcement page.
The identifiers on those devices weren't exotic. They were the basics — names, SSNs, MRNs. The lesson isn't that you need to worry about obscure data elements. It's that you need to worry about all of them, all the time.
De-Identification: Removing Patient Identifiers the Right Way
The HIPAA Privacy Rule gives covered entities two methods to de-identify PHI. Both revolve around stripping out patient identifiers.
The Safe Harbor Method
Remove all 18 identifiers listed above. If there's no actual knowledge that the remaining information could identify a person, the data is considered de-identified. It's straightforward on paper. In practice, I've watched organizations miss zip codes, leave in dates of service, or forget that a photo embedded in a PDF counts as a full-face image.
The Expert Determination Method
Hire a qualified statistical expert who applies accepted methods to determine that re-identification risk is "very small." The expert documents their analysis. This method is more flexible but more expensive and time-consuming.
Most small to mid-size covered entities default to Safe Harbor. And most Safe Harbor failures come from incomplete removal. Someone scrubs the obvious fields — name, SSN, date of birth — and leaves email addresses or device serial numbers sitting in a metadata field nobody thought to check.
The $1.5 Million Mistake: Treating This as an IT Problem
In 2015, OCR settled with Anchorage Community Mental Health Services for $150,000 after finding that the organization failed to implement adequate safeguards for ePHI. But the larger settlements tell the bigger story. Advocate Medical Group paid $5.55 million in 2016 for breaches involving unencrypted laptops containing patient identifiers like names, addresses, dates of birth, and SSNs.
Here's what I keep coming back to: these weren't sophisticated cyberattacks. They were stolen laptops. Lost thumb drives. Misdirected emails. The underlying failure was almost always the same — someone on staff didn't recognize that the data they were handling contained identifiers that made it PHI.
This isn't something you fix with a firewall. You fix it with workforce HIPAA training that specifically covers what patient identifiers are, where they hide, and how to handle them in every format — paper, electronic, and verbal.
Where Patient Identifiers Hide in Your Daily Workflow
Let me walk you through the places I find unprotected identifiers during risk assessments:
- Email subject lines — Staff put patient names or MRNs right in the subject. Even if the body is encrypted, the subject line often isn't.
- Fax cover sheets — Left on shared printers with patient name, date of birth, and diagnosis visible.
- Scheduling whiteboards — Yes, some clinics still use them. Patient names plus appointment times equals PHI.
- Spreadsheets on shared drives — Created for "quick" reporting, never de-identified, never deleted.
- Screenshots in support tickets — IT staff screenshot error messages that include patient data from the EHR.
- Voicemail messages — A provider leaves a message with the patient's name, medication, and callback number. That's at least three identifiers tied to health information.
Every one of these scenarios involves patient identifiers. Every one creates potential exposure. And every one is preventable with proper awareness.
How Many Identifiers Does It Take to Create PHI?
This is one of the most common questions I get, and it's worth answering directly.
It takes just one. A single identifier — a name, a zip code, a medical record number — linked to health information makes that data PHI under HIPAA. You don't need a combination. You don't need a "threshold." One identifier plus health data equals PHI, and all the Privacy Rule and Security Rule protections apply.
This is why the de-identification standard requires removing all 18 categories. Not most. All.
Building a Workforce That Actually Understands Identifiers
Telling your staff "protect PHI" without teaching them what patient identifiers are is like telling someone to drive safely without explaining what the road signs mean. They might get lucky. But eventually, someone runs a red light.
Effective workforce training covers three things:
- Recognition — Can your front desk staff, billing team, and clinicians identify all 18 categories? Not just name and DOB?
- Context — Do they understand that a medical record number on a sticky note is just as much PHI as a full patient chart?
- Response — When someone realizes they've disclosed an identifier improperly, do they know the breach notification process?
If you're looking to close these gaps, explore the HIPAA training catalog at HIPAACertify.com. The coursework covers each identifier category with practical scenarios your staff will actually encounter.
The Regulatory Framework Behind the 18 Identifiers
The 18 patient identifiers come from the HIPAA Privacy Rule at 45 CFR Part 164, Subpart E, specifically Section 164.514(b). This section outlines the Safe Harbor de-identification standard and lists each identifier that must be removed for data to no longer be considered PHI.
OCR enforces these requirements. HHS publishes guidance. But the actual compliance happens in your exam rooms, your billing offices, and your IT department. It happens when someone pauses before hitting "send" and asks: does this file contain identifiers?
Make Patient Identifiers Part of Your Culture, Not Just Your Policy
Policy binders don't prevent breaches. Culture does. The organizations I've seen handle this best are the ones where every employee — from the CEO to the newest hire — can rattle off at least ten of the 18 identifiers without looking at a chart.
They quiz each other during huddles. They run tabletop exercises. They treat identifier awareness the way pilots treat checklists: not as busywork, but as the thing that prevents catastrophic failure.
Your organization handles patient identifiers every single day. The question is whether your workforce knows they're doing it — and whether they're doing it right.