GuidesPatient experienceWhat are the 18 HIPAA identifiers?

What are the 18 HIPAA identifiers?

Last updated

16 November 2023


Dovetail Editorial Team

Protected health information (PHI) is any information in a person’s medical health record that can be used to uniquely identify, locate, or contact that person. This kind of information is at risk of being hacked by unauthorized personnel if it’s not handled appropriately during storage or transmission.

The HIPAA Privacy Rule protects PHI and ensures that it remains confidential and secure at all times. The 18 HIPAA identifiers below are considered personally identifiable information (PII) and should be safeguarded.

This guide will help you learn more about HIPAA and its identifiers, equipping you with the knowledge you need to stay compliant.

What are the 18 PHI identifiers?

PHI identifiers are pieces of information that can be used to contact or locate the person to whom they belong.

Below are the identifiers HIPAA designates as PHI:

1. Patient names

A patient’s first and last names are considered PHI when recorded or used by a healthcare provider within a healthcare context. The patient’s name must be secured during transmission or storage.

2. Geographical elements

Any geographical element in a patient’s health record that is smaller in scale than a state is considered PHI. These elements include street addresses, counties, and cities.

PHI that covers any dates related to the person’s health are PHI identifiers. These may include the patient’s admission date, treatment date, birth date, and age.

4. Telephone numbers

Any phone number belonging to the individual is considered PHI if maintained in a database containing health information.

5. Fax numbers

Records that contain the individual’s phone number associated with a fax machine can’t be shared without the patient’s authorization because this is classified as a PHI identifier.

6. Email addresses

A patient’s email address is considered PHI if it’s linked to the individual’s health record. Email addresses should remain protected to avoid the risk of interception or unauthorized access to sensitive patient data. Hackers can use a patient’s email address for malware and collect other sensitive information from their device.

7. Social Security numbers

Hackers can use social security numbers for malicious intent, such as falsely acquiring Medicare benefits. This kind of information is classified as a HIPAA identifier as it can also be used to obtain the individual’s sensitive information.

8. Medical record numbers

This is a record that can identify a person receiving medical treatment. It can provide access to medical data and other sensitive information about them.

9. Health insurance beneficiary numbers

This information is assigned to patients by health insurance services. According to HIPAA, it should be protected from unauthorized access.

10. Account numbers

An individual’s account numbers are classified as HIPAA identifiers.

11. Certificate/license numbers

Access to an individual’s license number can be used in combination with other PHI to steal someone’s personal identity. As a result, certificate numbers are considered HIPAA identifiers.

12. Vehicle identifiers

License plate numbers or serial numbers of vehicles belonging to patients are HIPAA identifiers, as hackers with malicious motives can use them to locate the individual.

13. Device attributes or serial numbers

Serial numbers that are assigned to the individual’s medical devices are PHI; for instance, the serial number of a heart monitor. If a device like this transmits PHI data, it must be handled in a HIPAA-compliant way.

14. Digital identifiers, including some URLs

Patient information such as name and date of birth can be leaked by unauthorized personnel and used to locate an individual when URLs are cached in browser history. These include website URLs that can be used to track electronic transactions.

15. IP addresses

IP addresses are considered PHI under HIPAA regulations. These unique identifiers can be used to track the individual’s location if the information is accessed by unauthorized personnel.

16. Biometric elements, including finger, retina, and voice prints

Biometrics are unique physical characteristics that identify an individual. This information can be used to impersonate that person. It must be safeguarded as a result to protect the confidentiality and integrity of patient information.

17. Photographs of a patient’s face

Facial images taken by healthcare providers and used in a healthcare context are considered PHI. A patient’s photo is also considered PHI if it contains patient identifiers such as their name, date of birth, address, or social security number.

18. Other identifying numbers or codes

These include any other numerical characteristics that can be used to identify a person.

Using the 18 HIPAA identifiers

These 18 HIPAA identifiers play a crucial role in healthcare. Healthcare service providers use them during treatment to identify individual patients.

Furthermore, having an understanding of the 18 identifiers allows covered entities to comply with HIPAA regulations.

The identifiers can also be used in healthcare settings to

  • Develop healthcare protocols

  • Implement clinical guidelines

  • Coordinate patient care

  • Conduct training programs for healthcare providers

  • Detect fraud and abuse of HIPAA regulations

The HIPAA Privacy Rule

The HIPAA Privacy Rule is a set of standards for the privacy of individually identifiable health information.

It establishes policies protecting individually identifiable health information held or transmitted by a covered entity. It also sets standards for accessing the information. For instance, the rule defines who can access PHI and the circumstances in which it can be used.

Under the Privacy Rule, covered entities can’t allow the 18 identifiers to be disclosed except for treatment, public health purposes, or HIPAA-permitted research. None of the identifiers can be disclosed without patient authorization.

The HIPAA Security Rule

The HIPAA Security Rule was established to guide covered entities on technical, administrative, and physical safeguards for maintaining electronic PHI’s confidentiality, integrity, and availability.

The security rule establishes strict data encryption guidelines that ensure authorized personnel only access PHI information using a secure password.

The technical safeguards outlined in the rule include the use of antivirus software, firewalls, and intrusion-detection systems. The administrative safeguards include policies that limit access to the 18 identifiers, training, and educating employees about the best approaches to security.


What is an identifier under HIPAA?

HIPAA identifiers are found on medical records stored in healthcare databases that can be used to identify, contact, or locate an individual.

What are examples of indirect identifiers?

Indirect identifiers are those that need to be combined with other information to potentially identify a person. They can include ethnicity, race, or information available through other sources.

What are the three unique identifiers?

Some unique identifiers are email addresses, names, social security numbers, and telephone numbers.

Get started today

Go from raw data to valuable insights with a flexible research platform

Start freeContact sales

Editor’s picks

What does ‘access to healthcare’ mean?

Last updated: 27 June 2023

7 best healthcare website designs 2024

Last updated: 11 September 2023

What are the 18 HIPAA identifiers?

Last updated: 16 November 2023

PHI vs. PII: What’s the difference?

Last updated: 28 September 2023

What are quality measures in healthcare?

Last updated: 25 November 2023

Related topics

Product developmentPatient experienceResearch methodsEmployee experienceSurveysMarket researchCustomer researchUser experience (UX)


OverviewChannelsMagicIntegrationsEnterpriseInsightsAnalysisPricingLog in


About us
© Dovetail Research Pty. Ltd.
TermsPrivacy Policy

Log in or sign up

Get started for free


By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy