What is Protected Health Information (PHI)?

Regulatory basis: PHI is defined at 45 CFR 160.103. De-identification standards are specified at 45 CFR 164.514(a)-(c). The Privacy Rule governing use and disclosure of PHI is codified at 45 CFR Part 164, Subpart E.

Definition

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. Under 45 CFR 160.103, individually identifiable health information is a subset of health information, including demographic information, that:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse
  • Relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment for health care
  • Identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual

The 18 HIPAA Identifiers

The Safe Harbor method of de-identification (45 CFR 164.514(b)(2)) specifies 18 categories of identifiers that must be removed for information to be considered de-identified:

  1. Names -- Full name or any part (first, last, maiden, alias)
  2. Geographic data -- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code (the first 3 digits may be retained if the geographic unit contains more than 20,000 people)
  3. Dates -- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death; ages over 89 and all elements of dates for such ages
  4. Telephone numbers -- All telephone numbers
  5. Fax numbers -- All fax numbers
  6. Email addresses -- All email addresses
  7. Social Security numbers -- All SSNs
  8. Medical record numbers -- Numbers assigned by the covered entity
  9. Health plan beneficiary numbers -- Numbers assigned by health plans
  10. Account numbers -- Any account number
  11. Certificate/license numbers -- Any certificate or license number
  12. Vehicle identifiers and serial numbers -- Including license plate numbers
  13. Device identifiers and serial numbers -- Including medical device UDIs
  14. Web URLs -- Any web universal resource locator
  15. IP addresses -- Any internet protocol address number
  16. Biometric identifiers -- Fingerprints, voiceprints, retinal scans
  17. Full-face photographs -- Any comparable images
  18. Any other unique identifying number, characteristic, or code -- Except as permitted for re-identification under 164.514(c)

PHI vs. ePHI

PHI

Protected Health Information in any form -- paper records, oral communications, electronic data. Governed by the Privacy Rule (45 CFR Part 164, Subpart E).

ePHI

Electronic Protected Health Information -- PHI that is created, received, maintained, or transmitted in electronic form. Governed by both the Privacy Rule and the Security Rule (45 CFR Part 164, Subpart C).

De-identification Methods

Expert Determination

45 CFR 164.514(b)(1)

A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies such principles and methods and determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual. The methods and results of the analysis must be documented.

Safe Harbor

45 CFR 164.514(b)(2)

All 18 categories of identifiers listed above are removed, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual.
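As an added illustration (not code from the original page), the following Python routine applies the Safe Harbor rules above to one record: it drops the direct identifiers, reduces dates to the year, collapses ages over 89 into a single "90+" category (dropping the birth year in that case, since it would reveal the age), keeps the first 3 ZIP digits only when a population table says the unit exceeds 20,000 people, and scrubs common identifier patterns from free-text notes. The population table, field names, regex patterns and sample record are constructed assumptions, not anything from the regulation.

```python
import re
from datetime import date
# Constructed 3-digit ZIP population table; a real run loads census figures.
ZIP3_POPULATION = {"021": 700_000, "036": 16_000}
# Fields that Safe Harbor identifiers 1 and 4-10 require removing outright.
DIRECT_IDENTIFIERS = ("name", "phone", "fax", "email", "ssn", "mrn", "account")
# Crude free-text patterns; SSN runs first so 3-2-4 is not taken as a phone.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Identifier 2: keep 3 digits only if that unit has >20,000 people."""
    prefix = zip_code[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def generalize_date(d):
    """Identifier 3: every element of a date except the year is removed."""
    return str(d.year)

def age_category(birth, as_of):
    """Ages over 89 collapse into the single category '90+'."""
    birthday_passed = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if birthday_passed else 1)
    return "90+" if age > 89 else str(age)

def scrub_text(text):
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record, as_of):
    """Apply the Safe Harbor transformations to one patient record (dict)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    dob = out.pop("dob")
    out["age"] = age_category(dob, as_of)
    # For 90+ the birth year is itself an age-revealing date element: drop it.
    out["birth_year"] = None if out["age"] == "90+" else generalize_date(dob)
    out["admission"] = generalize_date(out["admission"])
    out["zip3"] = generalize_zip(out.pop("zip"))
    out["notes"] = scrub_text(out["notes"])
    return out

# Constructed sample record and reference date (not real patient data).
AS_OF = date(2023, 6, 1)
SAMPLE = {"name": "Jane Q. Example", "dob": date(1931, 5, 14), "zip": "03601",
          "admission": date(2023, 2, 3), "phone": "617-555-0100",
          "notes": "Pt reachable at 617-555-0100, SSN 123-45-6789; lives near 02139."}
```

The regex scrub is a coarse safety net for free text; Safe Harbor also requires the "no actual knowledge" condition, which no script can check for you.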

What is NOT PHI

The following are commonly mistaken for PHI but do not meet the regulatory definition:

  • De-identified data -- information that has been de-identified per 45 CFR 164.514(a)-(c) is no longer PHI and is not subject to HIPAA.
  • Employment records -- health information held by a covered entity in its role as employer (not as health care provider) is not PHI under HIPAA, though it may be protected by other laws.
  • Education records -- records held by educational institutions are covered by FERPA, not HIPAA.
  • Data held by non-covered entities -- fitness trackers, health apps, and consumer health devices not operated by or on behalf of a covered entity are generally not subject to HIPAA (though they may be subject to FTC or state laws).

Practical Guidance

When in doubt about whether information constitutes PHI, apply the conservative interpretation: if the data relates to health and could reasonably identify an individual, treat it as PHI. The penalties for unauthorized disclosure of PHI range from $100 to $50,000 per violation under 45 CFR 160.404, with an annual maximum of $1.5 million per violation category. Criminal penalties under 42 USC 1320d-6 can include fines up to $250,000 and imprisonment up to 10 years.