There are 18 Identifiers of Protected Health Information (PHI) that you need to understand to secure this valuable information.  

What is PHI?

Protected Health Information (PHI) is any information that shows up in a medical record that can be used to identify an individual that was created, used or disclosed in the course of providing a health care service. For Covered Entities and Business Associates to protect health information, it is important that they are aware of these 18 identifiers that indicate information qualifies as PHI.


The 18 Identifiers of Protected Health Information (PHI)


What information is considered PHI? Under the HIPAA Privacy Rule Identifiers of PHI include the following:

1. Name of the patient or individual

2. Address - this includes any geographical subdivisions smaller than the state of residence, including street address, city, county, zip code, precinct, and equivalent geocodes.  The US Department of Health and Human Services provides additional criteria for identifying zip codes which can be found here

3. Any Date - any date that is directly related to an individual.  This includes dates that identify their admission or discharge date, birth date, death date, and age indicative dates

4. Telephone Number - this includes home and mobile phone numbers

5. Fax Number - while not as common today, it is still included in the list of identifiers

6. Email Address

7. Social Security Numbers

8. Medical Record Number - these are associated with patient charts, medical data and medical records

9. Health Plan Beneficiary Number - the number assigned within the health insurance system

10. Account Number - can apply to multiple records

11. Certificate or License Number - This includes driver's license, CPR certification number, passport, etc. 

12. Vehicle Identifier - any VIN, serial numbers, or license plate numbers

13. Device Identifier or Serial Number - medical devices used in treatments or during procedures

14. Web Universal Resource Locators URL - any websites used or accessed can provide an online history

15.  Internet Protocol (IP) Address - this can be used to track locations

16. Biometric Identifiers - facial recognition, fingerprint scans, etc. 

17. Full Face Photo - combined with other PHI, this can allow for a fraudulent identity to be created 

18. Any other unique identifying numbers, characteristics or codes


What is the difference between PHI and ePHI?

ePHI, or electronic PHI, is protected health information that can be received, transferred, or saved in an Electronic Format. Companies are instructed to adhere to certain safety measures to make sure the information is secure.

You can find ePHI in emails, flash drives, computers, and in cloud hosting platforms. The Security Rule that was passed by HHS (U.S. Department of Health and Human Services) was implemented to protect personal health and sensitive information because when information became electronic, companies and covered entities started handling ePHI as a part of their daily operations. The unwanted disclosure of ePHI, along with unauthorized access, can lead to data breach problems that nobody wants to go through.


Why is Protecting PHI Important?

The availability of PHI is ubiquitous. Protected health information is the reason cyber criminals target healthcare organizations and healthcare clearinghouses. Covered Entities and Business Associates are targeted by cyber criminals because a healthcare data record can be valued up to $250 per record on the black market, compared to $5.40 for a credit card, the next highest valued record. This data has the potential to be extremely profitable to those with malicious intent, thus making it critical for IT professionals to take the necessary steps to secure this information.

If a data breach occurs, it’s important that it's noticed quickly. The longer it takes to detect, the more records the thief can get access to. It can be devastating for a person to have their personal information leaked online as it can take months, and sometimes even years to fully recover.

It’s important that PHI is protected so thieves can’t get access to private health information. Fewer people will deal with these data breaches if their PHI is securely protected. 



Let’s face it, patients expect their providers to protect their private health information. Protecting PHI is critical, therefore understanding what information is considered PHI is necessary to put the safeguards in place to keep it secure.   

Are you doing enough to protect PHI? 

Need help with protecting PHI, meeting HIPAA compliance requirements, or conducting a Security Risk Analysis? Call Intellisuite at 877-843-5767, or Request a Call from an IT Professional Now

If you want to learn about ePHI and the best ways to protect it click this link:

Download Our HIPAA Security Rule Checklist


HIPAA Secure Now

Department of Health and Human Services

Sean Doherty

Written by Sean Doherty