18 HIPAA PHI Identifiers
HIPAA regulations are in place to ensure that, as a healthcare business, you protect and secure the patient data you collect and have access to. The Department of Health and Human Services (HHS) has identified 18 patient identifier categories in its guidance on satisfying the safe harbor method for de-identification under §164.514(b):
- Name of the patient or individual
- Address – this includes any geographical subdivision smaller than the state of residence, including street address, city, county, ZIP code, precinct, and equivalent geocodes. There are additional criteria for ZIP codes, which can be found here
- Any Date – any date directly related to an individual, including admission and discharge dates, birth date, date of death, and any date indicative of an age over 89 (unless aggregated into a single category of age 90 and over)
- Telephone Number – this would include home and mobile numbers
- Fax Number – while not as common today, it is still included in the list of identifiers
- Email Address
- Social Security Number
- Medical Record Number – these are associated with your charts and medical data
- Health Plan Beneficiary Number – the number assigned to you within the health insurance system
- Account Number – can apply to multiple records
- Certificate or License Number – such as your driver’s license, CPR certification number, passport, etc.
- Vehicle Identifier – any VIN or serial number, as well as license plate numbers
- Device Identifier or Serial Number – medical devices used in your treatments or during procedures
- Web Universal Resource Locators (URLs) – websites used or accessed can reveal an online history
- Internet Protocol (IP) Address – this can be used to track your location
- Biometric Identifiers – facial recognition, fingerprint scans, etc.
- Full Face Photo – combined with other PHI, this can allow for a fraudulent identity to be created
- Any other unique identifying numbers, characteristics, or codes
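As an added illustration (not code from the original article), the following Python check applies the list above to a constructed patient record: it drops the direct identifiers, keeps only the year of dates and aggregates ages over 89 into a single "90+" category, reduces the ZIP code to its first three digits (or 000 for a sparsely populated three-digit area, supplied here as an assumed input set), and flags identifier patterns left behind in free-text notes for review. Field names, regexes, the sample record and the sparse-prefix set are all assumptions made for the example.

```python
import re
from datetime import date

# Simple regexes for a few of the listed identifier categories, used to flag
# leaks in free-text fields such as clinician notes (added example code).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d+\b", re.IGNORECASE),
}

def flag_identifiers(text):
    """Return the identifier categories detected in a free-text field."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def generalize_birth(birth, as_of):
    """Keep only the year of a birth date; for ages over 89 drop the year
    too and report the aggregated category '90+' (the list's age rule)."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    if age > 89:
        return {"birth_year": None, "age": "90+"}
    return {"birth_year": birth.year, "age": age}

def generalize_zip(zip5, low_population_prefixes):
    """Keep the first three ZIP digits, or '000' when that three-digit area is
    sparsely populated (the 'additional criteria' the list refers to). The
    prefix set is an assumed input; in practice it comes from census data."""
    prefix = zip5[:3]
    return "000" if prefix in low_population_prefixes else prefix

def deidentify(record, as_of, low_population_prefixes):
    """Apply the safe harbor rules to one record: remove direct identifiers,
    generalize date and ZIP, and report any identifiers left in free text."""
    direct = {"name", "ssn", "phone", "email", "mrn", "ip", "photo_ref"}
    out = {k: v for k, v in record.items() if k not in direct}
    out.update(generalize_birth(out.pop("birth_date"), as_of))
    out["zip"] = generalize_zip(out["zip"], low_population_prefixes)
    out["notes_leaks"] = flag_identifiers(out["notes"])
    return out

# Constructed sample record, reference date and sparse ZIP prefix set.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-00012",
    "birth_date": date(1930, 5, 4), "zip": "03601",
    "notes": "Pt called from 555-123-4567; follow up via jane@example.org",
}
AS_OF = date(2024, 1, 1)
SPARSE_PREFIXES = {"036", "059"}
```

Running `deidentify(SAMPLE, AS_OF, SPARSE_PREFIXES)` returns a record with no name, SSN or MRN, ZIP 000, age 90+, and `notes_leaks` listing the email and phone number still present in the notes.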
Why It Matters
Knowing what counts as a PHI identifier will help you ensure you are protecting the appropriate data. This is critical both for HIPAA compliance and because this information is valuable to the cyber-criminal community. While an individual piece of data may not seem like it can cause harm if stolen, combined with other records about an individual found online and on the dark web, it can wreak havoc in that individual's life. Protecting your business and protecting your patients' information are not always the same thing, and strong cybersecurity practices put in place alongside your HIPAA compliance posture will increase your defense against cybercrime.