The 18 PHI identifiers are specific information that can be used to identify an individual in the context of their health records. These identifiers cover a broad range of personal and demographic details.
According to HHS guidance providing the information that needs to be deidentified, “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI… If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”
HIPAA provides two ways of determining if information is individually identifiable health information. The first is the Expert Determination method, where an expert with knowledge of statistical and scientific principles evaluates the information to determine that the risk of identification is very low, documenting the analysis and outcomes to justify this determination.
The second is the Safe Harbour method where we can find the 18 PHI identifiers as we know it. These identifiers include data points like names, and email addresses, among others. By systematically removing or adequately protecting these identifiers, healthcare providers, insurers, and other covered entities make sure that health information used for research, operations, or other secondary purposes remains anonymous.
Related: What is protected health information (PHI)?
The identifiers under Section 164.514 (b)(2):
When used alongside information such as the patient's mental or physical health treatment or diagnosis, patient names must be secured during transmission and storage.
Geographical elements include street addresses, cities, counties, and zip codes. This data relates to the ability to contact as well as identify the patient and must be adequately secured.
This information includes admission or discharge date, birthdate, death date, and age-indicative dates.
Telephone numbers are considered PHI and require protective measures to prevent unauthorized access or interception.
Similar to a telephone number, fax numbers are considered PHI.
Email addresses can be linked to individuals and associated with a patient's health information. Beyond ensuring HIPAA compliant email, protecting email addresses helps ensure that patient communications remain secure and confidential, reducing the risk of interception or unauthorized access to sensitive information.
A social security number is a numerical identifier assigned to U.S. citizens and other residents to track income and determine benefits.
Medical record numbers are unique identifiers assigned to individuals' health records. Unauthorized access or disclosure of medical record notes can expose sensitive health details, compromising patient confidentiality.
Health insurance beneficiary numbers, similar to medical records, help identify the health insurance holders and therefore pose the risk of compromising patient privacy and could lead to identity theft or fraud. Furthermore, these numbers could be used to steal healthcare benefits.
An account number, a unique digit set identifying your bank account, must be securely maintained to safeguard patients' financial information used for medical payments. This security is crucial to prevent potential financial fraud.
Certificate or license numbers serve as a form of authentication and verification in various contexts. They can be used to confirm an individual's professional qualifications, credentials, or legal permissions. When combined with other personal information, it can potentially be exploited by identity thieves, similar to social security or medical record numbers. Unauthorized access to these numbers could lead to identity theft.
When combined with other personal information, identity thieves can exploit vehicle identifiers.
Device attributes or serial numbers are identifiers tied to electronic devices like smartphones, tablets, or medical devices. These are often interacted with by healthcare providers during the delivery of healthcare services.
Some URLs to web pages or online resources are often used by healthcare providers for numerous purposes, such as patient education or appointment scheduling. Securing these URLs and other digital identifiers bolsters the security of online platforms, prevents unauthorized access, and upholds the confidentiality of patient data.
An IP address is a numerical label assigned to each device connected to a computer network. It serves as a unique identifier for routing data packets across the internet. IP addresses can provide information about the general location or network from which a device is accessing a website or online service.
Biometric information is unique to an individual and can be used to identify or authenticate their identity. As such, it falls within the scope of PHI and is subject to HIPAA's privacy and security requirements.
Related: Balancing Convenience and Privacy with biometric authentication
These images, which capture an individual's facial features and identity, fall within the scope of PHI as they can uniquely identify a patient. Full face photographic images can provide precise and identifiable information about an individual's appearance, making them fall under the category of PHI.
Under HIPAA, other identifying numbers or codes refer to any unique identifiers or codes that can be used to identify an individual. These identifiers may not fall into the specific categories mentioned earlier, but they are still considered PHI if they can be used to identify an individual.
When sharing data in a manner that doesn't align with the Privacy Rule, it's essential to deidentify all of the identifiers mentioned earlier before disclosure. This additional step ensures an added layer of protection for patient information.
In addition to the safeguards and privacy requirements outlined in the Security and Privacy Rule, healthcare professionals are bound by the Minimum Necessary Rule. This rule ensures that only the minimum amount of information necessary is used, shared, and disclosed, protecting patient privacy and reducing the risk of unauthorized access.
By adhering to the Minimum Necessary Rule and deidentifying data as required, healthcare professionals can maintain a high level of confidentiality while fulfilling their duty to provide effective and efficient healthcare services.
Yes, PHI identifiers can be shared without individual consent under certain circumstances.
In medical research, PHI identifiers are typically removed or altered to protect patient confidentiality unless the research is conducted with patient consent or under a special waiver approved by an Institutional Review Board (IRB).