
What Is PHI in HIPAA: 18 Identifiers With Examples (2025)

Data is both a benefit and a drawback in the current digital healthcare environment. In addition to being vital for providing care, the data gathered by clinics, hospitals, insurance companies, and other healthcare organizations is extremely sensitive. This information is known as Protected Health Information (PHI), and under the Health Insurance Portability and Accountability Act (HIPAA), it must be safeguarded against misuse, exposure, or unauthorized access.

For healthcare organizations and their business associates, understanding PHI in HIPAA is not optional; it’s a legal requirement and a cornerstone of HIPAA compliance requirements.

HIPAA defines PHI by listing 18 HIPAA identifiers, which, when combined with health-related data, can directly or indirectly identify an individual. These identifiers range from names and addresses to biometric identifiers and IP addresses.

What Does PHI Mean?

Protected Health Information, or PHI, is a fundamental idea in HIPAA rules. In a nutshell, PHI is any data that can be connected to a specific person and is related to that person’s health, medical treatment, or payment for medical services. PHI might be spoken, written, or electronic, and is not just found in medical records.

Key aspects of PHI include:

  • Individually Identifiable: Information must be capable of identifying the individual directly or indirectly.
  • Health-Related: It must relate to a person’s past, present, or future health condition or treatment.
  • Linked to Payment or Services: It includes details about health insurance, billing, or payment for healthcare services.

Why PHI Is Important for HIPAA Compliance

The foundation of HIPAA compliance requirements is PHI. HIPAA was passed in order to safeguard individuals’ private health information while allowing the exchange of medical records for operations, payment, and treatment.

Major consequences can arise from improper PHI management, including:

  • Legal Penalties: HIPAA violations can result in fines ranging from $100 to over $1.5 million per year, depending on severity.
  • Reputational Damage: Patients and clients lose trust when their health data is compromised.
  • Operational Disruption: Data breaches often require extensive remediation, audits, and security overhauls.

PHI is critical because it defines the scope of what healthcare organizations must protect. Every element in the HIPAA identifiers list, when linked with health data, becomes PHI, triggering legal obligations to safeguard it.

PHI isn’t just data; it’s the key metric that determines whether an organization meets HIPAA PHI compliance standards. Proper understanding and management of PHI are essential to protect patients and maintain trust in a healthcare system increasingly dependent on digital information.

The 18 HIPAA Identifiers

The HIPAA identifiers list specifies 18 types of data that, when associated with health information, make it Protected Health Information (PHI). Below, we explain each identifier with practical Protected Health Information examples.

  1. Names

    • Full name, maiden name, or even initials if linked with health data.
    • Example: “John D. – Cancer treatment notes.”
  2. Geographic Data

    • Street address, city, county, ZIP code, or anything more specific than the first three digits of a ZIP code.
    • Example: “123 Oak Street, Chicago, IL – patient billing statement.”
  3. All Elements of Dates (Except Year)

    • Birthdate, admission date, discharge date, death date, and exact ages over 89.
    • Example: “Admitted on March 10, 2024, for heart surgery.”
  4. Telephone Numbers

    • Any personal or work number tied to health records.
    • Example: “Patient follow-up call scheduled at (555)-123-4567.”
  5. Fax Numbers

    • Though less common today, many healthcare systems still use faxes.
    • Example: Lab results sent to “(555)-654-3210.”
  6. Email Addresses

    • Both personal and work-related emails containing PHI.
    • Example: “MRI scan results sent to jane.doe@email.com.”
  7. Social Security Numbers (SSNs)

    • One of the most sensitive identifiers.
    • Example: “SSN: 123-45-6789 in hospital billing.”
  8. Medical Record Numbers

    • Unique identifiers tied directly to a patient’s records.
    • Example: “Patient ID MRN-234567.”
  9. Health Plan Beneficiary Numbers

    • Used by insurers and health plans.
    • Example: “Medicare ID 987654321.”
  10. Account Numbers

    • Any billing or payment account numbers tied to care.
    • Example: “Account #002347 for surgical payment.”
  11. Certificate/License Numbers

    • Driver’s licenses or professional healthcare licenses.
    • Example: “Nursing license number associated with patient records.”
  12. Vehicle Identifiers and Serial Numbers

    • License plates or vehicle identification numbers (VINs), if linked to health information.
    • Example: “Accident report for patient with vehicle plate ABC-123.”
  13. Device Identifiers and Serial Numbers

    • Devices used in patient care (pacemakers, implants, wearables).
    • Example: “Pacemaker Serial #X123 tied to patient monitoring.”
  14. Web URLs

    • Links that reveal patient portals or health-related accounts.
    • Example: “https://hospital.com/patient/johnsmith.”
  15. IP Addresses

    • Identifiers for patient logins or telehealth sessions.
    • Example: “Telehealth login from IP 192.168.1.1.”
  16. Biometric Identifiers

    • Fingerprints, voiceprints, retinal scans, or facial recognition data.
    • Example: “Fingerprint used for secure hospital entry.”
  17. Full Face Photographic Images and Comparable Images

    • Any image where the patient can be recognized.
    • Example: “Profile photo in medical chart.”
  18. Any Other Unique Identifying Code, Characteristic, or Number

    • Catch-all for identifiers not listed but unique to an individual.
    • Example: “Unique patient wristband code XZY456.”
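As an added example (not code from the original article), the Python below applies the Safe Harbor rules from the list above to a constructed sample record: it removes SSNs, email addresses, IP addresses and phone numbers, reduces dates to the year, keeps only the first three digits of a ZIP code, and collapses exact ages over 89. The sample record, the rule set and the placeholder tokens are assumptions; names and street addresses are intentionally left for human review.

```python
import re

# Safe Harbor style de-identification for a subset of the 18 identifiers above.
# Each rule is (identifier, compiled pattern, replacement); the order matters so
# that a digit run removed by one rule is not re-matched by a looser later one.
MONTHS = ("January|February|March|April|May|June|July|August|September|"
          "October|November|December")
RULES = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),                     # 7
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),             # 6
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),                 # 15
    ("phone", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),  # 4, 5
    # Dates: keep only the year (3).
    ("date",  re.compile(rf"\b(?:{MONTHS})\s+\d{{1,2}},?\s+(\d{{4}})\b"), r"\1"),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
    # ZIP codes: keep only the first three digits (2).
    ("zip",   re.compile(r"\b(\d{3})\d{2}\b"), r"\1XX"),
]
# Exact ages over 89 are an identifier (3); they are collapsed into one bucket.
AGE_RE = re.compile(r"\b(age|aged)\s+(\d{1,3})\b", re.IGNORECASE)

# Constructed sample record, not real patient data; it combines several of the
# identifiers above with health information so that every rule fires.
SAMPLE_RECORD = (
    "Patient John D., age 92, SSN 123-45-6789, DOB 03/10/1932, admitted on "
    "March 10, 2024 for heart surgery. Address: 123 Oak Street, Chicago, IL 60614. "
    "Follow-up call (555)-123-4567; results to jane.doe@email.com. "
    "Telehealth login from IP 192.168.1.1."
)

def _generalize_age(m: re.Match) -> str:
    return f"{m.group(1)} 90+" if int(m.group(2)) > 89 else m.group(0)

def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Apply the rules and report how many hits each identifier produced.
    Names (identifier 1) and street addresses are deliberately not handled:
    they need a name dictionary or NER, so the output still needs review.
    """
    counts: dict[str, int] = {}
    for name, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        if n:
            counts[name] = counts.get(name, 0) + n
    over_89 = sum(1 for m in AGE_RE.finditer(text) if int(m.group(2)) > 89)
    if over_89:
        counts["age_over_89"] = over_89
    return AGE_RE.sub(_generalize_age, text), counts
```

The returned counts double as a quick audit of which identifier types a document contained before release.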

PHI vs PII: Understanding the Difference

Despite their apparent similarities, personally identifiable information (PII) and protected health information (PHI) have different uses and are subject to separate laws. For HIPAA compliance as well as more general cyber compliance initiatives, it is essential to understand the difference.

Personally Identifiable Information (PII) refers to any information that can identify an individual, whether or not it relates to their health. PII is a broader category used in various contexts, including finance, education, and government.

Examples of PII:

  • Social Security numbers
  • Email addresses
  • Phone numbers
  • Driver’s license numbers
  • Financial account details

PII is governed by privacy laws like GDPR, CCPA, and federal regulations, depending on the context and region.

How PHI Is Used in Healthcare

Protected Health Information (PHI) is at the heart of modern healthcare, enabling providers to deliver quality care while maintaining patient privacy. PHI is used in various aspects of healthcare operations, including:

1) Treatment and Care Coordination

PHI allows healthcare professionals to access comprehensive patient histories, lab results, imaging, and medications, ensuring informed decision-making.
Example: A cardiologist reviews a patient’s past ECG reports and medication history before prescribing a new treatment plan.

2) Payment and Billing

Health insurers and healthcare providers rely on PHI to process claims, invoices, and reimbursements accurately.
Example: A hospital bills a patient’s insurance using their health plan number and details of procedures performed.

3) Healthcare Operations

PHI supports administrative functions, audits, quality assessment, and staff training, helping organizations maintain high standards of care.
Example: Analyzing patient data trends to improve emergency room response times.

4) Research and Public Health

De-identified PHI is essential for clinical studies, epidemiology, and public health reporting, enabling advancements in medical knowledge without compromising individual privacy.
Example: Aggregated patient data is used to track COVID-19 trends while protecting individual identities.

5) Patient Communication

PHI ensures secure communication between providers and patients, from test results to appointment reminders and telehealth services.
Example: Sending lab results to a patient’s encrypted patient portal account.

Common PHI Violations and Risks

Mishandling PHI puts healthcare institutions at serious risk. In addition to jeopardizing patient privacy, violations may result in monetary fines and reputational harm. Common PHI violations and risks include:

  1. Unauthorized Access
  2. Data Breaches
  3. Improper Disposal
  4. Lost or Stolen Devices
  5. Insufficient Data Encryption

How to Protect PHI in Your Organization

Protecting Protected Health Information (PHI) is essential for healthcare organizations, not only to meet HIPAA compliance requirements but also to maintain patient trust and minimize the risk of costly data breaches.

One of the first steps in protecting PHI is implementing role-based access controls. Not every employee needs full access to patient records; access should be strictly limited to those whose roles require it. Adding multi-factor authentication (MFA) ensures that even if login credentials are compromised, unauthorized access can be prevented.

Encryption is another critical safeguard. All electronic PHI (ePHI), whether stored in electronic medical records, cloud databases, or transmitted through patient portals, should be encrypted. For instance, lab results sent to patients via a secure portal must be encrypted end-to-end to maintain confidentiality.

Staff training plays a central role in protecting PHI as well. Employees must understand HIPAA regulations, how to handle sensitive information, and how to recognize phishing attempts or other cyber threats. Training should be continuous, with refresher sessions and simulated security incidents to reinforce proper behavior.

In addition to technical safeguards, monitoring and auditing systems is essential. Maintaining detailed logs of who accesses PHI, when, and from which device allows organizations to detect unusual patterns that may indicate unauthorized activity.
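As an added example (not from the original article), the Python below turns the three logging dimensions named above, who accessed PHI, when, and from which device, into concrete review flags over a handful of constructed access-log lines. The log format, the care-team assignments, the known-device inventory and the business-hours window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed PHI access-log lines, not from any real system.
# Fields: timestamp | user | role | patient MRN | device id
ACCESS_LOG = """\
2024-03-10T09:15:00 | dr.lee | physician | MRN-234567 | WS-101
2024-03-10T09:40:00 | nurse.kim | nurse | MRN-234567 | WS-102
2024-03-10T23:05:00 | billing.ann | billing | MRN-234567 | WS-310
2024-03-11T10:00:00 | dr.lee | physician | MRN-234567 | LAPTOP-9
2024-03-11T10:05:00 | front.desk | reception | MRN-234567 | WS-001
"""

# Hypothetical reference data: which users are assigned to each patient (the
# role-based access list) and which devices each user has been seen on before.
CARE_TEAM = {"MRN-234567": {"dr.lee", "nurse.kim", "billing.ann"}}
KNOWN_DEVICES = {
    "dr.lee": {"WS-101"}, "nurse.kim": {"WS-102"},
    "billing.ann": {"WS-310"}, "front.desk": {"WS-001"},
}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


@dataclass
class Access:
    when: datetime
    user: str
    role: str
    mrn: str
    device: str


def parse_log(text: str) -> list[Access]:
    """Turn the pipe-delimited log lines into Access records."""
    entries = []
    for line in text.splitlines():
        when, user, role, mrn, device = (f.strip() for f in line.split("|"))
        entries.append(Access(datetime.fromisoformat(when), user, role, mrn, device))
    return entries


def audit(entries: list[Access]) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for accesses that deserve a reviewer's attention."""
    findings = []
    for e in entries:
        if e.user not in CARE_TEAM.get(e.mrn, set()):
            findings.append((e.user, "not_on_care_team"))   # who
        if e.when.hour not in BUSINESS_HOURS:
            findings.append((e.user, "after_hours"))        # when
        if e.device not in KNOWN_DEVICES.get(e.user, set()):
            findings.append((e.user, "unknown_device"))     # which device
    return findings
```

Each flag is a prompt for a human to check the access against a documented reason, not a verdict; an after-hours access by an on-call clinician is normal, but it should still be traceable.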

PHI in Electronic Records vs Paper Records

Protected Health Information (PHI) exists in both electronic and paper formats, and each presents unique challenges for security and compliance. Understanding the differences between electronic PHI (ePHI) and paper-based PHI is critical for implementing effective safeguards across your organization.

Electronic PHI (ePHI) is stored in electronic medical records (EMRs), cloud databases, patient portals, and other digital systems. Its advantages include ease of access, faster sharing between healthcare providers, and the ability to integrate with analytics tools for better patient care. However, ePHI is vulnerable to cyber threats, such as ransomware, phishing attacks, and unauthorized access.

On the other hand, paper-based PHI includes printed medical charts, billing forms, prescription notes, and handwritten documentation. While paper records are immune to hacking, they are susceptible to loss, theft, and unauthorized viewing. Protecting paper PHI requires strong physical security protocols, such as locked cabinets, controlled access areas, visitor monitoring, and secure disposal practices like shredding outdated documents.

Both forms of PHI demand careful handling. Organizations must implement integrated policies that address the security, access, and lifecycle management of PHI, regardless of its format.

Understanding PHI in HIPAA and its associated 18 HIPAA identifiers is essential for any organization handling healthcare data. Protecting PHI is not just about legal compliance; it is about safeguarding patient trust and maintaining operational integrity.

At CyberShield CSC, we help organizations strengthen HIPAA compliance, implement PHI security best practices, and stay one step ahead of evolving threats.

Frequently Asked Questions

HIPAA regulations identify 18 specific elements as PHI identifiers. These include names, addresses, dates of birth, Social Security numbers, medical record numbers, and other unique identifiers that can tie health information to an individual.

PHI can exist in any format, not just electronic. HIPAA recognizes electronic PHI (ePHI), paper records, and oral communication.

PHI is used to deliver healthcare services, process payments, and manage healthcare operations. For example, physicians rely on PHI to diagnose and treat patients.

The 18 identifiers outlined by HIPAA are considered PHI when linked with medical information. These include personal details like name, address, phone number, email, and SSN as well as healthcare identifiers such as medical record numbers, account numbers, and insurance IDs.