ChartRequest Logo

+1 (888) 895-8366

What are the 18 Identifiers of Protected Health Information?


In 1996, the Department of Health and Human Services (HHS) passed the Health Insurance Portability and Accountability Act (HIPAA). This legislation changed the way healthcare providers could disclose patient information. 

Today, HIPAA requires covered entities and their business associates to protect all individually identifiable health information (IIHI). There’s also personally identifiable information (PII), which is synonymous with IIHI.

If you’d like to read more about HIPAA, click here.

There are 18 identifiers that determine whether individually identifiable health information is also protected health information. Before we discuss PHI, let’s briefly cover (IIHI).


Passed in 2000, the HIPAA Privacy Rule protects all individually identifiable health information (IIHI) from unauthorized use or disclosure by covered entities or their business associates. Whether these professionals share this information electronically, physically, or even orally, they must protect it.

Need to brush up on the Privacy Rule? Click here to learn more!

So what counts as individually identifiable health information? HHS defines IIHI as any information related to:

  1. Any of the individual’s mental health or condition details
  2. Any of the individual’s healthcare details
  3. Payment details for the individual’s care
  4. Information that can identify the individual

When comparing protected health information and individually identifiable health information, think of squares and rectangles. All PHI is also IIHI, but not all IIHI is PHI. You can determine whether any information is PHI or IIHI by checking the 18 identifiers of PHI defined by HHS.


Safeguarding protected health information is a key objective of HIPAA. As such, HHS needed to define what specifically constitutes PHI. 

If IIHI contains at least one of the following details, HHS considers it PHI:

  1. Name: The name(s) of relatives, friends, or anybody else with a connection to the individual.
  2. Address: Any address elements smaller than state.
  3. Dates: Any element of the individual’s notable dates such as date of birth, admission, discharge, death, and exact age if 90 or older.
  4. Telephone Number(s): Any current or previous phone numbers.
  5. Fax Number(s): Any current or previous fax numbers.
  6. Email Address(es): Any current or previous email addresses.
  7. Social Security Number: The individual’s complete or partial SSN.
  8. Medical Record Number: The number your facility assigned the individual.
  9. Health Plan Beneficiary Number: The number assigned to the individual by their health plan.
  10. Account Number(s): Numbers assigned to the individual for any of their accounts.
  11. Certificate or License Number: Any number listed on a certification or license, such as their driver’s license.
  12. Vehicle Identifiers: Information that identifies the individual’s car, such as serial numbers and license plate numbers.
  13. Device Identifiers: Information that identifies the individual’s device, such as serial numbers.
  14.  Web URL: The Uniform Resource Locator (URL) of the individual’s website(s).
  15.  IP Address: The Internet Protocol (IP) Address the individual uses to connect to the internet.
  16.  Biometric Identifiers: The patient’s unique biological characteristics such as fingerprint, voice print, and facial recognition details.
  17.  Photographic Images: Any photograph of the individual, including those that don’t show their face. 
  18.  Other: Any other uniquely characteristic, code, or number that can identify the individual.


When covered entities, business associates, or patients leak protected health information, HIPAA penalties aren’t the only risk. Cybercriminals worldwide stand to gain from using the sensitive information housed in health records.

Whether this information is shared maliciously, used to steal the patient’s identity, or sold illegally, the ramifications of a records breach can be devastating. That’s why ChartRequest prioritizes the security of protected health information.

By exchanging records online with ChartRequest, you can avoid major threat vectors used by hackers, phishers, and other cybercriminals. Click here to learn more about threat vectors in healthcare.

With specialized dashboards for patients, healthcare professionals, and non-healthcare professionals, we’ve created a one-size-fits-all approach to medical record exchange. Additionally, we have unique options for each version so everyone on ChartRequest gets the exact service they need.

Medical record exchange doesn’t need to be complicated. Take the first step, sign up for your ChartRequest account today, and take the secure, compliant release of information into your own hands.

Learn about how our 5 tips for reducing burnout in healthcare can improve staff retention and ensure a great patient experience.
Computer Laptop
Medical records are a crucial aspect of healthcare, providing healthcare providers with comprehensive information about a patient’s medical history. If you’re still keeping records on
Retrieving Client Medical Records
Learn how care coordination software can help your hospital improve the patient experience, reduce overhead costs, and increase revenue.
Information Blocking
The Cures Act information blocking exceptions enable healthcare providers to adjust or decline certain medical records requests.
Accounting Disclosures
An accounting of disclosures is more complicated than one may think, so we've assembled a guide for healthcare providers to navigate accounting requests.
Law Firm
On November 28, 2022, the Substance Abuse and Mental Health Services Administration (SAMHSA) released a Notice of Proposed Rulemaking in collaboration with HHS through OCR.