Protected Health Information

Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained in any form or medium (e.g., electronic, paper, oral) by a covered entity or its business associate.

Individually identifiable health information is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and:

  • that identifies the individual, or
  • for which there is a reasonable basis to believe it can be used to identify the individual.

 

When personally identifiable information is used in conjunction with an individual's physical/mental health or condition, health care, or payment for that health care, it becomes Protected Health Information (PHI). The 18 HIPAA identifiers are listed below.

18 HIPAA Identifiers: 

  1. Names
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code that could uniquely identify the individual

If data contain any of these identifiers, or parts of an identifier (e.g., initials), the data are identifiable. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. For more information about how to de-identify data according to the HIPAA Privacy Rule, refer to the HHS guidance.