What is individually identifiable health information?


The Health Insurance Portability and Accountability Act of 1996 sets out to ensure the security and privacy of patient data. But only a subset of health information is covered by HIPAA. It must be “individually identifiable health information”, which leads us to the question: what is individually identifiable health information? How can it be distinguished from other sorts of information? And why is it so important to protect?

Before answering “what is individually identifiable health information”, it would be useful to define what “health information” is in the context of HIPAA. In a nutshell, health information is any data that contains details of past, present, or future medical conditions (physical or mental), the treatments for those conditions, and the payment for those treatments. 

Additionally, HIPAA only applies to health information that has been generated, received, or is maintained by a HIPAA Covered Entity or its Business Associate. Covered Entities are health plans, healthcare providers, or healthcare clearinghouses that handle PHI. They may enter into a Business Associate Agreement with a third party (who then becomes a Business Associate), who will then undertake certain actions on behalf of the Covered Entity. Both Covered Entities and Business Associates have responsibilities under HIPAA. 

So, that clarifies what health information is. But HIPAA applies explicitly to “protected health information”, or PHI. This PHI is set apart from other health information as it contains one of 18 HIPAA identifiers, pieces of demographic, social, and economic information that can be used to trace the identity of an individual. 

The 18 identifiers are as follows: 

  1. Full name or last name and initial(s)
  2. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code cover an area containing 20,000 or fewer people, they are changed to 000
  3. Dates directly related to an individual, other than year
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

It goes without saying that these identifiers are very sensitive in nature. If a criminal accessed them, they could be used for identity theft or insurance fraud, leaving the patient vulnerable to the consequences of both of these acts. It is because of this threat, and others, that HIPAA has so many requirements in place to safeguard a patient’s identifiable information. 


However, it is possible to “de-identify” PHI by removing these 18 identifiers (or ensuring that the remaining ones are sufficiently generic that an individual’s identity cannot be traced). Doing so would mean that the health information is no longer considered to be PHI, and therefore not protected by HIPAA. 
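The de-identification step described above, sketched for a structured record. This is an added example, not part of the original article; the field names, the allow-list and the set of low-population zip prefixes are assumptions made for illustration.

```python
import datetime

# Field names are assumptions for this example; map them to your own schema.
SAFE_FIELDS = {"diagnosis_code", "procedure_code", "sex"}  # pass through unchanged
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Constructed sample of 3-digit zip prefixes covering 20,000 or fewer people;
# load the real set from current census data.
LOW_POPULATION_PREFIXES = {"036", "059"}

def generalize_zip(zip_code, low_pop=LOW_POPULATION_PREFIXES):
    """Keep only the first three zip digits, or 000 for small populations."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:  # malformed input: suppress rather than guess
        return "000"
    prefix = digits[:3]
    return "000" if prefix in low_pop else prefix

def year_only(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year; None if unparseable."""
    try:
        return datetime.date.fromisoformat(str(value)).year
    except ValueError:
        return None

def deidentify(record):
    """Return (clean_record, dropped_fields) using an allow-list.

    Anything not explicitly known to be safe is dropped, so a new
    identifier field added upstream cannot leak through unnoticed.
    """
    clean, dropped = {}, []
    for key, value in record.items():
        if key == "zip":
            clean["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            clean[key.replace("_date", "_year")] = year_only(value)
        elif key in SAFE_FIELDS:
            clean[key] = value
        else:
            dropped.append(key)
    return clean, sorted(dropped)

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Doe", "email": "jane@example.com",
          "ip_address": "192.0.2.10", "zip": "03601-1234",
          "birth_date": "1984-07-12", "diagnosis_code": "E11.9",
          "notes": "seen with spouse"}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Free-text fields such as `notes` are dropped rather than scrubbed, because identifiers embedded in prose cannot be removed reliably by field name alone.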

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/