
What is a HIPAA Identifier and How is it Used?

“Identity theft is not a joke, Jim. Millions of families suffer every year.” – Dwight Schrute. Remember this iconic line from The Office? While the show used it to ridicule his social awkwardness, the statement is very true in real life.

Patient health information is valuable in the black market and can be used to extract information on the individual it belongs to. This has significantly increased data theft cases in the medical industry – making it the top target for breaches.

To curb this, the Health Insurance Portability and Accountability Act (HIPAA) laid down guidelines around specific attributes of patient data that can be used to identify an individual, known as HIPAA identifiers.

Keep reading to learn what a HIPAA identifier is, the 18 HIPAA identifiers, and the rules around it.

What are the HIPAA identifiers?

HIPAA identifiers refer to specific attributes of patient data that can be used to identify an individual. Healthcare organizations or service providers use, create, or disclose these identifiers during the course of treatment. They may contain direct or quasi-identifiers and can exist in electronic format, on paper, or another medium.

Passports or social security numbers are direct identifiers: each can be used to identify a person on its own, and no two individuals share the same direct identifier. Race, gender, or name are examples of quasi-identifiers: on their own they are ambiguous, but combining two or more of them can be enough to identify an individual.

It is important to understand the distinction between PII and PHI. While HIPAA identifiers overlap with personally identifiable information (PII), HIPAA specifically regulates Protected Health Information (PHI), not PII in general. PHI is created when any of the 18 HIPAA identifiers are linked to an individual’s health information, such as a physical or mental health condition or a healthcare transaction. HIPAA does not govern all PII, only information that meets this specific threshold.

If you are a HIPAA covered entity (CE) or Business Associate (BA), ensuring the security and privacy of PHI is a non-negotiable compliance obligation.

“HIPAA doesn’t protect all personal information, only PHI. PII becomes PHI the moment it is linked to an individual’s health data.”
Sneha Shenoy, Infosec Compliance Analyst

HIPAA regulations include de-identification standards that require removing or coding identifiers so that individuals cannot be re-identified. HIPAA certification has additional standards to protect PII from re-identification. If a code replaces an identifier, the code must not be derived from information related to the individual, and the method used to generate the codes must not be disclosed. For example, you cannot use a person’s initials to code their data, since the initials are directly obtained from the name.

List of HIPAA identifiers


There are a total of 18 identifiers in HIPAA. These are:

  1. Name
  2. Geographical location: all geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, and their equivalent geocodes. The initial three digits of a ZIP code are an exception, based on current data from the Bureau of the Census, under two conditions:
  • the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  • the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. Dates: all elements of dates (except the year) directly related to an individual, including:
  • Birth date
  • Admission date
  • Discharge date
  • Date of death
  • All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c)
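Three of the rules above have a computable shape: the three-digit ZIP exception with its 20,000-person threshold, the "year only" rule for dates, and the collapse of ages over 89 into a single 90+ category (which also means the birth year of such a person must be dropped, since it is indicative of the age). The following Python is an added example written for this article, not code from Sprinto or from any HIPAA guidance; the population lookup table, the record fields, and the sample patient are all constructed placeholders, and real prefix populations must come from current Bureau of the Census data.

```python
# Added example: a minimal Safe Harbor-style transform for ZIP codes, dates and
# ages. Not from the blog or from Sprinto; the population table is a constructed
# placeholder, real figures must come from current Bureau of the Census data.
from datetime import date
import re

# Constructed lookup: three-digit ZIP prefix -> population of the geographic
# unit formed by all ZIP codes sharing that prefix. Placeholder numbers only.
SAMPLE_PREFIX_POPULATION = {
    "100": 1_500_000,  # well above the 20,000 threshold: prefix may be kept
    "036": 15_000,     # 20,000 or fewer people: prefix must become 000
}

ZIP_POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages over 89 collapse into a single "90+" category


def safe_harbor_zip(zip_code, prefix_population):
    """Reduce a ZIP code to its first three digits, or to 000 when the combined
    population for that prefix is 20,000 or fewer (or simply unknown)."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a five-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    # Unknown prefixes are treated conservatively: without evidence that the
    # unit is large enough, the prefix is suppressed.
    population = prefix_population.get(prefix, 0)
    return prefix if population > ZIP_POPULATION_THRESHOLD else "000"


def safe_harbor_year(d):
    """Keep only the year of a date directly related to an individual."""
    return str(d.year)


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > AGE_CAP else str(age)


def deidentify_record(record, prefix_population, as_of):
    """Build a new record containing only Safe Harbor-permitted fields.

    Fields that are not explicitly copied (name, medical record number, ...)
    are dropped rather than masked, so an unlisted identifier cannot leak
    through by accident.
    """
    birth = record["birth_date"]
    age = age_on(birth, as_of)
    out = {
        "zip3": safe_harbor_zip(record["zip"], prefix_population),
        "admission_year": safe_harbor_year(record["admission_date"]),
        "age": safe_harbor_age(age),
    }
    # For ages over 89 even the birth year is indicative of the age and must go.
    out["birth_year"] = None if age > AGE_CAP else safe_harbor_year(birth)
    return out


# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "zip": "03601-1234",
    "birth_date": date(1930, 6, 1),
    "admission_date": date(2023, 11, 15),
    "medical_record_number": "MRN-EXAMPLE-0001",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, SAMPLE_PREFIX_POPULATION, date(2024, 1, 1)))
```

Two design choices are worth noting. The output is built by allow-listing the fields that may survive rather than by deleting known identifiers, so a new column in the source data (a fax number, a device serial) never reaches the de-identified set unless someone deliberately adds it. And an unknown ZIP prefix is treated as if its population were zero, so a stale or incomplete Census table fails toward suppression rather than toward disclosure.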

HIPAA identifier under the privacy rule

HIPAA identifiers are sensitive information that can be used to identify a person. Their protection is split between two rules: the Privacy Rule and the Security Rule. The Privacy Rule focuses on the protection of all forms of Protected Health Information (PHI), whether electronic, paper-based, or verbal, and also sets standards for the use and disclosure of PHI.

Under the Privacy Rule, individuals’ medical records and other personal health information containing these identifiers are protected without disrupting the flow of information needed to provide a high standard of care.

Here are HIPAA Privacy Rules outlining patient rights concerning their PHI:

  • Notice of Privacy Practices (NPP): Patients must receive an NPP upon admission, in a way that’s easy to understand. The NPP explains how PHI may be used and disclosed, clearly outlines patient rights including how to file complaints, and details the permitted and prohibited uses of PHI covered by the entity.
  • Ability to request medical records: Patients have the right to access their medical records upon request by completing an authorization form. This right is subject to identity verification and to limited exceptions, for instance where a healthcare provider restricts access for specific clinical or legal reasons.
  • Requesting Amendments to medical records: The HIPAA Privacy Rule also grants patients the right to request corrections of any inaccuracies. 
  • Parental access to a minor’s medical records: Generally, parents or legal guardians can access the medical records of minors. However, there are specific circumstances where this access is restricted, such as when a minor consents to treatment that doesn’t require parental approval, or a court mandates care.

HIPAA identifiers under the security rule

The Security Rule places a stronger focus on the protection and administration of information through digital and physical security measures. It applies primarily to electronic Protected Health Information (ePHI), setting standards for securing ePHI created, received, used, or maintained by an entity.

The aim is to protect the confidentiality, integrity, and availability of ePHI through technical, physical, and administrative safeguards.

Here’s what each of these properties means:

  • Confidentiality: Ensures PHI is accessed only by authorized individuals and not disclosed improperly
  • Integrity: Ensures PHI is not altered or destroyed in an unauthorized manner
  • Availability: Ensures PHI is accessible to authorized users when needed for care or operations.

What is not a HIPAA identifier?

De-identified data, meaning health information that cannot be used to identify an individual and provides no reasonable basis for identifying them, is not a HIPAA identifier.

Health information that does not fall within the 18 identifiers and has a very low chance (as determined by an expert using a statistical or scientific method) of being used individually or in combination with others to identify a person is considered de-identified data. 

HIPAA laws do not apply to de-identified data. 

Uses of HIPAA identifier

HIPAA identifiers play a crucial role in the healthcare business. Workers need easy access to these to offer quality care services. 

To balance patient rights against the operational needs of covered entities, HIPAA compliance details some circumstances in which it is permissible to use and disclose PHI without patient authorization. These include cases where you:

  1. Conduct quality assessment and improvement activities
  2. Develop clinical guidelines
  3. Conduct patient safety activities as per applicable regulations
  4. Conduct population-based activities to improve health or reduce healthcare cost
  5. Develop protocols
  6. Conduct case management and care coordination 
  7. Contact healthcare providers and patients to enquire about treatment alternatives
  8. Review qualifications of health care professionals
  9. Evaluate the performance of healthcare providers or health plans 
  10. Conduct training programs or credentialing activities
  11. Support fraud and abuse detection and compliance programs

Conclusion

Remember the line from The Office? If you own a healthcare business or provide service to one, identity theft doesn’t just make families suffer. It makes them sue.

Thankfully, there is a way to prevent this mess in the first place. The Sprinto solution puts rules and controls in your system to secure PII and allow access only to authorized people. It alerts you when someone takes an action that can land you in legal trouble. Sprinto also monitors the system for risky behavior, protecting your PII as well as employee data.

Talk to us to know more about how you can secure your data and avoid non-compliance. 

FAQs 

What is considered a patient identifier?

Data such as name, address, birth date, social security number, and more that can be used to identify a patient is called a patient identifier. 

What are the two most important patient identifiers?

Two patient identifiers are recommended for every interaction: the full name, together with either the date of birth or a medical identification number.

Author: Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.

Reviewer: Sneha Shenoy

Sneha is a Compliance Analyst at Sprinto focused on governance, risk management, and regulatory compliance. She enjoys interpreting and mapping global security frameworks into operational controls, policies, and automated monitoring workflows to help organizations achieve continuous compliance.