If you're building or scaling a HIPAA-regulated SaaS product, one of the first and most important things you need to do is identify exactly what Protected Health Information (PHI) your system touches.
It’s not just about medical records. HIPAA defines 18 specific identifiers that, when tied to health-related data, constitute PHI. Understanding this list is crucial for your architecture, compliance planning, vendor selection, and product features.
What Is PHI?
Protected Health Information (PHI) is any health information that can be tied to an individual. That includes diagnoses, treatment data, test results, insurance information, and more, but only when linked to an individual’s identity.
So, a blood pressure reading alone? Not PHI.
A blood pressure reading tied to a name or email address? PHI.
The 18 HIPAA Identifiers of PHI
Below is the official list of identifiers that convert otherwise general health data into regulated PHI when linked to a person:
| # | Identifier Type | Example |
|---|---|---|
| 1 | Names | Jane Doe |
| 2 | Geographic subdivisions smaller than a state | 123 Main Street, ZIP 90210 |
| 3 | All elements of dates (except year) for birth, admission, discharge, death | 07/02/2025 |
| 4 | Phone numbers | (555) 123-4567 |
| 5 | Fax numbers | (555) 987-6543 |
| 6 | Email addresses | jane.doe@example.com |
| 7 | Social Security numbers | 123-45-6789 |
| 8 | Medical record numbers | MRN123456 |
| 9 | Health plan beneficiary numbers | Aetna ID #00112233 |
| 10 | Account numbers | Patient billing account 8888 |
| 11 | Certificate/license numbers | Therapist License #CA12345 |
| 12 | Vehicle identifiers and serial numbers, including license plate numbers | Toyota Camry, Plate ABC123 |
| 13 | Device identifiers and serial numbers | Fitbit ID #90210XYZ |
| 14 | Web URLs | www.patient-portal.com/user/janedoe |
| 15 | IP address numbers | 192.168.1.1 (if linked to patient interaction) |
| 16 | Biometric identifiers (e.g., finger, voice prints) | Fingerprint used to access mobile app |
| 17 | Full face photos and comparable images | Uploaded patient selfie for telehealth |
| 18 | Any other unique identifying number, characteristic, or code | QR code tied to patient record |
Source: U.S. Department of Health & Human Services (45 CFR § 164.514(b)(2))
What SaaS Startups Should Do
1. Create a PHI Inventory
Make a spreadsheet or database that lists every user data element your system collects or stores. Tag each one that falls into one of the 18 categories.
2. Consider Hidden Sources
- Metadata (like IPs, device IDs)
- Uploads (photos, PDFs)
- Support tickets (users may share PHI here)
You may expose PHI in:
- Analytics tools
- Logging platforms
- Customer support systems
- Third-party integrations (Zapier, Slack, etc.)
4. Document Everything
Every PHI interaction should be logged and justified. This helps with audits, risk assessments, and your HIPAA documentation.
Common Startup Mistakes
- Assuming email isn’t PHI: If you collect email and discuss health services, it’s PHI.
- Using non-HIPAA analytics or email tools: Many SaaS tools are not HIPAA-compliant and will not sign a BAA.
- Forgetting dev/test environments: PHI often leaks into staging data or QA systems.
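Two of the steps above can be partly automated: building the PHI inventory (step 1) and keeping PHI out of logging, analytics and support sinks that have no BAA. The Python below is an added example, not code from this post or from Security Ideals. Its regular expressions, field-name hints and sample records are constructed for illustration, and it only pattern-matches the identifier categories that have a recognisable textual form (dates, phone numbers, emails, SSNs, MRNs, IP addresses); names, photos, biometrics and other free-form codes still need a human or a model to tag.

```python
"""Detect and redact HIPAA identifiers in text, and tag fields for a PHI inventory.

Added illustration, not code from the original post or from Security Ideals.
The patterns, field-name hints and sample data are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Regular expressions for identifier categories with a recognisable textual form.
# Keys carry the row number from the 18-item table. Names, photos, biometrics and
# "other unique codes" need context (or ML) and are deliberately not matched here.
PATTERNS: Dict[str, re.Pattern] = {
    "03_date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "04_phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "06_email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "07_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "08_mrn": re.compile(r"\bMRN\d{6,}\b"),
    "15_ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Column-name hints (constructed) for fields whose values have no fixed shape.
# Matched on whole underscore-separated tokens so "username" does not hit "name".
NAME_HINTS: Dict[str, Tuple[str, ...]] = {
    "01_name": ("name", "surname", "firstname", "lastname"),
    "02_geo": ("address", "street", "zip", "city"),
    "09_beneficiary": ("member", "beneficiary", "plan"),
    "10_account": ("account", "billing"),
    "13_device": ("device", "serial"),
    "14_url": ("url", "link"),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier category present in text with the values matched."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[category] = hits
    return found


def redact(text: str) -> Tuple[str, List[str]]:
    """Replace each identifier with a category token; return (text, categories hit).

    Meant as a filter in front of log/analytics/support sinks that have no BAA.
    Over-matching (e.g. an IP-looking version string) is the safe direction.
    """
    categories: List[str] = []
    for category, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{category}]", text)
        if count:
            categories.append(category)
    return text, categories


def tag_field(name: str, samples: List[object]) -> List[str]:
    """Tag one field for the inventory from its name and a few sample values."""
    tokens = set(name.lower().split("_"))
    tags = {cat for cat, hints in NAME_HINTS.items() if tokens & set(hints)}
    for value in samples:
        tags.update(find_identifiers(str(value)))
    return sorted(tags)


def build_inventory(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Step 1 of the post: map every field to the identifier categories it carries.

    An empty list means "no identifier found"; health values such as a blood
    pressure reading land here, which matches the post's point that they become
    PHI only through the identifiers stored next to them.
    """
    fields = {key for record in records for key in record}
    return {
        f: tag_field(f, [r[f] for r in records if f in r]) for f in sorted(fields)
    }


# Constructed sample data: one patient record and one support-ticket log line.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"full_name": "Jane Doe", "email": "jane.doe@example.com", "dob": "07/02/2025",
     "mrn": "MRN123456", "zip": "90210", "last_login_ip": "192.168.1.1",
     "systolic_bp": 128},
]
SAMPLE_LOG = ("support ticket 8821: patient jane.doe@example.com (MRN123456) "
              "called from (555) 123-4567, ssn 123-45-6789 on file")

if __name__ == "__main__":
    for field_name, tags in build_inventory(SAMPLE_RECORDS).items():
        print(f"{field_name:15} {tags or '-'}")
    clean, hit = redact(SAMPLE_LOG)
    print(clean, hit)
```

The inventory output is a starting point for the spreadsheet the post recommends, not a substitute for it: every field still needs a human decision, and the redaction filter should sit on the application side of any logging or analytics pipeline, before data leaves infrastructure covered by a BAA.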
Final Thought: HIPAA is About the Data
Too many startups think HIPAA is just a legal checkbox or hosting choice. In reality, HIPAA compliance starts with understanding what you're protecting, and that begins with the 18 identifiers above.
If you’re unsure whether a data point qualifies as PHI, assume it does until you can confidently rule it out.
Need Help? Security Ideals Has You Covered
At Security Ideals, we specialize in helping healthcare SaaS startups navigate HIPAA compliance from day one. Whether you're just getting started or preparing for enterprise sales, we offer:
- PHI Mapping + Data Flow Diagrams
- HIPAA Security and Privacy Policies
- Risk assessment
- Incident Response Training
- Vendor evaluations
- Pre-audit compliance checks
- Application penetration testing
- And Much More
We offer packages and services for every stage and every budget, from lean startups to scaling growth. If you're not sure where to start, let’s talk. We’ll help you move forward with clarity and confidence.

July 10, 2025