Is accession number+service (CPT code)+date of service considered PHI (protected health information) under HIPAA?

I've answered this myself months after asking here based on HIPAA law (see page 66 - section 164.514).

To summarize: accession numbers (a unique identifying number) should be removed when de-identifying clinical data before being used for research purposes. However, using accession numbers (without connecting to detailed patient data) for routine business purposes (in say generating doctor's overdue worklist) over unencrypted emails is probably fine, but the law is murky enough that you may want to avoid doing anyway.

An accession number on its own is a meaningless 6-10 digit number tied to each service done at some specific hospital. Without having access to that hospital's specific database that ties accession numbers to a specific service done on a specific patient, you cannot identify a patient. You can easily argue in this sort of scenario, an accession # is not PHI and HIPAA specifically has an exception for experts determining that the risk that this number could be used to identify someone is negligible (as in this case).

However, if you are de-identifying clinical data (say an actual MRI scan or the detailed test outcome), it would be prudent to remove all accession numbers. This prevents someone from using the normal database system to see who is tied to an accession number, and then using the poorly de-identified data to get detailed records they couldn't otherwise get.