Quick summary
What PHI is: Any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates
Who it applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates
Why it matters for marketing: Marketing tools that collect or transmit PHI without a BAA create HIPAA compliance exposure
Protected health information is the category of data that sits at the center of almost every HIPAA compliance question in healthcare marketing. Understanding what PHI is – and equally, what it isn’t – determines which tools you can use, which vendors need a BAA, and how your analytics and campaign measurement need to be configured.
This guide covers the definition of PHI, all 18 HIPAA identifiers with practical marketing examples, the difference between PHI and PII, what de-identification means and when it applies, and how PHI shows up in digital marketing and analytics contexts.
Disclaimer: This page is for informational purposes and does not constitute legal advice. HIPAA requirements vary based on your specific situation. Consult qualified healthcare privacy counsel for guidance specific to your organization.
Table of contents
- What Is protected health information?
- PHI vs. ePHI: What is the difference?
- The 18 HIPAA identifiers
- When does data become PHI?
- PHI in digital marketing and analytics
- What is not PHI?
- De-identification: How it works and when to use it
- How to handle PHI in healthcare marketing
- Talk to someone who understands healthcare analytics compliance
- Frequently asked questions
What Is protected health information?
PHI is any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates. Three components have to be present at once for information to qualify.
The three components of PHI:
| Component | What it means | Example |
|---|---|---|
| Health information | Data relating to a person’s past, present, or future physical or mental health; the provision of healthcare; or payment for healthcare | A diagnosis, a prescription, an appointment, an insurance claim |
| Individually identifiable | The information identifies a specific person, or there is a reasonable basis to believe it could be used to identify them | A name, an ID number, an IP address linked to a patient visit |
| Covered entity context | The information is held or transmitted by a covered entity (or its business associate) | A hospital, a health plan, a healthcare clearinghouse, or a vendor acting on their behalf |
Drop any one of those three, and the data likely isn’t PHI. A hospital’s HR department tracking an employee’s sick leave, for example, isn’t handling PHI – that information is held in the entity’s capacity as an employer, not as a healthcare provider.

What is the formal HHS definition of PHI?
In plain terms: if information connects a specific person to anything health-related, and your organization is a covered entity or business associate, that information is likely PHI.
For reference, HHS defines protected health information formally as “information, including demographic data, that relates to:the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
PHI vs. PII: What is the difference?
What is personally identifiable information (PII)?
Personally identifiable information (PII) is any information that can be used to identify a specific individual – names, email addresses, phone numbers, IP addresses, device identifiers, and similar data. PII is not tied to any particular industry or regulation. It applies broadly across all sectors.
Unlike PHI, there is no single comprehensive federal law in the US that governs PII. Protections come from a patchwork of federal sector-specific laws and state laws, including those in California (CCPA/CPRA), Virginia, Colorado, and others.
What makes PHI different from PII?
PHI is a subset of PII – it’s PII that has been combined with health-related context, held by a covered entity. The key differences:
| PII | PHI | |
|---|---|---|
| Scope | Any data that identifies a person | Health information + identifier, held by a covered entity |
| Governing law | No single federal law; varies by state | HIPAA (federal) |
| Who it applies to | All organizations handling personal data | Healthcare providers, health plans, clearinghouses, and their business associates |
| Marketing implication | Governs general data collection and consent | Requires BAAs with vendors; specific safeguards; limits on use for marketing |
| Example | An email address in a retail CRM | That same email address linked to an appointment at a hospital |
Can the same data be both PII and PHI?
Yes, and often is. An IP address is PII everywhere. Captured by a hospital’s analytics tool during a visit to a patient portal or appointment page, that same IP address becomes PHI. Nothing about the data changed – only the context it’s sitting in.
That’s the detail that trips up teams moving from a non-healthcare background: information that’s routine in retail carries real HIPAA weight the moment it lands in a covered entity’s systems.
Read more: What is PII, non-PII, and personal data?
PHI vs. ePHI: What is the difference?
What is ePHI?
Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received in electronic form. It’s the same information as PHI – the “e” simply specifies the medium.
| PHI | ePHI | |
|---|---|---|
| Medium | Any form: paper, oral, electronic | Electronic only |
| Governing rule | HIPAA Privacy Rule | HIPAA Security Rule (in addition to Privacy Rule) |
| Examples | A paper patient record; a spoken diagnosis in a clinical setting | A digital patient record; an analytics event sent from a website; a form submission stored in a database |
| Safeguards required | Privacy Rule requirements | Both Privacy Rule and Security Rule requirements (encryption, access controls, audit logs) |
For marketing and analytics teams, almost everything you’re working with is ePHI, including:
- digital data generated through website interactions
- analytics platforms
- marketing automation tools
- CRM systems
That means the Security Rule’s technical safeguards – encryption, access controls, audit logs – apply to almost everything your team touches.
The 18 HIPAA identifiers
What are the 18 identifiers that make health information PHI?
The 18 identifiers below reflect the HIPAA Safe Harbor de-identification standard. It’s also possible to use the Expert Determination method. Under it, a qualified expert may conclude that certain information can be retained if the risk of re-identification is very small.
The question that matters for your team: does this identifier show up in your analytics data, your tracking setup, your CRM, or your campaign measurement?
| Identifier | Marketing context example |
|---|---|
| Names | Full name submitted in a patient intake form captured by analytics |
| Geographic data smaller than a state | ZIP code in a form field; city in analytics; precise geolocation from a mobile app |
| Dates (other than year) related to an individual | Appointment dates in URL parameters; date of birth in a registration form |
| Phone numbers | Contact number submitted on a healthcare landing page |
| Fax numbers | Less common in marketing, but present in some intake workflows |
| Email addresses | Emails collected via healthcare campaign lead forms; used in retargeting audiences |
| Social security numbers | Occasionally present in healthcare portal registration flows |
| Medical record numbers | May appear in patient portal URLs or API responses |
| Health plan beneficiary numbers | Present in portal authentication and insurance verification flows |
| Account numbers | Patient account identifiers in portal URLs or analytics custom dimensions |
| Certificate or license numbers | Less common in marketing contexts |
| Vehicle identifiers and serial numbers | Rare in marketing, but possible in mobile health app contexts |
| Device identifiers and serial numbers | Mobile device IDs used for cross-device tracking and advertising |
| Web URLs | Full page URLs containing health-related parameters (e.g., /schedule?condition=cardiology) |
| IP addresses | Captured by default by most analytics platforms; links users to health service visits |
| Biometric identifiers (fingerprints, voice prints) | Relevant for biometric authentication in patient portals |
| Full-face photographs | Patient photos in clinical portals |
| Any other unique identifying number or code | Custom user IDs, session tokens, cookie IDs linked to health activity |
Are all 18 identifiers always PHI?
No – and this is an important distinction. An email address in isolation is PII, not PHI. An email address in a covered entity’s database, linked to a patient’s health record, is PHI. A ZIP code alone is not PHI. A ZIP code in a covered entity’s analytics platform, associated with a visit to a cancer treatment page, may be PHI.
The identifier becomes PHI when you combine it with health information and held by a covered entity or business associate. Context determines classification.
When does data become PHI?
Data becomes PHI when three conditions align:
- It includes or can be linked to a person’s identity.
- It relates to health.
- It’s held by a covered entity or business associate.
Remove any one of those three conditions and the data may fall outside HIPAA’s definition of PHI.
Practical examples of when data does and doesn’t become PHI:
| Data | Context | PHI? | Why? |
|---|---|---|---|
Email address | In a retail company’s CRM | No | Not held by a covered entity |
| Email address | In a hospital’s marketing database, linked to a patient record | Yes | Covered entity + identifier + health context |
| IP address | On a general news website | No | No health context; not a covered entity |
| IP address | Captured by analytics on a hospital’s appointment scheduling page | Potentially yes | Covered entity + identifier + health-seeking behavior context |
| ZIP code | In a census database | No | Not individually identifiable on its own; not a covered entity |
| ZIP code | In a covered entity’s database, combined with a diagnosis | Yes | Identifier + health information + covered entity |
| Page URL /blog/what-is-diabetes | Viewed anonymously on an information site | No | Not individually identifiable |
| Page URL /portal/my-prescriptions | In a hospital’s authenticated analytics | Yes | Identifier (session) + health content + covered entity |
| Anonymous aggregate data (e.g., “3,400 users viewed this page”) | In any context | No | Not individually identifiable |
Does the user need to be logged in for data to be PHI?
Not necessarily. HHS’s 2022 guidance on tracking technologies clarified that PHI can arise even on unauthenticated pages when the combination of data – IP address, page content, referring URL – reveals health-related activity by an identifiable person. However, the June 2024 court ruling (discussed below) drew back some of that guidance specifically regarding IP addresses on unauthenticated pages.
PHI in digital marketing and analytics
Where does PHI appear in a typical healthcare marketing setup?
Healthcare marketing teams work with tools that weren’t designed with HIPAA in mind. Most standard analytics and advertising platforms collect data that becomes PHI in a healthcare context – often without anyone on the marketing team realizing it.
Common sources of PHI in healthcare marketing:
| Tool type | How PHI can enter | Risk level |
|---|---|---|
| Web analytics (e.g., Google Analytics) | Full page URLs including health parameters; IP addresses; session data on health pages | High |
| Advertising pixels (Meta, Google Ads) | URL data, user identifiers sent to ad platforms on health-related pages | High |
| Session recording tools | Screen captures in patient portals showing diagnoses, prescriptions, test results | High |
| CRM / marketing automation | Patient contact data linked to health conditions, appointment history, or treatment status | High |
| Email marketing platforms | Email addresses + campaign context (e.g., “Appointment Reminder – Oncology”) | Medium-High |
| Tag management (client-side) | Tags firing on post-login pages transmitting session data | High |
| A/B testing tools | Test variants on health intake forms may capture form field data | Medium |
| Heatmapping tools | Interaction data on health forms | Medium-High |
What is the 2024 court ruling on IP addresses and PHI?
In June 2024, a federal judge ruled in favor of the American Hospital Association (AHA), vacating the part of HHS’s December 2022 tracking technology bulletin that stated IP addresses on unauthenticated pages constitute PHI. The court found that HHS had overstepped its authority in that specific interpretation.
What the ruling changed – and what it didn’t:
| Area | Impact of ruling |
|---|---|
| IP addresses on unauthenticated pages | Ruling vacated the HHS position that these automatically constitute PHI |
| Patient portals and authenticated areas | Not affected – PHI requirements still apply fully |
| Other parts of the 2022 HHS bulletin | Still in effect – only the IP address/unauthenticated page section was vacated |
| BAA requirements for analytics vendors | Not changed – if your analytics tool processes any PHI, a BAA is still required |
| Overall HIPAA obligations | Unchanged – PHI definitions under the Privacy Rule remain the same |
The practical takeaway: the ruling reduced some of the uncertainty around unauthenticated marketing pages, but didn’t change the fundamental compliance picture for authenticated healthcare environments. Rather than relying on the boundaries of any particular ruling, implementing a HIPAA-compliant analytics setup is the more defensible approach.
Does using Google Analytics on a healthcare website violate HIPAA?
On patient portals, appointment schedulers, symptom checkers, and other pages where PHI is or could be present – yes, in most configurations. Google Analytics wasn’t built with healthcare or HIPAA in mind: it doesn’t offer a BAA for standard use, and its terms of service explicitly prohibit PHI.
When GA4 captures URLs with health-related parameters, or session data from authenticated areas, and sends that to Google’s servers without a BAA, that’s an impermissible disclosure of PHI. The tool simply wasn’t designed to handle this kind of data safely.
On general informational pages with no PHI and no health-related URL parameters, the risk is lower, but still remains. The 2024 court ruling only addressed unauthenticated pages and IP addresses. It didn’t touch the other ways general-purpose analytics tools can pick up health-related data.
Some teams work around this by removing identifiers and scrubbing URLs until GA4 no longer touches PHI. That reduces risk, but it also strips out the attribution, session data, and campaign insights that made the tool worth using. A platform built for healthcare from the start lets you keep that data instead of giving it up.
Read more: Is Google Analytics HIPAA-compliant?

HEALTHCARE WEBSITE TRACKING REPORT 2026
Are healthcare companies one audit away from a compliance crisis?
A research-backed analysis of tracking practices across 59 US healthcare websites – and what organizations should do about it.
What is not PHI?
What data is explicitly excluded from the PHI definition?
Not everything a healthcare organization holds is PHI. HIPAA carves out several specific categories:
| Excluded category | Why it’s excluded | Example |
|---|---|---|
| Employment records | Held by a covered entity in its capacity as an employer, not as a healthcare provider | An employee’s sick leave record maintained by hospital HR |
| Education records | Protected under FERPA rather than HIPAA | Student health records at a university |
| De-identified health information | Properly de-identified data is no longer individually identifiable | Aggregate website analytics with all 18 identifiers removed |
| Health information of deceased persons | HIPAA protections extend 50 years after death, but some exclusions apply | Historical records used in research after the 50-year period |
Can de-identified data be used for marketing?
Yes – properly de-identified data is no longer PHI under HIPAA and can be used without the standard HIPAA restrictions. This opens up options for analytics and research that would otherwise require full HIPAA safeguards. The catch is that according to the Safe Harbour method, genuine de-identification requires removing all 18 identifiers and confirming no residual re-identification risk. This is more complex than simply removing a name from a record.
Alternatively, HIPAA permits the expert determination method (a qualified expert concludes that the risk of re-identification is very small)
De-identification: How it works and when to use it
What does it mean to de-identify PHI?
De-identification means removing or transforming identifying elements from health data so that individuals cannot be identified. It can be done either from the data itself or in combination with other available information. Data that meets HIPAA’s de-identification standard is no longer PHI and is exempt from most HIPAA requirements.
There are two recognized methods under HIPAA:
| Method | How it works | Best for | Limitations |
|---|---|---|---|
| Safe Harbor | Remove all 18 specified identifiers from the dataset; confirm no other identifying information remains | Straightforward compliance; lower-risk data sharing | Removes granular data (dates, specific locations); reduces analytical value |
| Expert Determination | A qualified statistical expert assesses that the risk of re-identification is “very small”; documents the methodology | Research and analytics requiring more granular data (month-level dates, regional geography) | Requires specialist expertise; ongoing governance; more costly |
What does the Safe Harbor method require in practice?
Safe Harbor requires the removal of all 18 HIPAA identifiers from the dataset. For a marketing analytics context, that means removing details such as:
- Names
- Email addresses
- Phone numbers
- IP addresses
- Device identifiers
- Dates more specific than year
- Geographic data smaller than state level
- Any other identifier from the list
After removal, the covered entity must have “no actual knowledge” that the remaining data could be used to identify an individual.
What you lose with Safe Harbor:
- Individual-level user journeys
- Precise campaign attribution to specific patients
- Date-level behavioral analysis (only year-level data remains)
- Geographic analysis below state level
What remains possible:
- Aggregate campaign performance metrics
- Population-level health service usage trends
- Year-level cohort analysis
- State-level geographic reporting
What does Expert Determination allow?
Expert Determination is more flexible. A qualified expert applies statistical methods to confirm re-identification risk is “very small,” and can approve retaining more granular data like month-specific dates or regional geography. This is better suited to research, advanced analytics, or AI model training where Safe Harbor’s data removal would eliminate too much utility.
The expert’s methodology and findings must be documented and retained by the covered entity.
How to handle PHI in healthcare marketing
What do healthcare marketers need to do differently because of PHI?
If PHI touches your marketing stack, three things are non-negotiable:
- HIPAA-compliant infrastructure
- Documented safeguards
- A BAA with every vendor involved
In practice, that means several specific things:
1. Know which tools handle PHI
Before deploying any marketing or analytics tool on a patient-facing property, confirm whether PHI will pass through it. The answer determines whether you need a BAA and what configuration controls are required.
2. Get BAAs in place before data flows
A BAA must be signed before a vendor receives any PHI, including during trials or demos. No BAA means any PHI transmitted to that vendor is an impermissible disclosure.
3. Configure tools so they collect less, not more
Even with a compliant analytics platform and a BAA in place, configuration matters. Limiting the volume of PHI your analytics setup processes reduces your compliance burden under the Minimum Necessary Rule.
4. Get authorization before using PHI for marketing
Using PHI for marketing purposes – anything beyond essential healthcare communications – generally requires written patient authorization. Appointment reminders and treatment follow-ups fall under permitted communications. Promotional campaigns targeting patients based on their health conditions require explicit authorization.
5. Audit regularly, don’t assume
What data is actually flowing through your analytics and marketing tools? This is worth verifying rather than assuming. URL audit tools, tag checkers, and data export reviews regularly surface inadvertent PHI collection that wasn’t visible in the original tool configuration.

SUCCESS STORY
How Shepherd Center gained HIPAA compliance and full visibility into patient acquisition
Shepherd Center replaced Google Analytics with Piwik PRO to close compliance gaps and get a complete picture of patient acquisition – resulting in a 40% rise in online patient referrals and a 215% increase in page views.
Talk to someone who understands healthcare analytics compliance
PHI compliance in analytics is genuinely complex, and the right setup depends on your specific tools, patient-facing properties, and data flows. Whether you’re evaluating your current analytics setup, replacing a non-compliant tool, or figuring out what a BAA-backed implementation looks like for your organization, we’re here to help.
Piwik PRO is the only analytics platform built for healthcare from the ground up, not adapted to fit it later. You choose how granular your data collection is: sign a BAA and safely collect PHI or de-identify your data if that’s the better fit for your organization. Either way, you get a platform your marketing team can onboard onto quickly and run independently.
Frequently asked questions
What is the simplest definition of PHI?
PHI is health information that can identify a specific person, held by a healthcare organization or a vendor working on their behalf. If data connects a person to anything related to their health condition, treatment, or payment for healthcare – and your organization is a covered entity under HIPAA – that data is PHI.
Is an IP address always PHI in a healthcare context?
Not automatically. A June 2024 federal court ruling vacated HHS’s position that IP addresses on unauthenticated pages automatically constitute PHI. However, IP addresses in authenticated sessions, patient portals, or other areas where PHI is present are still treated as PHI. The ruling reduced ambiguity around unauthenticated marketing pages but didn’t change the underlying HIPAA framework.
What is the difference between PHI and ePHI?
PHI refers to protected health information in any form – paper, oral, or electronic. ePHI is the electronic subset: PHI that is created, stored, transmitted, or received digitally. For marketing and analytics teams, almost everything they work with is ePHI and subject to the HIPAA Security Rule’s technical safeguard requirements.
Does HIPAA apply to apps and mobile data?
Yes. Mobile health apps operated by covered entities or their business associates handle ePHI. This includes push notifications (which should not contain PHI in notification text), in-app analytics, and data stored on device. Mobile device identifiers (identifier 13 in the 18-identifier list) are specifically listed as a PHI category.
Can I use patient data for retargeting campaigns?
Not without patient authorization. Using PHI for marketing – defined under HIPAA as communications that encourage the purchase or use of a product or service – requires written patient authorization in most cases. Major advertising platforms (Meta, Google, LinkedIn) don’t sign BAAs, making them unsuitable for campaigns using PHI-based audiences.
What is the Minimum Necessary Rule and how does it apply to analytics?
The Minimum Necessary Rule requires covered entities to collect and use only the minimum amount of PHI needed to accomplish a stated purpose. For analytics, this means documenting why each PHI data point is collected, implementing technical controls to prevent collecting more than documented, and reviewing collection practices regularly. Inadvertent over-collection – even if accidental – can create compliance exposure.
Does de-identification eliminate all HIPAA obligations?
Yes, for the de-identified data itself. Properly de-identified data is no longer PHI and falls outside HIPAA’s Privacy, Security, and Breach Notification Rules. This enables analytics and research use cases that would otherwise require full safeguards. The caveat: de-identification must genuinely meet either Safe Harbor or Expert Determination standards – removing just names and obvious identifiers isn’t sufficient.
What happens when a business associate mishandles PHI?
Under HITECH (which amended HIPAA in 2009), business associates are directly liable for HIPAA provisions that apply to them – they can be investigated and fined by HHS OCR independently. A covered entity that has a BAA in place and the business associate then mishandles PHI in violation of the BAA may have reduced liability, but both parties are subject to the HIPAA framework.
Are wearable devices and health app data covered by HIPAA?
It depends. If the data is collected by a HIPAA-covered entity or its business associate as part of providing healthcare, it’s PHI. Data collected by a wellness app or wearable operated by a consumer-facing technology company – not a covered entity – may not be PHI under HIPAA, though it may fall under other privacy laws (FTC Act, state laws). The distinction matters for marketing teams working with patient engagement platforms.
