What is protected health information (PHI)? A guide for healthcare marketers

Written by

Published July 08, 2026

Quick summary

What PHI is: Any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates

Who it applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates

Why it matters for marketing: Marketing tools that collect or transmit PHI without a BAA create HIPAA compliance exposure

Protected health information is the category of data that sits at the center of almost every HIPAA compliance question in healthcare marketing. Understanding what PHI is – and equally, what it isn’t – determines which tools you can use, which vendors need a BAA, and how your analytics and campaign measurement need to be configured.

This guide covers the definition of PHI, all 18 HIPAA identifiers with practical marketing examples, the difference between PHI and PII, what de-identification means and when it applies, and how PHI shows up in digital marketing and analytics contexts.

Disclaimer: This page is for informational purposes and does not constitute legal advice. HIPAA requirements vary based on your specific situation. Consult qualified healthcare privacy counsel for guidance specific to your organization.

What Is protected health information? 

PHI is any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates. Three components have to be present at once for information to qualify.

The three components of PHI:

ComponentWhat it meansExample
Health informationData relating to a person’s past, present, or future physical or mental health; the provision of healthcare; or payment for healthcareA diagnosis, a prescription, an appointment, an insurance claim
Individually identifiableThe information identifies a specific person, or there is a reasonable basis to believe it could be used to identify themA name, an ID number, an IP address linked to a patient visit
Covered entity contextThe information is held or transmitted by a covered entity (or its business associate)A hospital, a health plan, a healthcare clearinghouse, or a vendor acting on their behalf

Drop any one of those three, and the data likely isn’t PHI. A hospital’s HR department tracking an employee’s sick leave, for example, isn’t handling PHI – that information is held in the entity’s capacity as an employer, not as a healthcare provider.

What is the formal HHS definition of PHI?

In plain terms: if information connects a specific person to anything health-related, and your organization is a covered entity or business associate, that information is likely PHI.

For reference, HHS defines protected health information formally as “information, including demographic data, that relates to:the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

PHI vs. PII: What is the difference?

What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that can be used to identify a specific individual – names, email addresses, phone numbers, IP addresses, device identifiers, and similar data. PII is not tied to any particular industry or regulation. It applies broadly across all sectors.

Unlike PHI, there is no single comprehensive federal law in the US that governs PII. Protections come from a patchwork of federal sector-specific laws and state laws, including those in California (CCPA/CPRA), Virginia, Colorado, and others.

What makes PHI different from PII?

PHI is a subset of PII – it’s PII that has been combined with health-related context, held by a covered entity. The key differences:

PIIPHI
ScopeAny data that identifies a personHealth information + identifier, held by a covered entity
Governing lawNo single federal law; varies by stateHIPAA (federal)
Who it applies toAll organizations handling personal dataHealthcare providers, health plans, clearinghouses, and their business associates
Marketing implicationGoverns general data collection and consentRequires BAAs with vendors; specific safeguards; limits on use for marketing
ExampleAn email address in a retail CRMThat same email address linked to an appointment at a hospital

Can the same data be both PII and PHI?

Yes, and often is. An IP address is PII everywhere. Captured by a hospital’s analytics tool during a visit to a patient portal or appointment page, that same IP address becomes PHI. Nothing about the data changed – only the context it’s sitting in.

That’s the detail that trips up teams moving from a non-healthcare background: information that’s routine in retail carries real HIPAA weight the moment it lands in a covered entity’s systems.

PHI vs. ePHI: What is the difference?

What is ePHI?

Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received in electronic form. It’s the same information as PHI – the “e” simply specifies the medium.

PHIePHI
MediumAny form: paper, oral, electronicElectronic only
Governing ruleHIPAA Privacy RuleHIPAA Security Rule (in addition to Privacy Rule)
ExamplesA paper patient record; a spoken diagnosis in a clinical settingA digital patient record; an analytics event sent from a website; a form submission stored in a database
Safeguards requiredPrivacy Rule requirements
Both Privacy Rule and Security Rule requirements (encryption, access controls, audit logs)

For marketing and analytics teams, almost everything you’re working with is ePHI, including:

  • digital data generated through website interactions
  • analytics platforms
  • marketing automation tools
  • CRM systems

That means the Security Rule’s technical safeguards – encryption, access controls, audit logs – apply to almost everything your team touches.

The 18 HIPAA identifiers

What are the 18 identifiers that make health information PHI?

The 18 identifiers below reflect the HIPAA Safe Harbor de-identification standard. It’s also possible to use the Expert Determination method. Under it, a qualified expert may conclude that certain information can be retained if the risk of re-identification is very small.

The question that matters for your team: does this identifier show up in your analytics data, your tracking setup, your CRM, or your campaign measurement?

IdentifierMarketing context example
NamesFull name submitted in a patient intake form captured by analytics
Geographic data smaller than a stateZIP code in a form field; city in analytics; precise geolocation from a mobile app
Dates (other than year) related to an individualAppointment dates in URL parameters; date of birth in a registration form
Phone numbersContact number submitted on a healthcare landing page
Fax numbersLess common in marketing, but present in some intake workflows
Email addressesEmails collected via healthcare campaign lead forms; used in retargeting audiences
Social security numbersOccasionally present in healthcare portal registration flows
Medical record numbersMay appear in patient portal URLs or API responses
Health plan beneficiary numbersPresent in portal authentication and insurance verification flows
Account numbersPatient account identifiers in portal URLs or analytics custom dimensions
Certificate or license numbersLess common in marketing contexts
Vehicle identifiers and serial numbersRare in marketing, but possible in mobile health app contexts
Device identifiers and serial numbersMobile device IDs used for cross-device tracking and advertising
Web URLsFull page URLs containing health-related parameters (e.g., /schedule?condition=cardiology)
IP addressesCaptured by default by most analytics platforms; links users to health service visits
Biometric identifiers (fingerprints, voice prints)Relevant for biometric authentication in patient portals
Full-face photographsPatient photos in clinical portals
Any other unique identifying number or codeCustom user IDs, session tokens, cookie IDs linked to health activity

Are all 18 identifiers always PHI?

No – and this is an important distinction. An email address in isolation is PII, not PHI. An email address in a covered entity’s database, linked to a patient’s health record, is PHI. A ZIP code alone is not PHI. A ZIP code in a covered entity’s analytics platform, associated with a visit to a cancer treatment page, may be PHI.

The identifier becomes PHI when you combine it with health information and held by a covered entity or business associate. Context determines classification.

When does data become PHI?

Data becomes PHI when three conditions align:

  • It includes or can be linked to a person’s identity.
  • It relates to health.
  • It’s held by a covered entity or business associate.

Remove any one of those three conditions and the data may fall outside HIPAA’s definition of PHI.

Practical examples of when data does and doesn’t become PHI:

DataContextPHI?Why?

Email address

In a retail company’s CRM

No

Not held by a covered entity
Email address
In a hospital’s marketing database, linked to a patient record
Yes
Covered entity + identifier + health context
IP address
On a general news website

No

No health context; not a covered entity
IP address
Captured by analytics on a hospital’s appointment scheduling page
Potentially yes
Covered entity + identifier + health-seeking behavior context
ZIP code
In a census database

No

Not individually identifiable on its own; not a covered entity
ZIP code
In a covered entity’s database, combined with a diagnosis
Yes
Identifier + health information + covered entity
Page URL /blog/what-is-diabetes
Viewed anonymously on an information site

No

Not individually identifiable
Page URL /portal/my-prescriptions
In a hospital’s authenticated analytics
Yes
Identifier (session) + health content + covered entity
Anonymous aggregate data (e.g., “3,400 users viewed this page”)
In any context

No

Not individually identifiable

Does the user need to be logged in for data to be PHI?

Not necessarily. HHS’s 2022 guidance on tracking technologies clarified that PHI can arise even on unauthenticated pages when the combination of data – IP address, page content, referring URL – reveals health-related activity by an identifiable person. However, the June 2024 court ruling (discussed below) drew back some of that guidance specifically regarding IP addresses on unauthenticated pages.

PHI in digital marketing and analytics

Where does PHI appear in a typical healthcare marketing setup?

Healthcare marketing teams work with tools that weren’t designed with HIPAA in mind. Most standard analytics and advertising platforms collect data that becomes PHI in a healthcare context – often without anyone on the marketing team realizing it.

Common sources of PHI in healthcare marketing:

Tool typeHow PHI can enterRisk level
Web analytics (e.g., Google Analytics)Full page URLs including health parameters; IP addresses; session data on health pages High
Advertising pixels (Meta, Google Ads)URL data, user identifiers sent to ad platforms on health-related pagesHigh
Session recording toolsScreen captures in patient portals showing diagnoses, prescriptions, test resultsHigh
CRM / marketing automationPatient contact data linked to health conditions, appointment history, or treatment statusHigh
Email marketing platformsEmail addresses + campaign context (e.g., “Appointment Reminder – Oncology”)
Medium-High
Tag management (client-side)Tags firing on post-login pages transmitting session dataHigh
A/B testing toolsTest variants on health intake forms may capture form field dataMedium
Heatmapping toolsInteraction data on health forms
Medium-High

What is the 2024 court ruling on IP addresses and PHI?

In June 2024, a federal judge ruled in favor of the American Hospital Association (AHA), vacating the part of HHS’s December 2022 tracking technology bulletin that stated IP addresses on unauthenticated pages constitute PHI. The court found that HHS had overstepped its authority in that specific interpretation.

What the ruling changed – and what it didn’t:

AreaImpact of ruling
IP addresses on unauthenticated pagesRuling vacated the HHS position that these automatically constitute PHI
Patient portals and authenticated areasNot affected – PHI requirements still apply fully
Other parts of the 2022 HHS bulletinStill in effect – only the IP address/unauthenticated page section was vacated
BAA requirements for analytics vendorsNot changed – if your analytics tool processes any PHI, a BAA is still required
Overall HIPAA obligationsUnchanged – PHI definitions under the Privacy Rule remain the same

The practical takeaway: the ruling reduced some of the uncertainty around unauthenticated marketing pages, but didn’t change the fundamental compliance picture for authenticated healthcare environments. Rather than relying on the boundaries of any particular ruling, implementing a HIPAA-compliant analytics setup is the more defensible approach.

Does using Google Analytics on a healthcare website violate HIPAA?

On patient portals, appointment schedulers, symptom checkers, and other pages where PHI is or could be present – yes, in most configurations. Google Analytics wasn’t built with healthcare or HIPAA in mind: it doesn’t offer a BAA for standard use, and its terms of service explicitly prohibit PHI.

When GA4 captures URLs with health-related parameters, or session data from authenticated areas, and sends that to Google’s servers without a BAA, that’s an impermissible disclosure of PHI. The tool simply wasn’t designed to handle this kind of data safely.

On general informational pages with no PHI and no health-related URL parameters, the risk is lower, but still remains. The 2024 court ruling only addressed unauthenticated pages and IP addresses. It didn’t touch the other ways general-purpose analytics tools can pick up health-related data.

Some teams work around this by removing identifiers and scrubbing URLs until GA4 no longer touches PHI. That reduces risk, but it also strips out the attribution, session data, and campaign insights that made the tool worth using. A platform built for healthcare from the start lets you keep that data instead of giving it up.

HEALTHCARE WEBSITE TRACKING REPORT 2026

Are healthcare companies one audit away from a compliance crisis?

A research-backed analysis of tracking practices across 59 US healthcare websites – and what organizations should do about it.

What is not PHI?

What data is explicitly excluded from the PHI definition?

Not everything a healthcare organization holds is PHI. HIPAA carves out several specific categories:

Excluded categoryWhy it’s excludedExample
Employment recordsHeld by a covered entity in its capacity as an employer, not as a healthcare providerAn employee’s sick leave record maintained by hospital HR
Education recordsProtected under FERPA rather than HIPAAStudent health records at a university
De-identified health informationProperly de-identified data is no longer individually identifiableAggregate website analytics with all 18 identifiers removed
Health information of deceased personsHIPAA protections extend 50 years after death, but some exclusions applyHistorical records used in research after the 50-year period

Can de-identified data be used for marketing?

Yes – properly de-identified data is no longer PHI under HIPAA and can be used without the standard HIPAA restrictions. This opens up options for analytics and research that would otherwise require full HIPAA safeguards. The catch is that according to the Safe Harbour method, genuine de-identification requires removing all 18 identifiers and confirming no residual re-identification risk. This is more complex than simply removing a name from a record.

Alternatively, HIPAA permits the expert determination method (a qualified expert concludes that the risk of re-identification is very small)

De-identification: How it works and when to use it

What does it mean to de-identify PHI?

De-identification means removing or transforming identifying elements from health data so that individuals cannot be identified. It can be done either from the data itself or in combination with other available information. Data that meets HIPAA’s de-identification standard is no longer PHI and is exempt from most HIPAA requirements.

There are two recognized methods under HIPAA:

MethodHow it worksBest forLimitations
Safe HarborRemove all 18 specified identifiers from the dataset; confirm no other identifying information remainsStraightforward compliance; lower-risk data sharingRemoves granular data (dates, specific locations); reduces analytical value
Expert DeterminationA qualified statistical expert assesses that the risk of re-identification is “very small”; documents the methodologyResearch and analytics requiring more granular data (month-level dates, regional geography)Requires specialist expertise; ongoing governance; more costly

What does the Safe Harbor method require in practice?

Safe Harbor requires the removal of all 18 HIPAA identifiers from the dataset. For a marketing analytics context, that means removing details such as:

  • Names
  • Email addresses
  • Phone numbers
  • IP addresses
  • Device identifiers
  • Dates more specific than year
  • Geographic data smaller than state level
  • Any other identifier from the list

After removal, the covered entity must have “no actual knowledge” that the remaining data could be used to identify an individual.

What you lose with Safe Harbor:

  • Individual-level user journeys
  • Precise campaign attribution to specific patients
  • Date-level behavioral analysis (only year-level data remains)
  • Geographic analysis below state level

What remains possible:

  • Aggregate campaign performance metrics
  • Population-level health service usage trends
  • Year-level cohort analysis
  • State-level geographic reporting

What does Expert Determination allow?

Expert Determination is more flexible. A qualified expert applies statistical methods to confirm re-identification risk is “very small,” and can approve retaining more granular data like month-specific dates or regional geography. This is better suited to research, advanced analytics, or AI model training where Safe Harbor’s data removal would eliminate too much utility.

The expert’s methodology and findings must be documented and retained by the covered entity.

How to handle PHI in healthcare marketing

What do healthcare marketers need to do differently because of PHI?

If PHI touches your marketing stack, three things are non-negotiable:

  • HIPAA-compliant infrastructure
  • Documented safeguards
  • A BAA with every vendor involved

In practice, that means several specific things:

1. Know which tools handle PHI
Before deploying any marketing or analytics tool on a patient-facing property, confirm whether PHI will pass through it. The answer determines whether you need a BAA and what configuration controls are required.

2. Get BAAs in place before data flows
A BAA must be signed before a vendor receives any PHI, including during trials or demos. No BAA means any PHI transmitted to that vendor is an impermissible disclosure.

3. Configure tools so they collect less, not more
Even with a compliant analytics platform and a BAA in place, configuration matters. Limiting the volume of PHI your analytics setup processes reduces your compliance burden under the Minimum Necessary Rule.

4. Get authorization before using PHI for marketing
Using PHI for marketing purposes – anything beyond essential healthcare communications – generally requires written patient authorization. Appointment reminders and treatment follow-ups fall under permitted communications. Promotional campaigns targeting patients based on their health conditions require explicit authorization.

5. Audit regularly, don’t assume
What data is actually flowing through your analytics and marketing tools? This is worth verifying rather than assuming. URL audit tools, tag checkers, and data export reviews regularly surface inadvertent PHI collection that wasn’t visible in the original tool configuration.

SUCCESS STORY

How Shepherd Center gained HIPAA compliance and full visibility into patient acquisition

Shepherd Center replaced Google Analytics with Piwik PRO to close compliance gaps and get a complete picture of patient acquisition – resulting in a 40% rise in online patient referrals and a 215% increase in page views.

Talk to someone who understands healthcare analytics compliance

PHI compliance in analytics is genuinely complex, and the right setup depends on your specific tools, patient-facing properties, and data flows. Whether you’re evaluating your current analytics setup, replacing a non-compliant tool, or figuring out what a BAA-backed implementation looks like for your organization, we’re here to help.

Piwik PRO is the only analytics platform built for healthcare from the ground up, not adapted to fit it later. You choose how granular your data collection is: sign a BAA and safely collect PHI or de-identify your data if that’s the better fit for your organization. Either way, you get a platform your marketing team can onboard onto quickly and run independently.


Frequently asked questions

What is the simplest definition of PHI?
PHI is health information that can identify a specific person, held by a healthcare organization or a vendor working on their behalf. If data connects a person to anything related to their health condition, treatment, or payment for healthcare – and your organization is a covered entity under HIPAA – that data is PHI.

Is an IP address always PHI in a healthcare context?
Not automatically. A June 2024 federal court ruling vacated HHS’s position that IP addresses on unauthenticated pages automatically constitute PHI. However, IP addresses in authenticated sessions, patient portals, or other areas where PHI is present are still treated as PHI. The ruling reduced ambiguity around unauthenticated marketing pages but didn’t change the underlying HIPAA framework.

What is the difference between PHI and ePHI?
PHI refers to protected health information in any form – paper, oral, or electronic. ePHI is the electronic subset: PHI that is created, stored, transmitted, or received digitally. For marketing and analytics teams, almost everything they work with is ePHI and subject to the HIPAA Security Rule’s technical safeguard requirements.

Does HIPAA apply to apps and mobile data?
Yes. Mobile health apps operated by covered entities or their business associates handle ePHI. This includes push notifications (which should not contain PHI in notification text), in-app analytics, and data stored on device. Mobile device identifiers (identifier 13 in the 18-identifier list) are specifically listed as a PHI category.

Can I use patient data for retargeting campaigns?
Not without patient authorization. Using PHI for marketing – defined under HIPAA as communications that encourage the purchase or use of a product or service – requires written patient authorization in most cases. Major advertising platforms (Meta, Google, LinkedIn) don’t sign BAAs, making them unsuitable for campaigns using PHI-based audiences.

What is the Minimum Necessary Rule and how does it apply to analytics?
The Minimum Necessary Rule requires covered entities to collect and use only the minimum amount of PHI needed to accomplish a stated purpose. For analytics, this means documenting why each PHI data point is collected, implementing technical controls to prevent collecting more than documented, and reviewing collection practices regularly. Inadvertent over-collection – even if accidental – can create compliance exposure.

Does de-identification eliminate all HIPAA obligations?
Yes, for the de-identified data itself. Properly de-identified data is no longer PHI and falls outside HIPAA’s Privacy, Security, and Breach Notification Rules. This enables analytics and research use cases that would otherwise require full safeguards. The caveat: de-identification must genuinely meet either Safe Harbor or Expert Determination standards – removing just names and obvious identifiers isn’t sufficient.

What happens when a business associate mishandles PHI?
Under HITECH (which amended HIPAA in 2009), business associates are directly liable for HIPAA provisions that apply to them – they can be investigated and fined by HHS OCR independently. A covered entity that has a BAA in place and the business associate then mishandles PHI in violation of the BAA may have reduced liability, but both parties are subject to the HIPAA framework.

Are wearable devices and health app data covered by HIPAA?
It depends. If the data is collected by a HIPAA-covered entity or its business associate as part of providing healthcare, it’s PHI. Data collected by a wellness app or wearable operated by a consumer-facing technology company – not a covered entity – may not be PHI under HIPAA, though it may fall under other privacy laws (FTC Act, state laws). The distinction matters for marketing teams working with patient engagement platforms.