Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.
While personally identifiable information (PII) is a catch-all term for any information that can be associated with an individual, protected health information (PHI) is narrower: identifiable health information that is created, received, maintained, or transmitted by HIPAA-covered entities and their business associates.
Healthcare organizations handling patient data must distinguish between PII and PHI to maintain HIPAA compliance. This distinction directly impacts your analytics setup, marketing campaigns, and vendor relationships. This guide explains the practical differences and compliance requirements for healthcare marketing.
PHI vs PII
What is personally identifiable information (PII)
Personally identifiable information (PII) includes any information that identifies, links, or relates to an individual – from names and addresses to device IDs and cookies. The definition isn’t tied to a specific context – medical, educational, employment and financial information are all PII.
However, the distinction between PII and other types of information is not always clear. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.
US government agencies and non-governmental organizations often reference PII. Currently, despite ongoing discussions and proposals, there is no comprehensive federal legislation in the US that protects PII. Various state laws have been enacted to address data privacy, such as those in Delaware, Iowa, Maryland, and Tennessee, which are taking effect in 2025.
For healthcare marketers, PII becomes relevant when combined with health-related context. A visitor’s IP address on your homepage is PII; that same IP address on your ‘Schedule cancer treatment’ page may be PHI.
What is protected health information (PHI)
Protected health information (PHI) is the subset of PII that HIPAA governs: individually identifiable health information that a HIPAA-covered entity (or a business associate working on its behalf) creates, receives, maintains, or transmits.
What are HIPAA-covered entities?
Covered entities include health plans, healthcare clearinghouses, and healthcare providers as defined in the HIPAA Privacy Rule.
HIPAA’s Safe Harbor de-identification standard lists 18 identifiers, including names, geographic subdivisions smaller than a state, dates other than the year, phone numbers, email addresses, medical record numbers, device identifiers, IP addresses, and URLs. Health information that contains any of these, or that can otherwise reasonably be linked to an individual, is PHI and triggers HIPAA requirements.
As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. However, if this data is connected to details about a health condition, treatment plan, or other specific health information, it would transform from PII to PHI.
HHS’s December 2022 bulletin initially stated that IP addresses combined with health-related page visits constitute PHI, even without authenticated sessions. The March 2024 update attempted to clarify this using “user intent” standards (job postings = non-PHI vs. cancer care pages = potential PHI), but implementation remained impractical.
In June 2024, a federal judge ruled that HHS had overstepped its authority by expanding the definition of PHI to cover IP addresses combined with visits to unauthenticated, health-related web pages. HHS did not pursue an appeal. However, the ruling only vacated that specific combination – other parts of the guidance remain in effect, including its treatment of patient portals and other authenticated pages.
Practical takeaway: Rather than relying on gray-area interpretations, healthcare organizations should implement HIPAA-compliant analytics that can securely handle PHI.
Penalties for PHI breaches
HIPAA’s Breach Notification Rule governs breaches of unsecured PHI, and the Enforcement Rule sets the penalties. HIPAA penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and the business associates that handle PHI on their behalf.
Civil violations fall into four tiers based on culpability. By statute, per-violation penalties start at $100 for the lowest tier and reach $50,000 for the highest, subject to annual caps and yearly inflation adjustment. Knowingly obtaining or disclosing PHI in violation of HIPAA can additionally bring criminal fines and imprisonment.
Covered entities must also follow breach notification requirements, which include:
- Notify affected individuals in writing without unreasonable delay and no later than 60 days after the breach is discovered
- Notify HHS within 60 days of discovery if 500 or more individuals are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year
- If the breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area
- If you lack current contact details for 10 or more affected individuals, provide substitute notice, for example a conspicuous posting on your website homepage for 90 days
- Check applicable state breach laws, which may add state agency notification and shorter deadlines
How to protect PHI in analytics
Securing PHI in your analytics setup requires an approach covering legal agreements, technical safeguards, and vendor partnerships.
1. Legal framework
- Sign business associate agreements (BAAs) with every vendor processing PHI
- Conduct risk analyses for all analytics and marketing platforms
- Implement breach notification procedures
2. Security Rule safeguards
- Deploy administrative safeguards (policies, training, incident response)
- Implement physical safeguards (facility access, device security, media disposal)
- Apply technical safeguards (encryption, access controls, audit logs)
3. Vendor selection
- Choose HIPAA-compliant platforms that sign BAAs
- Verify the vendor’s privacy-by-design approach
- If BAAs are unavailable, de-identify PHI using Safe Harbor or Expert Determination methods
It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage. I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.
Pat Barry
VP, Data & Analytics at SPM Marketing & Communications
Piwik PRO provides healthcare organizations with fully HIPAA-compliant analytics. Sign a BAA and securely collect and analyze PHI and ePHI to provide safer, more personalized patient experiences.
Learn more about HIPAA compliance with Piwik PRO.
HIPAA marketing compliance: Best practices
Data collected from marketing pages and used in retargeting campaigns may constitute PHI. The 18 HIPAA identifiers already include IP addresses, device identifiers, and URLs, so the user IDs, IPs, and page URLs that retargeting pixels collect become PHI as soon as a covered entity ties them to a health-related page visit.
Before launching HIPAA-compliant marketing campaigns, ensure you have explicit written authorization from patients to use their PHI for marketing purposes. Communications about a patient’s own care, such as appointment reminders or information about treatment alternatives, are generally not “marketing” under the Privacy Rule and need no authorization, unless a third party pays for them.
Some popular analytics platforms, including Google Analytics 4, don’t permit the use of PHI in their products. These platforms don’t offer BAAs and are not configured to support HIPAA compliance out of the box. Your safest choice would be to switch to a HIPAA-compliant analytics platform that signs a BAA and provides safeguards to protect PHI during data collection, processing, and transmission.
Building a HIPAA-compliant marketing stack
Create a marketing technology ecosystem that protects patient data while enabling personalization and campaign optimization through strategic platform selection and technical controls.
Data infrastructure:
- Use HIPAA-compliant CDPs to centralize first-party data across touchpoints
- Implement consent management platforms for preference tracking
- Deploy role-based access controls to limit PHI exposure
- Establish automated PHI retention and deletion policies
Patient communication:
- Communicate data collection practices transparently
- Explain how PHI sharing benefits the patient experience
- Maintain audit trails for all data access and changes
Technical implementation:
- Implement tag management with PHI filtering capabilities
- Use server-side tagging to scrub PHI before transmitting it to the vendor
Learn more about server-side tagging and tracking with Piwik PRO.
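The two technical recommendations above, Safe Harbor de-identification when no BAA is available and server-side scrubbing of PHI before an event reaches a vendor, are easiest to understand in code. The following is an added example written for this page; it is not Piwik PRO’s code and not the code of the consultant quoted above. The event field names, the sample event, and the pinned “today” date are assumptions constructed for the example. It applies the Safe Harbor rules that can be applied mechanically (ZIP truncation with the restricted prefixes set to 000, dates reduced to a year, ages over 89 collapsed to 90+, query strings and fragments stripped from URLs), forwards only an allowlist of fields, and refuses to forward an event if any remaining string still looks like an email address, phone number, IP address, or SSN.

```python
# Added example (not Piwik PRO's code, not the code of the consultant quoted
# above): a server-side tag scrubber that applies HIPAA Safe Harbor rules to
# an analytics event before it is forwarded to a vendor. Field names, the
# sample event and the pinned date are assumptions constructed for this example.
import re
from datetime import date
from urllib.parse import urlsplit, urlunsplit

# Constructed sample event, shaped like what a server-side tag container
# might receive from a browser SDK (not real data).
SAMPLE_EVENT = {
    "event": "page_view",
    "url": "https://clinic.example/oncology/schedule?patient_id=48213&email=jane%40example.com#step2",
    "ip": "203.0.113.42",
    "user_id": "crm-48213",
    "email": "jane@example.com",
    "zip": "03601",
    "dob": "1931-05-14",
    "referrer_host": "search.example",
}
FIXED_TODAY = date(2025, 6, 1)  # pinned so the age calculation is reproducible

# Three-digit ZIP prefixes that HHS's Safe Harbor guidance lists as covering
# 20,000 or fewer people (2000 census); Safe Harbor requires these to be
# reported as "000". Keep this set current with HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Only these keys ever leave the scrubber. IP, user/CRM ids, e-mail, phone
# and device ids are all HIPAA identifiers and are simply never copied over.
ALLOWED_OUTPUT = {"event", "url", "referrer_host", "zip3", "birth_year", "age_bucket"}

# Last-line check for identifiers that survived in string fields.
IDENTIFIER_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # e-mail address
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),  # US phone number
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),        # IPv4 address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN
]


def truncate_zip(zip_code):
    """Safe Harbor: keep only the first three digits of a ZIP code, and
    report restricted prefixes as '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_dob(dob, today=FIXED_TODAY):
    """Safe Harbor: keep only the year of a date, and collapse all ages over 89
    into one '90+' category (dropping the birth year, which would reveal it).
    Returns (birth_year, age_bucket)."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    if age > 89:
        return None, "90+"
    decade = age // 10 * 10
    return str(born.year), f"{decade}-{decade + 9}"


def strip_url(url):
    """Keep scheme, host and path; drop the query string and fragment, where
    patient ids, e-mail addresses and form state most often leak."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def leaks_identifier(value):
    return any(p.search(value) for p in IDENTIFIER_PATTERNS)


def scrub_event(event, today=FIXED_TODAY):
    """Build the outbound event from an allowlist, transform what is kept,
    and refuse to forward anything that still looks like an identifier."""
    out = {"event": event.get("event")}
    if event.get("url"):
        out["url"] = strip_url(event["url"])
    if event.get("referrer_host"):
        out["referrer_host"] = event["referrer_host"]
    if event.get("zip"):
        out["zip3"] = truncate_zip(event["zip"])
    if event.get("dob"):
        out["birth_year"], out["age_bucket"] = generalize_dob(event["dob"], today)
    out = {k: v for k, v in out.items() if k in ALLOWED_OUTPUT and v is not None}
    for key, value in out.items():
        if isinstance(value, str) and leaks_identifier(value):
            # Fail closed: better to lose one event than to disclose PHI.
            raise ValueError(f"refusing to forward {key}: identifier pattern found")
    return out


if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

Two design choices matter here. The scrubber is allowlist-based: a field that nobody has explicitly decided to forward is never forwarded, so a new SDK field cannot leak by default. And identifiers embedded in URL paths (for example a patient number as a path segment) are not covered by query-string stripping, which is why the final pattern check raises rather than silently forwarding; a real deployment would also add site-specific path rules and alert on rejected events.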
Final thoughts
Healthcare organizations face a choice: invest in HIPAA-compliant infrastructure or implement complex workarounds with mainstream platforms. A first-party data strategy built on BAA-supported vendors reduces compliance risk while improving patient trust and marketing performance.
Unlock better insights and stronger data control in healthcare
Talk to us about your HIPAA compliance needs or see Piwik PRO in action.
Frequently Asked Questions: PHI, PII, and HIPAA marketing
What’s the difference between PII and PHI?
Personally identifiable information (PII) is any data that identifies an individual – such as names, addresses, email addresses, and device IDs – and applies across all industries. Protected health information (PHI) is health information combined with HIPAA identifiers, applicable only to HIPAA-covered entities. Example: An email address is PII; that email linked to a patient’s appointment is PHI.
Do I need a BAA for Google Analytics?
Yes, if you’re sending PHI to Google Analytics, you need a business associate agreement (BAA). Google doesn’t offer BAAs for GA4, making it non-compliant for PHI. Your options include stripping all PHI before it reaches GA4 (a complex and risky approach), using only de-identified data, or switching to HIPAA-compliant platforms like Piwik PRO, Adobe Customer Journey Analytics, or Amplitude.
Can I use retargeting with PHI?
Retargeting with PHI requires written patient authorization and a BAA with your advertising platform. Major platforms (Meta, Google, LinkedIn Ads) don’t offer BAAs. Healthcare organizations should use de-identified audiences, contextual targeting, or HIPAA-compliant alternatives instead.
What happens if I accidentally send PHI to a vendor without a BAA?
Sending PHI to a vendor without a BAA is an impermissible disclosure, and it is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. A reportable breach requires written notice to the affected individuals within 60 days of discovery, notice to HHS within 60 days if 500 or more people are affected (smaller breaches are reported annually), and media notification if more than 500 residents of a state or jurisdiction are affected. Civil penalties range by statute from $100 to $50,000 per violation, adjusted for inflation and subject to annual caps, with potential criminal charges for knowing violations. Implement server-side tagging and choose BAA-supported vendors to prevent accidental disclosures.