PHI and PII: How they impact HIPAA compliance and your marketing strategy


Written by Aleksandra Szczepańska, Małgorzata Poddębniak

Published May 02, 2025


Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.


Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information.

Staying HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI, especially if they want to use such data to promote their services or improve the digital customer experience.

This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.

PHI vs PII

PII Defined

PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person. The definition of PII can vary depending on the context, such as specific federal or state laws or industry regulations.

Generally, PII refers to:

  • Full name
  • Home address
  • Email address
  • Social security number
  • Passport number
  • Driver’s license number
  • Credit card number
  • Date of birth
  • Telephone number
  • Owned properties, e.g., vehicle identification number (VIN)
  • Login details
  • Processor or device serial number
  • Media access control (MAC) address
  • Internet Protocol (IP) address
  • Device IDs
  • Cookies

US government agencies and non-governmental organizations often reference PII. Currently, despite ongoing discussions and proposals, there is no comprehensive federal legislation protecting personally identifiable information (PII) in the United States. Various state laws have been enacted to address data privacy, such as those in Delaware, Iowa, Maryland, and Tennessee, which are taking effect in 2025. Also, there are specific federal regulations and laws, like the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), that focus on restricting the sale of sensitive data to certain foreign entities.

The National Institute of Standards and Technology (NIST) provides guidelines on the concept of PII, though they are not legally binding unless specifically referenced in a regulation. NIST’s definition of PII reads:

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.


What is PHI in healthcare?

Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

The definition of protected health information is broad. PHI and electronic protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.

Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

What are HIPAA-covered entities?

Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
  3. Dates, including birthdate, admission date, discharge date, and date of death
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary numbers
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers and serial numbers, including license plate number
  13. Device identifiers and serial numbers
  14. Web URL
  15. IP address
  16. Biometric identifiers, including fingerprints and voice
  17. Full face photo
  18. Any other unique identifying number, characteristic, or code

As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.

In a Bulletin, the Office for Civil Rights (OCR) at the HHS states that healthcare information collected on a regulated entity’s website or app generally is considered PHI even if:

  • The individual doesn’t have an existing relationship with the regulated entity.
  • Data such as IP address or geographic location doesn’t include specific treatment or billing information like dates and types of healthcare services.

The original version of the bulletin assumed that anyone visiting a covered healthcare provider’s website was, is, or will be a patient of the provider. The updated bulletin from March 2024 attempted to clarify these provisions. It introduced subjective intent standards for classifying IP addresses as protected health information (PHI). While maintaining that IP addresses combined with health-related webpage visits could constitute PHI, the update added examples distinguishing scenarios like job postings (non-PHI) from cancer care pages (potential PHI) based on inferred user intent.

However, this created operational challenges for hospitals, as determining visitor intent on unauthenticated pages remained impractical. The updated bulletin did not substantively modify HHS’s core position that IP addresses linked to health-related content could trigger HIPAA obligations, despite the ongoing AHA lawsuit.

The HHS provides examples of what parts of a website or app can contain PHI:

  • User-authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
  • Some unauthenticated pages include PHI. Whether PHI is being disclosed depends on the visitor’s underlying intentions and whether the page visit relates to the individual’s health care.
  • Mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

For more details on what qualifies as PHI, visit the HIPAA journal.

The requirements for processing PHI help protect patient privacy and make care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless the organization that holds it is a HIPAA-covered entity.

PII and PHI penalties and compliance

Another important area in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.

PII

To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.

What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.

When a PII breach occurs, businesses must report the incident. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states, however, do not set strict deadlines for businesses to report a breach to the government. Data breach notification laws vary state by state. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states governmental entities as well, to notify individuals of security breaches involving PII. Check out the list of Security Breach Notification Laws.

Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.

PHI

The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”

HIPAA penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.

In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.

In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.

The penalties for HIPAA violations are divided into four tiers based on the level of culpability and intent behind the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.

How to protect PHI in analytics

Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.

1. Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization.

2. Provide breach notification to affected individuals, the Secretary of HHS, and the media (when applicable).

3. Address the use of analytics and other data platforms in your risk analysis and risk management processes. They are crucial components of HIPAA compliance, aimed at identifying and mitigating threats to electronic protected health information (ePHI).

4. Implement administrative, physical, and technical safeguards following the HIPAA Security Rule to protect PHI.

Administrative safeguards

Purpose: Focus on policies, procedures, and training to ensure the security of ePHI.

Examples:

  • Conducting regular risk analyses to identify potential security threats.
  • Implementing policies for workforce training and security management.
  • Establishing procedures for emergency situations and incident response.
  • Defining roles and responsibilities within the organization related to security.

Physical safeguards

Purpose: Protect the physical environment where ePHI is stored or accessed.

Examples:

  • Implementing facility access controls, such as locks and alarm systems.
  • Securing workstations and devices that handle ePHI.
  • Establishing policies for the proper disposal and reuse of electronic media containing ePHI.

Technical safeguards

Purpose: Implement technologies to secure ePHI from unauthorized access or breaches.

Examples:

  • Access controls to ensure only authorized personnel can view or modify ePHI.
  • Audit controls to track and monitor access to ePHI.
  • Data integrity measures to prevent unauthorized alteration or destruction of ePHI.
  • Encryption and secure transmission protocols for ePHI sent over electronic networks.

5. Work with vendors that support values such as privacy by design. Privacy by design is an approach that integrates data privacy considerations into the design of systems, products, and services from the beginning rather than as an afterthought, ensuring data protection is prioritized alongside functionality. Following these values will help you fully control your data and understand what data you collect, store, and transfer.

6. If you can’t sign a BAA with the vendor, de-identify your PHI for research purposes or marketing by removing all 18 HIPAA identifiers. HIPAA-compliant de-identification methods include Expert Determination and Safe Harbor. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations that store, record, or share PHI and ePHI must follow.

Piwik PRO provides healthcare organizations with fully HIPAA-compliant analytics. Our platform allows you to securely collect and analyze PHI and ePHI and provide better and more personalized patient experiences.

By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure compliance with regulations.

On top of that, we offer the highest privacy and security safeguards to strengthen your data protection. Learn more about HIPAA compliance with Piwik PRO.

HIPAA marketing compliance: Best practices

When exploring HIPAA-compliant marketing strategies, you must first ensure that you disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. You must obtain explicit written authorization from patients before using their PHI for marketing purposes, which requires a specific, signed consent form. You don’t need authorization to provide essential healthcare services.

Covered entities must have a BAA with the analytics or marketing vendors that they share PHI with. They should also use tools that employ robust security features like user authentication, access controls, audit logs, and end-to-end encryption.

Most analytics platforms, including Google Analytics 4, don’t permit the use of PHI data in their products. These platforms don’t offer BAAs for their standard versions and are not configured to support HIPAA compliance out of the box. This means you must either make an extra effort to avoid passing any trace of PHI to your analytics, or switch to a HIPAA-compliant analytics platform, such as Piwik PRO Analytics Suite.

Remember that data collected from marketing pages and used in retargeting campaigns may constitute PHI. Aside from the 18 types of HIPAA identifiers, including names, addresses, and medical records, user IDs and IPs used for retargeting can easily become PHI. In most cases, using this information for marketing also requires the patient’s authorization and a platform that offers a BAA.

Consider investing in a safe first-party data strategy to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities. 

Here are some tips for building a HIPAA-compliant data ecosystem:

  • Use HIPAA-compliant customer data platforms (CDPs) to centralize and manage data from various sources, creating accurate and trusted patient profiles and focusing on first-party data.
  • Utilize consent management platforms (CMPs) to manage consent forms and ensure data flows align with patient preferences.
  • Limit access to authorized personnel only using role-based access controls to prevent unauthorized exposure.
  • Implement policies for retaining and deleting PHI in accordance with HIPAA guidelines.
  • Adopt policies and procedures for HIPAA compliance beyond technical measures.
  • Inform patients about data collection and use, ensuring transparency and trust.
  • Clearly communicate the benefits of sharing PHI to enhance patient engagement.
  • Regularly monitor data access and changes, maintaining an audit trail to ensure compliance.

I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications
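As an added example (not code from this post or from Piwik PRO), the Python below applies the Safe Harbor approach from the de-identification step earlier in the article to a single analytics hit, the kind of scrub Pat Barry describes running in a server-side tagging layer before data reaches a vendor. The field names, the sample hit and the restricted ZIP prefix list are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Fields dropped outright: names, phone/fax, e-mail, SSN, medical record,
# beneficiary/account/license numbers, vehicle and device IDs, IP address,
# biometrics, photos and any other unique user code (identifier categories
# 1, 4-13 and 15-18 in the article's list). Field names are assumed.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "license_plate", "device_id",
    "ip", "fingerprint", "photo_url", "user_id",
}
# Date fields (category 3) keep only the year and are renamed to say so.
DATE_FIELDS = {"dob": "birth_year", "admission_date": "admission_year",
               "discharge_date": "discharge_year", "event_date": "event_year"}
# Three-digit ZIP prefixes (category 2) that Safe Harbor requires to be reported
# as 000 (area under 20,000 people). Constructed subset; use the current list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "205", "369", "556", "692"}
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value: str) -> str:
    m = DATE_RE.match(value)
    return m.group(1) if m else ""


def zip3(value: str) -> str:
    digits = re.sub(r"\D", "", value)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def strip_url(value: str) -> str:
    """Drop the query string and fragment (category 14), where identifiers leak."""
    p = urlsplit(value)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def deidentify_event(event: dict) -> dict:
    """Return a copy of a hit with identifier categories removed or generalized."""
    out = {}
    for key, value in event.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = year_only(str(value))
        elif key == "zip":
            out[key] = zip3(str(value))
        elif key == "age":  # ages of 90 and over are aggregated into one bucket
            out[key] = "90+" if int(value) >= 90 else int(value)
        elif key == "page_url":
            out[key] = strip_url(str(value))
        else:
            out[key] = value
    return out


# Constructed sample hit from an unauthenticated appointment page.
SAMPLE_EVENT = {
    "event_date": "2025-04-14", "page_title": "Oncology appointments",
    "page_url": "https://hospital.example/oncology/book?email=jane@example.com#mrn=12345",
    "ip": "203.0.113.7", "user_id": "u-8812", "zip": "02139", "age": 92,
    "admission_date": "2024-11-02", "name": "Jane Doe",
}
```

Note that Safe Harbor only removes the listed categories; whether the remaining fields (page title, year, ZIP3) still single out a patient in a small population is the question Expert Determination exists to answer.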


Final thoughts

Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.

To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that revolve around HIPAA-compliant platforms rather than big tech products that put you at risk of breaches and hefty fines. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.