What Is PHI? Ending The Confusion
What did it take to get most of the healthcare world asking questions about why things like Facebook Ads and Google Analytics might put them at risk of HIPAA compliance? Try a December 2022 HIPAA update advising against Google and Facebook tracking technologies and the FTC serving notice with their $1.5M fine against GoodRx.
And two of the biggest questions marketing and IT leaders have are what exactly is PHI and what's the issue with tracking technologies. We covered why Facebook's and Google's tracking technologies aren't HIPAA-compliant in this post, but today we're going to focus on understanding PHI.
What Constitutes PHI?
The U.S. Department of Health and Human Services (HHS) says the following about the HIPAA Privacy Rule:
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
"Individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
For something to be considered PHI, two things must exist:
- At least one of the 18 HIPAA identifiers has to exist.
- There is some health information.
One way for that PHI to result in a HIPAA violation:
- Sharing an identifier combined with health information with a non-compliant destination like Google Analytics, Google Ads, or Facebook Ads.
Let's break this down further by discussing each of the three components.
18 HIPAA Identifiers
A HIPAA identifier is something that can reveal the identity of an individual. I know this is Ray, so I can start associating things with Ray.
HHS provides a complete list of what they consider as things that could individually identify a person. It's no surprise that something like name, email, and phone number make that list, but other not-so-obvious things can reveal an individual's identity. Let's cover a few of those.
Geographic subdivisions smaller than a state
An individual's full address would serve as an identifier, but so would ZIP codes on their own if:
- The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people.
- The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
The Meta Pixel and the tracking technologies that power Google Analytics and Google Ads sit "client-side," which means they are loaded on the physical website. Client-side loading of tracking technologies allows them to intercept personally identifiable information like a visitor's IP address.
Dates directly related to an individual, like birth date, admission date, and discharge date, are considered a way to identify an individual.
The other component required to have data considered to be PHI is health information about the individual. The HIPAA Privacy Rule calls out three categories of Health Information:
- Physical health or mental health or condition
- Provision of health care to the individual
- Payment for the provision of healthcare
Let's cover examples of each of these categories.
Health or condition
A diagnosis of type 2 diabetes or a torn medial collateral ligament would be considered health information. Tracking technologies on a hospital website could capture page visits or videos viewed that could be inferred to determine a visitor's physical health or condition.
Provision of healthcare
A scheduled doctor's appointment or medication prescription would indicate that healthcare is being provided.
Payment for healthcare
Any invoice, bill, or attempt to obtain payment for provisioned healthcare services would be considered health information.
Destinations That Aren't HIPAA-Compliant
This last component is where healthcare providers risk violations when running tracking technologies on their websites.
Suppose you have PHI (identifier + health information about the individual) and send it to a non-compliant destination (like Google or Facebook). In that case, this information sharing has already resulted in class action lawsuits against Meta and several hospitals and the $1.5M FTC fine against GoodRx.
Since Google and Meta don't and won't sign BAAs, it's impossible to use them in a HIPAA-compliant way. Or is it?
A Way to Make Your Ad Platforms HIPAA-Compliant
Digital advertising spend in healthcare is projected to be $18B in 2023. And Facebook and Google are two of the most powerful performance marketing channels. Shutting them off and redistributing the advertising spend will take years of strategic efforts for marketing teams at healthcare providers.
That's where Freshpaint comes in. Freshpaint makes ad platforms and the analytics used to measure their performance HIPAA compliant while giving them the minimum data they need to drive growth effectively. You can learn more about Freshpaint here.