What Is Protected Health Information (PHI)? Ending The Confusion
A December 2022 bulletin from HHS made it clear: using tools like Google Analytics and the Meta Pixel could expose organizations to HIPAA violations. Then came the FTC’s $1.5 million fine against GoodRx for sharing sensitive user data with ad platforms.
Since then, marketing and IT teams across the industry have been asking two big questions:
- What exactly counts as PHI?
- Why do common tracking tools put us at risk?
In this post, we’re unpacking how marketing data can become PHI and how that data becomes dangerous.
What Is PHI?
The U.S. Department of Health and Human Services (HHS) has a complex, somewhat confusing explanation of PHI in the HIPAA Privacy Rule:
"Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, is considered PHI.
Breaking this down further, "individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual.
To put that in simpler terms, for something to be considered PHI, two things must exist:
- At least one of the 18 HIPAA personal identifiers (more on this below), and
- Health information.
As an example, if you know someone's email address and nothing else about them, that is not PHI. That's just a personal identifier. But if you know ray@email.com has diabetes, that is PHI.
The 18 Identifiers That Make Up One Half of PHI
A HIPAA identifier is something that can reveal the identity of an individual. I know this is Ray, so I can start associating things with Ray.
HHS provides a complete list of what they consider as things that could individually identify a person. It's no surprise that something like name, email, and phone number make that list, but other not-so-obvious things can reveal an individual's identity. Let's cover a few of those:
- Geographic subdivisions smaller than a state. An individual's full address is an identifier, and a ZIP code on its own can be one as well: the initial three digits of a ZIP code may be retained only if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people must be changed to 000.
- IP address. The Meta Pixel and the tracking technologies that power Google Analytics and Google Ads run "client-side," which means they are loaded in the visitor's browser as part of the web page. Client-side loading lets them collect personally identifiable information such as the visitor's IP address.
- Dates. Dates directly related to an individual, like birth date, admission date, and discharge date, are considered a way to identify an individual.
- Device identifiers and serial numbers. Device ID, which is commonly tracked by digital marketing tools, is a personal identifier.
Any of those identifiers, plus the more obvious ones, can become PHI when combined with health information.
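The ZIP code and date rules above are the ones a practitioner has to implement when de-identifying records, so here is an added example of applying them (this is not code from the post or from Freshpaint). The three-digit ZIP rule is the one described above; the per-prefix population figures are constructed for illustration, not Census data, and reducing dates to the year alone is the safe-harbor treatment of dates, which the post does not spell out. Field names such as `zip`, `birth_date` and `device_id` are assumptions for the sample record.

```python
"""Apply the ZIP code and date rules above to a sample record.

Added example, not code from the post or from Freshpaint. The population
figures are constructed for illustration (NOT real Census data); reducing
dates to their year is the safe-harbor treatment, not something the post states.
"""

SAFE_HARBOR_POPULATION_THRESHOLD = 20_000

# Constructed population per three-digit ZIP prefix (not real Census figures).
SAMPLE_PREFIX_POPULATION = {
    "100": 1_500_000,  # large urban prefix: first three digits may be kept
    "036": 12_000,     # sparse prefix: must become 000
    "059": 20_000,     # exactly at the threshold: "20,000 or fewer" -> 000
    "902": 750_000,
}


def safe_harbor_zip(zip_code: str, prefix_population: dict) -> str:
    """Return the de-identified ZIP under the three-digit rule.

    Keeps the initial three digits only when the unit formed by all ZIP codes
    sharing them holds more than 20,000 people; otherwise returns "000".
    A prefix missing from the table is treated conservatively as small.
    """
    digits = "".join(ch for ch in zip_code if ch.isdigit())  # accepts ZIP+4 too
    if len(digits) < 5:
        raise ValueError(f"not a valid ZIP code: {zip_code!r}")
    prefix = digits[:3]
    population = prefix_population.get(prefix, 0)
    if population > SAFE_HARBOR_POPULATION_THRESHOLD:
        return prefix
    return "000"


def safe_harbor_date(date_iso: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year, the only element retained."""
    year = date_iso[:4]
    if not (len(date_iso) >= 4 and year.isdigit()):
        raise ValueError(f"expected an ISO date, got {date_iso!r}")
    return year


# Fields the post lists as identifiers: direct identifiers are dropped outright,
# geography below state level is dropped (ZIP is truncated), dates keep the year.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ip_address", "device_id"}
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}


def deidentify_record(record: dict, prefix_population: dict) -> dict:
    """Strip a record down to what the identifier rules allow to remain."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value, prefix_population)
        elif field in SUB_STATE_GEOGRAPHY:
            continue
        elif field.endswith("_date"):
            out[field.replace("_date", "_year")] = safe_harbor_date(value)
        else:
            out[field] = value  # state, diagnosis, etc. pass through unchanged
    return out


if __name__ == "__main__":
    # Constructed record: identifiers plus health information, i.e. PHI as defined above.
    ray = {
        "name": "Ray", "email": "ray@email.com", "street": "1 Main St",
        "city": "Anytown", "state": "NY", "zip": "03601-1234",
        "birth_date": "1980-05-17", "admission_date": "2024-02-03",
        "diagnosis": "type 2 diabetes",
    }
    print(deidentify_record(ray, SAMPLE_PREFIX_POPULATION))
```

The threshold comparison is strict (`> 20,000`) on purpose: a unit with exactly 20,000 people falls under "20,000 or fewer" and must be zeroed, and an unknown prefix is zeroed rather than guessed.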
What Counts as Health Information Under HIPAA
The other component required for data to be considered PHI is health information about the individual. The HIPAA Privacy Rule calls out three categories of health information:
- Physical health or mental health or condition. A diagnosis of type 2 diabetes or a torn medial collateral ligament would be considered health information. Tracking technologies on a hospital website could capture page visits or videos viewed, from which a visitor's physical health or condition could be inferred.
- Provision of health care to the individual. A scheduled doctor's appointment or medication prescription would indicate that healthcare is being provided.
- Payment for the provision of healthcare. Any invoice, bill, or attempt to obtain payment for provisioned healthcare services would be considered health information.
Health information covers a wide range of details—from conditions to care to payment—and when paired with identifiers, it becomes PHI.
How Tracking Tools Turn PHI into a HIPAA Violation
So, how does this all become a HIPAA violation that marketers need to be worried about?
It's unfortunately quite simple: If your organization is sharing an identifier combined with health information with a non-compliant destination like Google Analytics, Google Ads, or Facebook Ads, that could be a HIPAA violation.

What makes it risky for marketers is that those tools, by default, collect both personal identifiers and health information. This is exactly why there's been a long list of marketing-related HIPAA violations, fines, and lawsuits since 2022.
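To make that failure mode concrete from the defender's side, here is an added example (not code from the post or from Freshpaint) that scans a constructed egress log of outbound tracking requests and flags every beacon to a non-BAA destination that carries the URL of a health-related page together with a visitor identifier. The hostnames, path patterns and parameter names are assumptions for illustration: `dl` is used as the page-location parameter and `cid` as the analytics client id, but a real deployment would key on whatever its own tag configuration actually sends.

```python
"""Detect outbound tracking beacons that pair an identifier with a health-context page.

Added example, not code from the post or from Freshpaint. It reads a constructed
egress log ("<client_ip> <method> <url>" per line) of requests a hospital site's
pages made to third-party tags, and flags the ones that would carry PHI to a
destination that will not sign a BAA. Hostnames, path patterns and parameter
names are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Destinations the post names as unwilling to sign a BAA (assumed hostnames).
NON_BAA_DESTINATIONS = {
    "www.facebook.com",
    "www.google-analytics.com",
    "googleads.g.doubleclick.net",
}

# Path fragments on the provider's own site that map onto the Privacy Rule's
# three health-information categories. Patterns are assumptions for this example.
HEALTH_CONTEXT_PATTERNS = {
    "condition": re.compile(r"/(conditions|diagnosis|treatments)/", re.I),
    "care": re.compile(r"/(appointments?|schedule|prescriptions?)(/|$)", re.I),
    "payment": re.compile(r"/(billing|pay|invoice)(/|$)", re.I),
}

# Beacon query parameters that carry a per-visitor identifier (assumed names:
# analytics client id, hashed email, external id, device id).
IDENTIFIER_PARAMS = {"cid", "em", "external_id", "device_id"}

# Constructed log lines; IPs are from documentation ranges, hosts are examples.
CONSTRUCTED_EGRESS_LOG = """\
203.0.113.7 GET https://www.facebook.com/tr/?id=111&ev=PageView&dl=https%3A%2F%2Fhospital.example%2Fconditions%2Fdiabetes%2F
203.0.113.7 GET https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&cid=55.66&dl=https%3A%2F%2Fhospital.example%2Fbilling%2Fpay
198.51.100.9 GET https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&cid=77.88&dl=https%3A%2F%2Fhospital.example%2Fabout%2Fleadership
198.51.100.9 GET https://cdn.hospital.example/static/app.js
"""


def analyze_beacon(client_ip: str, url: str):
    """Classify one outbound request; returns None unless it goes to a non-BAA host."""
    parts = urlsplit(url)
    if parts.hostname not in NON_BAA_DESTINATIONS:
        return None
    params = parse_qs(parts.query)
    # The originating page URL travels inside the beacon (as "dl" here), so the
    # third party learns which page the visitor was on.
    page_url = params.get("dl", [""])[0]
    page_path = urlsplit(page_url).path
    health_context = [name for name, rx in HEALTH_CONTEXT_PATTERNS.items()
                      if rx.search(page_path)]
    # A client-side beacon always exposes the visitor's IP address; add any
    # explicit identifier parameters the tag attached on top of that.
    identifiers = ["ip_address"] + sorted(p for p in params if p in IDENTIFIER_PARAMS)
    return {
        "destination": parts.hostname,
        "client_ip": client_ip,
        "page": page_url,
        "identifiers": identifiers,
        "health_context": health_context,
        # Identifier + health information = PHI; anything else is "just" an identifier.
        "phi_risk": bool(health_context),
    }


def scan_egress_log(log_text: str) -> list:
    """Return findings for every beacon that would send PHI to a non-BAA destination."""
    findings = []
    for line in log_text.splitlines():
        client_ip, _method, url = line.split(" ", 2)
        finding = analyze_beacon(client_ip, url)
        if finding and finding["phi_risk"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_egress_log(CONSTRUCTED_EGRESS_LOG):
        print(f"{f['destination']}: {f['identifiers']} + {f['health_context']} via {f['page']}")
```

Run against the constructed log, the two hits are the Meta Pixel PageView fired from a conditions page (IP address plus a condition page) and the analytics hit from the billing page (IP address and client id plus a payment page); the leadership-page hit reaches the same non-BAA host but carries no health context, which is exactly the "identifier alone is not PHI" distinction the post draws.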
Destinations That Aren't HIPAA-Compliant
This last component is where healthcare providers risk violations when running tracking technologies on their websites.
If you have PHI (an identifier plus health information about the individual) and send it to a non-compliant destination such as Google or Facebook, you are doing exactly what has already resulted in class action lawsuits against Meta and several hospitals, and in the $1.5M FTC fine against GoodRx.
Since Google and Meta don't and won't sign BAAs, it's impossible to use them in a HIPAA-compliant way. Or is it?
Learn more: A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites
A Way to Make Your Ad Platforms HIPAA-Compliant
Digital advertising spend in healthcare continues to climb—reaching $17 billion in 2024 and projected to hit $19.6 billion by the end of 2025. That’s a massive investment in platforms like Google and Facebook, which is why turning them off isn’t a simple option for most healthcare marketers. Shutting them off and redistributing the advertising spend will take years of strategic efforts for marketing teams at healthcare providers.
That's where Freshpaint comes in. Freshpaint makes ad platforms and the analytics used to measure their performance HIPAA compliant while giving them the minimum data they need to drive growth effectively. You can learn more about Freshpaint here.
Straight Answers on PHI from a Healthcare Privacy Lawyer
We asked a Healthcare Privacy lawyer at Faegre Drinker, Dori Cain, for answers to the most common PHI-related questions. Here's what she had to say:
- Who is responsible for preventing PHI from being sent to a vendor that isn't a HIPAA business associate?
- Dori's response: OCR is always going to go after the covered entity. So if you are a covered entity, you need to have total control over your PHI.
- Is an ad click ID considered PHI?
- Dori's response: An Ad Click ID is very similar to an IP address. So it uniquely identifies an individual. However, Ad Click ID on its own is not connected to any healthcare information or the payment of healthcare services. In that instance it would not constitute PHI.
- If you send two identifiers, say an email address and a device ID, back to an ad platform, would that be considered PHI?
- Dori's response: For it to be considered PHI, you need to have those identifiers be associated with health information. And in that context, if you're not connecting that to the provision or payment of health care, then it does not constitute PHI under HIPAA.
If you need more, read Dori's answers to many commonly asked healthcare privacy questions here: Ask a Healthcare Lawyer: HIPAA Compliance for Healthcare Marketers.