PHI vs PII: What Healthcare Marketers Need to Know

An email address is PII. An email address tied to an appointment on a cardiology department's scheduling page is PHI. The difference between those two sentences is the difference between a standard privacy obligation and a potential HIPAA violation carrying six-figure penalties.

Most marketing teams understand PII. They have spent years working with GDPR consent flows, CAN-SPAM compliance, and privacy policies that disclose what personal data they collect. But healthcare marketers operate under an additional layer of regulation where a familiar data point, one that looks identical in a database column, carries radically different legal weight depending on context. That context is what separates PII from PHI, and misunderstanding it has cost the healthcare industry more than $193 million in enforcement actions and settlements since 2023.

The Same Data Point, Two Different Legal Universes

PII (personally identifiable information) is any data that can identify a specific individual. Names, email addresses, phone numbers, IP addresses, device identifiers, Social Security numbers. PII is governed by a patchwork of laws: state privacy statutes, the FTC Act, CCPA/CPRA in California, GDPR for EU residents, and sector-specific regulations. The obligations are real, but they center on notice, consent, and reasonable data protection.

PHI (protected health information) is a narrower category with a higher compliance bar. Under HIPAA, PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It includes the same identifiers as PII (names, addresses, dates, account numbers) but only when those identifiers are linked to health conditions, treatments, services, or payment for healthcare.

The critical distinction: context determines classification. An IP address collected by a retail website is PII. That same IP address collected by a hospital website, where the visitor is browsing a page about substance abuse treatment, may constitute PHI. The identifier has not changed. The health context around it has.

This is where healthcare marketing teams get into trouble. Marketing tools do not distinguish between these contexts. Google Analytics collects IP addresses the same way on a shoe store's website and a cancer center's website. Meta Pixel fires the same tracking events whether someone clicks "Add to Cart" or "Schedule a Consultation with Our Oncologist." The tools treat all data as PII at most. HIPAA treats the healthcare subset as PHI, with an entirely different set of rules.

Where the Two Categories Overlap and Diverge

PII and PHI share a common set of identifiers. HIPAA's Privacy Rule lists 18 specific identifiers that, when connected to health information, constitute PHI. These include names, geographic data smaller than a state, dates (birth, admission, discharge, death), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, URLs, IP addresses, biometric identifiers, and full-face photographs.

Every one of those is also PII. The overlap is nearly complete at the identifier level. The divergence happens in three areas.

Regulatory authority. PII violations are enforced by the FTC, state attorneys general, and sometimes sector-specific regulators. PHI violations fall under HHS Office for Civil Rights (OCR) for HIPAA enforcement, with additional FTC authority under the Health Breach Notification Rule for entities not covered by HIPAA. Different agencies, different investigation processes, different penalty structures.

Consent frameworks. PII generally requires notice and opt-out rights (or opt-in under GDPR). PHI under HIPAA requires a signed authorization for most marketing uses, with limited exceptions for treatment communications. A cookie banner that satisfies CCPA does not satisfy HIPAA. They are separate consent regimes with different legal foundations.

Vendor obligations. Sharing PII with a vendor requires a data processing agreement and reasonable security measures. Sharing PHI with a vendor requires a Business Associate Agreement (BAA) that imposes HIPAA's full regulatory framework on the vendor, including breach notification requirements, minimum necessary standards, and potential civil and criminal penalties for noncompliance. A vendor that handles PII is a service provider. A vendor that handles PHI is a Business Associate with direct regulatory liability.

Three Words That Turn an IP Address into PHI

The December 2022 OCR guidance on tracking technologies crystallized a principle that had been legally present but practically ignored: health context transforms standard identifiers into PHI. The guidance stated that HIPAA-regulated entities may not use tracking technologies in ways that disclose PHI to tracking technology vendors without proper authorization or a valid HIPAA exception.

The practical implication for marketing teams is significant. When a visitor lands on a hospital website and browses a page titled "Breast Cancer Screening Options," the combination of their IP address (an identifier) and the page content (health context) creates PHI. If a tracking pixel on that page sends the visitor's IP address, device fingerprint, or cookie ID to Google or Meta alongside the page URL, that transmission is a potential HIPAA violation.

This is not a theoretical concern. Advocate Aurora Health paid $12.25 million to settle a class action after installing Meta Pixel and Google Analytics on its website and patient portal. The tools were deployed to "better understand patient needs." They operated exactly as designed, sending behavioral data, including which health-related pages visitors viewed, to Meta and Google. Approximately 3 million patients were affected between 2017 and 2022.

Kaiser Permanente's $47.5 million settlement in 2025 involved an even broader exposure. Third-party tracking code on Kaiser's websites, patient portals, and mobile apps transmitted search terms, medical histories, and communications with healthcare professionals to Google, Microsoft, Meta, and X. The tracking affected 13.4 million members across nine states.

In both cases, the data being collected included standard PII identifiers. What made those identifiers PHI was the healthcare context in which they were collected and the health-related information attached to them.

Why Marketing Teams Confuse the Two (and Why It Matters)

The confusion between PHI and PII is not just semantic. It drives real architectural decisions that create compliance gaps.

The PII playbook does not protect you. Marketing teams that have built mature PII compliance programs, with consent management platforms, privacy policies, and data processing agreements, often assume those controls extend to PHI. They do not. A consent management platform that collects cookie opt-ins satisfies PII consent requirements but does not constitute HIPAA authorization. A data processing agreement with a vendor is not a BAA. The infrastructure that protects PII is necessary but insufficient for PHI.

"We don't collect medical records" is not the standard. Teams that equate PHI with clinical data (lab results, diagnoses, prescriptions) underestimate how broadly HIPAA defines health information. Browsing behavior on a healthcare website, appointment scheduling data, newsletter engagement with health-specific content, and even the act of creating a patient portal account all generate PHI when combined with identifiers. The standard is not whether you collected a medical record. The standard is whether an identifier was linked to any health-related context.

Analytics tools do not know the difference. Google Analytics, Meta Pixel, Hotjar, Mixpanel, and every other standard analytics tool collect the same data regardless of the website's industry. They cannot distinguish PHI from PII because the distinction depends on the website's context, not the data format. This means healthcare marketing teams must apply controls at the architectural level, preventing health-context data from reaching tools that are not covered by a BAA.

Building a Marketing Stack That Respects the Distinction

Understanding PHI vs PII is not an academic exercise. It should drive how healthcare organizations select vendors, architect data flows, and manage consent.

Audit your data flows for health context. Map every point where an identifier (email, IP, cookie, device ID) could be combined with health-related information. This includes page URLs containing condition names, form fields capturing health interests, audience segments organized by service line, and event names that reference treatments. Each of those combination points is where PII becomes PHI.

Require BAAs from every vendor that touches PHI. If a vendor receives identifiers alongside health context, that vendor needs a BAA, not just a data processing agreement. This includes analytics platforms, tag managers, email tools, form builders, chat widgets, and session replay tools. A comprehensive BAA covers the full data pipeline: collection, processing, storage, and transmission.

Use server-side architecture to control what leaves the browser. Client-side tracking sends data through the visitor's browser to third-party servers. This is the mechanism that enabled every enforcement case referenced above. Server-side architecture routes data from your servers to vendor systems. The browser never communicates directly with Google, Meta, or any third party. You control exactly what data reaches each destination, and you can strip health context before it leaves your infrastructure.

Implement consent that meets both standards. Cookie consent satisfies PII requirements. HIPAA authorization satisfies PHI requirements. Healthcare organizations need both, and they need them enforced server-side, not just through client-side JavaScript that can be delayed or bypassed. Consent and privacy management is the next frontier of healthcare compliance, with state health privacy laws expanding requirements beyond what HIPAA alone mandates.
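The three steps above (map where identifiers meet health context, route events through your own servers, enforce both consent regimes there) come together in a server-side gateway. The following is an added illustration written for this article, not code from the original page or from any vendor: it classifies each incoming event as PHI, PII or non-identifiable by checking identifiers against health context in the page path, event name and form fields, then decides per vendor what may leave your infrastructure. The HEALTH_TERMS list, the vendor registry, the hostname hospital.example and the sample events are all constructed for the example.

```python
"""Server-side event gateway: classify events as PHI / PII / non-identifiable,
enforce the matching consent, and strip health context before forwarding to
vendors that have no BAA.

Added illustration for this article, not code from the original page or any
vendor. HEALTH_TERMS, VENDORS, hospital.example and the sample events are
constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed terms that signal health context when found in a page path,
# an event name, or a non-identifier form field (e.g. "Reason for Visit").
HEALTH_TERMS = (
    "cancer", "oncolog", "cardiolog", "substance-abuse", "screening",
    "diagnos", "treatment", "appointment", "consult", "reason_for_visit",
)

# Constructed vendor registry: True means a signed BAA is on file.
VENDORS = {"analytics-with-baa": True, "ad-pixel-no-baa": False}

# Identifiers the gateway treats as linking data to a person
# (a subset of HIPAA's 18 identifiers).
IDENTIFIER_FIELDS = frozenset({"ip", "email", "cookie_id", "device_id"})


@dataclass
class Event:
    name: str
    page_url: str
    fields: dict    # identifiers and form fields captured with the event
    consent: dict   # e.g. {"cookies": True, "hipaa_authorization": False}


def has_health_context(event: Event) -> bool:
    """True if the path, event name or any non-identifier field carries health context."""
    parts = [event.name, urlparse(event.page_url).path]
    parts += [f"{k}={v}" for k, v in event.fields.items() if k not in IDENTIFIER_FIELDS]
    haystack = " ".join(parts).lower()
    return any(term in haystack for term in HEALTH_TERMS)


def classify(event: Event) -> str:
    """PHI = identifier + health context; PII = identifier only; else NON_IDENTIFIABLE."""
    has_identifier = any(k in IDENTIFIER_FIELDS for k in event.fields)
    if has_identifier and has_health_context(event):
        return "PHI"
    if has_identifier:
        return "PII"
    return "NON_IDENTIFIABLE"


def strip_health_context(event: Event) -> dict:
    """De-identified payload: identifiers dropped, condition-bearing path and name redacted."""
    parsed = urlparse(event.page_url)
    return {
        "name": "page_view",                                   # no treatment reference
        "page": f"{parsed.scheme}://{parsed.netloc}/[redacted]",  # host only
        "fields": {},                                          # no identifiers, no health fields
    }


def build_outbound(event: Event, vendor: str):
    """Payload to forward to `vendor`, or None if nothing may be sent."""
    classification = classify(event)
    baa = VENDORS.get(vendor, False)
    full = {"name": event.name, "page": event.page_url, "fields": dict(event.fields)}

    if classification == "NON_IDENTIFIABLE":
        return full                                   # nothing links it to a person
    if classification == "PII":
        return full if event.consent.get("cookies") else None
    # PHI: the full record needs both a BAA and a HIPAA authorization.
    # Without them, only a de-identified record may go out, and only
    # where ordinary cookie consent exists.
    if baa and event.consent.get("hipaa_authorization"):
        return full
    if event.consent.get("cookies"):
        return strip_health_context(event)
    return None


# Constructed sample events from a hypothetical hospital site.
ONCOLOGY_VISIT = Event(
    name="schedule_consult_click",
    page_url="https://hospital.example/services/oncology/breast-cancer-screening",
    fields={"ip": "203.0.113.7", "cookie_id": "abc123"},
    consent={"cookies": True, "hipaa_authorization": False},
)
CAREERS_VISIT = Event(
    name="page_view",
    page_url="https://hospital.example/careers",
    fields={"ip": "203.0.113.9"},
    consent={"cookies": True, "hipaa_authorization": False},
)

if __name__ == "__main__":
    for ev in (ONCOLOGY_VISIT, CAREERS_VISIT):
        for vendor in VENDORS:
            print(classify(ev), vendor, build_outbound(ev, vendor))
```

The decision lives on the server, so a blocked or delayed consent script in the browser cannot change it, and the same oncology click produces a full record for the BAA-covered vendor only once a HIPAA authorization is recorded, a redacted one for the ad pixel, and nothing at all without cookie consent.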

Scan your website continuously. Your tracking surface changes every time a marketing team member adds a script, a plugin updates, or a third-party tag loads additional tags. A web scanner that crawls your site on an ongoing basis detects every cookie, script, and tracking pixel, flagging which ones lack a BAA and which ones are sending data to platforms that should not receive PHI.
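The static half of that scan, inventorying which third-party hosts a page loads and which of them lack a BAA, is small enough to show in full. The following is an added illustration for this article, not code from the original page or from any scanning product: it parses one HTML page, collects every external host referenced by script, img, iframe and link tags and by URLs embedded in inline scripts (the way tag managers load further tags), and flags hosts without a BAA, rating the exposure higher when the page itself carries health context. The first-party host hospital.example, the BAA registry, the vendor hostnames and the sample HTML are constructed.

```python
"""Tracker inventory for one HTML page: list third-party hosts it loads and flag
those without a BAA, rating exposure higher on pages with health context.

Added illustration for this article, not code from the original page or any
product. FIRST_PARTY, BAA_HOSTS, the vendor hostnames and SAMPLE_HTML are
constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "hospital.example"                      # constructed site host
BAA_HOSTS = {"analytics.vendor-with-baa.example"}     # constructed BAA registry
HEALTH_TERMS = ("cancer", "oncolog", "cardiolog", "screening", "treatment")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")       # hosts inside inline scripts


class ResourceCollector(HTMLParser):
    """Collect URLs from resource-loading tags and from inline script text."""
    SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.SRC_ATTR.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        # A <script> without src carries inline code; scan its text for hosts.
        self._in_inline_script = tag == "script" and not attrs.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.urls.extend(URL_RE.findall(data))


def scan_page(path: str, html: str) -> list:
    """Return one finding per distinct third-party host, in page order."""
    collector = ResourceCollector()
    collector.feed(html)
    health_page = any(term in path.lower() for term in HEALTH_TERMS)
    findings, seen = [], set()
    for url in collector.urls:
        host = urlparse(url).netloc.lower()
        if not host or host == FIRST_PARTY or host in seen:
            continue                       # relative URL, first party, or duplicate
        seen.add(host)
        has_baa = host in BAA_HOSTS
        if has_baa:
            risk = "covered"               # vendor is a Business Associate
        elif health_page:
            risk = "phi_exposure"          # identifier + health context leaving to no-BAA host
        else:
            risk = "review"                # PII only, but still a third party to track
        findings.append({"host": host, "has_baa": has_baa,
                         "health_page": health_page, "risk": risk})
    return findings


# Constructed page: a BAA-covered analytics tag, an inline loader that pulls
# an ad pixel, the pixel's 1x1 image, and a chat widget iframe.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script async src="https://analytics.vendor-with-baa.example/tag.js"></script>
<script>
  !function(){var s=document.createElement('script');
  s.src='https://pixel.ad-network.example/events.js';
  document.head.appendChild(s);}();
</script>
</head><body>
<img src="https://pixel.ad-network.example/tr?ev=PageView" width="1" height="1" />
<iframe src="https://chat.widget-vendor.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page("/services/oncology/breast-cancer-screening", SAMPLE_HTML):
        print(finding)
```

Running this against a crawl on a schedule, and diffing the host list between runs, is what turns a one-off audit into the continuous scan the paragraph describes: a new host appearing on a condition page is the signal to act on. Loaders that inject tags only after the page runs would need a rendered-DOM or network-level scan rather than this static parse.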

FAQ

Is all PII also PHI?

No. PII becomes PHI only when it is linked to health information and handled by a HIPAA-covered entity or business associate. An email address in a retail marketing database is PII. That same email address in a hospital's email campaign segmented by "Cardiology Patients" is PHI. The identifier is the same; the health context and the entity handling it determine the classification.

Does HIPAA apply to PII that is not health-related?

HIPAA only applies to PHI. If a healthcare organization collects data that has no connection to health conditions, treatments, or payment for healthcare, that data is PII but not PHI. However, on a healthcare website, the line between health-related and non-health-related data is often blurry. A "Contact Us" form on a hospital website generates PII, but if the form includes a dropdown for "Reason for Visit," the submission becomes PHI.

Can I use the same consent platform for both PII and PHI compliance?

A consent management platform can manage both, but the consent flows must be separate and meet different legal standards. Cookie consent (PII) typically follows an opt-in or opt-out model defined by state or international privacy law. HIPAA authorization (PHI) requires specific content, including a description of the information to be used, who will use it, the purpose, and an expiration date. One checkbox cannot satisfy both requirements.

What happens if I treat PHI as PII and only apply PII protections?

You are likely violating HIPAA. PII protections (privacy policies, data processing agreements, opt-out mechanisms) do not meet HIPAA's requirements for BAAs, minimum necessary standards, breach notification timelines, or authorized disclosures. The gap between PII compliance and PHI compliance is where enforcement actions happen.

Do state health privacy laws change the PHI vs PII distinction?

Yes. Laws like Washington's My Health My Data Act expand the definition of health data beyond HIPAA's PHI to include consumer health data held by entities that are not HIPAA-covered. This means data that is merely PII under HIPAA (because the entity holding it is not a covered entity or business associate) could still be regulated health data under state law. The regulatory landscape is expanding, and the trend points toward broader protection of health-related data regardless of who holds it.

The distinction between PHI and PII is foundational to every compliance decision a healthcare marketing team makes. Getting it wrong does not just create regulatory risk. It means your entire vendor stack, consent architecture, and data governance model may be built on the wrong assumptions. If your organization needs to evaluate whether its marketing data flows properly distinguish PHI from PII, Ours Privacy provides server-side infrastructure and consent management designed for healthcare compliance.

Related reading:

  • What Is PHI? A Healthcare Marketer's Guide

  • What Is a BAA and Why Does Your Analytics Vendor Need One?

  • HIPAA and Marketing: What the Privacy Rule Actually Says

  • Cookie Consent vs HIPAA Authorization