What Is PHI? A Healthcare Marketer's Guide to Protected Health Information

Most healthcare marketing teams believe they know what PHI is. They think of medical records, lab results, diagnosis codes, and prescription histories. They are confident that their marketing operations stay far from that kind of data. After all, the marketing team does not access the EHR. They do not handle insurance claims. They send newsletters, run ad campaigns, and track website traffic.

This confidence has cost the healthcare industry dearly. In enforcement case after enforcement case since 2023, the organizations involved insisted their marketing tools did not touch PHI. They were wrong, not because they were handling clinical data, but because their definition of PHI was too narrow. The marketing tools they installed collected PHI automatically, as a standard function of how those tools work.

Protected health information is not limited to what clinicians document. Under HIPAA it is any individually identifiable information, created or received by a covered entity or its business associate, that relates to a person's past, present, or future health condition, the healthcare services they receive, or payment for that care. And in the context of digital marketing, "individually identifiable" extends far beyond names and Social Security numbers.

The Two Elements That Turn a Page View into PHI

PHI requires two elements: an individual identifier and health context, in a record held by a covered entity or its business associate. When both elements are present in the same data point, you have PHI. The critical insight for marketing teams is that their tools routinely combine these two elements without anyone asking them to.

Individual identifiability includes the obvious identifiers: names, email addresses, phone numbers, Social Security numbers, and medical record numbers. But it also includes less obvious identifiers that marketing tools collect by default. IP addresses are individually identifiable. Device fingerprints are individually identifiable. Unique cookie values that persist across sessions are individually identifiable. Login credentials that tie browsing behavior to a known person are individually identifiable.

HIPAA's Privacy Rule lists 18 types of identifiers that must be removed before data counts as de-identified under the Safe Harbor method (45 CFR 164.514(b)). Marketing tools routinely collect at least four of them (IP addresses, dates other than year, device identifiers, and web URLs that function as unique identifiers) in their default installation, with no configuration at all.

Health context is where marketing teams underestimate their exposure. Health context does not require a diagnosis code or clinical note. It includes the health condition a person has or might have, the healthcare services they are seeking, and the payment they are making or considering for healthcare. Visiting a page about knee replacement surgery is health context. Clicking "Schedule a Consultation" on a fertility clinic's website is health context. Searching for "anxiety treatment near me" and clicking a Google Ad that leads to a behavioral health provider is health context.

When a marketing analytics tool captures an IP address on a page about cardiac rehabilitation, it has combined an individual identifier with health context. That data point is PHI.

How Marketing Tools Generate PHI Without Your Knowledge

The gap between what marketing teams think their tools collect and what those tools actually collect is the root of healthcare's tracking technology crisis.

Web analytics platforms capture page URLs, referral sources, session duration, and user behavior paths. On a healthcare site, page URLs often contain department names, service lines, or condition categories. A session that visits /services/oncology, then /providers/dr-smith-oncologist, then /patient-resources/chemotherapy-preparation tells a detailed health story. When tied to an IP address or a logged-in user, that session data is PHI.

Ad platform pixels connect ad interactions to website behavior. When a patient clicks a Google Ad for "depression treatment" and lands on a behavioral health provider's site, the ad platform now has the patient's identity (through their Google account) connected to a mental health interest. GoodRx's enforcement case centered on exactly this pattern: Meta Pixel and Google tracking pixels shared prescription drug names, health conditions, and personal identifiers with advertising platforms, resulting in $1.5 million in FTC penalties and a $25 million class action settlement. GoodRx is not a HIPAA covered entity; the FTC brought the case under the Health Breach Notification Rule and Section 5 of the FTC Act, which is the point: the same data flows draw enforcement even where HIPAA does not apply.

Form capture tools collect data that visitors intentionally submit. On a healthcare site, form submissions for appointment requests, consultation inquiries, and event registrations combine contact information (name, email, phone) with health interests (selected department, described symptoms, preferred provider specialty). If the form tool sends this data to a third-party server without a BAA, PHI has been disclosed.

Email marketing platforms link subscriber identity to engagement with health content. When a subscriber opens a newsletter titled "Managing Your Diabetes" or clicks a link about bariatric surgery, the email platform records that a specific person engaged with specific health content. That engagement data is PHI.

Session replay and heatmap tools capture everything a visitor does on a page: mouse movements, clicks, scrolling, form field interactions, and sometimes keystrokes. On healthcare pages, these recordings can capture patients entering symptoms, selecting conditions from dropdowns, or navigating through health-specific content.

The December 2022 Guidance That Changed Everything

For years, healthcare organizations operated under the assumption that their public-facing websites were outside HIPAA's reach. The logic was that unauthenticated visitors (people who had not logged in) were not patients, and the website was a marketing channel, not a clinical system.

The HHS Office for Civil Rights upended this assumption with its December 2022 guidance on tracking technologies. The guidance clarified two points that directly affect marketing teams.

First, HIPAA applies to tracking technologies on websites maintained by covered entities and their business associates. This includes publicly accessible pages, not just authenticated patient portals.

Second, the combination of an IP address with a visit to a health-related webpage can constitute PHI, even on an unauthenticated page. A visitor does not need to log in, provide their name, or identify themselves in any explicit way; the IP address combined with the health context of the page they viewed is sufficient. One caveat a practitioner needs: in June 2024 a federal court in American Hospital Association v. Becerra vacated the portion of the guidance that treated an IP address plus a visit to an unauthenticated health-related page as individually identifiable health information. The authenticated-portal portion of the guidance stands, and the FTC cases and state privacy laws discussed on this page reach the same data flows regardless, so the operational advice below does not change.

This guidance crystallized what the enforcement cases had already demonstrated. The wave of settlements that followed, totaling over $193 million, confirmed that regulators were serious about applying this interpretation.

PHI in Places Marketing Teams Never Look

Beyond the obvious marketing tools, PHI can accumulate in parts of the tech stack that marketing teams rarely audit.

Tag managers load scripts from multiple vendors. A single Google Tag Manager container might load analytics, advertising pixels, chat widgets, A/B testing tools, and session replay scripts. Each loaded script has its own data collection behavior. The marketing team configured the tag manager, but the data collection happens in the scripts the tag manager loads.

CDN and hosting logs record IP addresses, timestamps, and requested URLs. On a healthcare site, server access logs contain the same IP-plus-health-context combination that creates PHI in analytics tools.
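The session-path story above (oncology page, oncologist profile, chemotherapy preparation) and the server access logs described here are the same problem in two places: a URL that carries health context sitting next to an IP address. The following is an added example, not code from the article or from any vendor's product, showing how to find such entries in a combined-format access log and rewrite them with a keyed pseudonym in place of the raw IP. The health-context URL prefixes, query keys, hostnames and log lines are all constructed for the example; a real deployment takes the prefixes from the site's own information architecture.

```python
"""Find and scrub log entries that pair an IP address with a health-context URL.

Added example, not code from the original article. It assumes the Apache/Nginx
"combined" log format and a hypothetical list of health-context URL prefixes
and query keys; substitute your own site's information architecture.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Combined log format:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical: URL sections and query keys that reveal a condition, service line,
# provider interest, or scheduling intent on an example hospital site.
HEALTH_PREFIXES = ("/services/", "/conditions/", "/providers/",
                   "/patient-resources/", "/schedule")
HEALTH_QUERY_KEYS = {"condition", "dept", "specialty", "symptom", "provider"}


def has_health_context(path_and_query: str) -> bool:
    """True if the requested URL itself carries health context."""
    path, _, query = path_and_query.partition("?")
    if path.startswith(HEALTH_PREFIXES):
        return True
    return any(pair.split("=", 1)[0].lower() in HEALTH_QUERY_KEYS
               for pair in query.split("&") if pair)


def referer_has_health_context(referer: str) -> bool:
    """The previous page can carry health context too: an internal condition
    page, or a search referer whose query names a condition."""
    parts = urlsplit(referer)
    return has_health_context(parts.path + ("?" + parts.query if parts.query else ""))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_phi(entry: Dict[str, str]) -> bool:
    """An IP (identifier) in the same record as health context is PHI."""
    return entry["ip"] != "-" and (
        has_health_context(entry["path"]) or referer_has_health_context(entry["referer"]))


def find_phi_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Report (ip, path) for every line that forms PHI; unparsable lines are skipped."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_phi(entry):
            found.append((entry["ip"], entry["path"]))
    return found


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed hash so one day's log stays joinable for abuse analysis without the
    raw address. The key must stay inside the covered entity: a keyed token is
    still a re-identification code, so the result is pseudonymized, not de-identified."""
    return "h:" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_log(lines: List[str], key: bytes) -> List[str]:
    """Rewrite PHI-forming lines with a pseudonymous IP; leave other lines intact.
    Fails closed: a line the parser cannot read is withheld, not passed through."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            out.append("# unparsed line withheld")
        elif is_phi(entry):
            out.append(line.replace(entry["ip"], pseudonymize_ip(entry["ip"], key), 1))
        else:
            out.append(line)
    return out


# Constructed sample lines (documentation IP ranges, fictional hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:14:02:11 +0000] "GET /services/oncology HTTP/1.1" '
    '200 5123 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:14:02:40 +0000] "GET /providers/dr-smith-oncologist HTTP/1.1" '
    '200 4410 "https://example-hospital.test/services/oncology" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Jan/2024:14:03:02 +0000] "GET /about/careers HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Jan/2024:14:03:30 +0000] "GET /search?condition=knee+replacement HTTP/1.1" '
    '200 3311 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in find_phi_entries(SAMPLE_LOG):
        print(f"PHI: {ip} -> {path}")
    print("\n".join(scrub_log(SAMPLE_LOG, key=b"rotate-me-daily")))
```

Three of the four sample lines form PHI: two by path, one by a query parameter naming a condition. The careers page visit is left untouched because nothing on that line supplies health context. The keyed hash is deliberately not presented as de-identification; it keeps the scrubbed log usable for rate limiting and abuse investigation while ensuring the raw address never ships to a CDN or log-analytics vendor that has not signed a BAA.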

Chat widgets log conversations between visitors and support agents. When a visitor asks about insurance coverage for a specific procedure or inquires about wait times for a specialist, that chat transcript contains PHI. If the chat platform is a third party without a BAA, the transcript has been disclosed to an unauthorized party.

Third-party scripts loaded by other scripts (tag chaining) can introduce data collection that no one on the marketing team authorized. A social sharing widget might load a tracking pixel. An analytics plugin might include a data enrichment service. Each additional script is another potential PHI disclosure.

Building a PHI-Aware Marketing Operation

Understanding what PHI is changes how you operate, not just which tools you use.

Audit every data flow, not just every tool. The question is not "which tools do we use?" but "where does every piece of data go?" A scanner that loads your pages in a real browser, records every script, cookie, and outbound network request, and runs continuously shows you the actual exposure surface rather than the one in your tag inventory. That is the most reliable way to keep visibility, because the surface changes every time a marketer adds a tag, a plugin updates, or a third-party script loads another script.
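A static inventory of a page's HTML is the cheapest first pass at "where does the data go": it lists every host the page asks the browser to contact and which tag or inline snippet asks for it. The code below is an added example, not code from the article or from any scanning product. It assumes the page's own registrable domain is passed in as `first_party`; the sample page, its hostnames and the tag-manager container ID are constructed, with the tag-manager loader and pixel endpoints written the way they appear in a typical install.

```python
"""Inventory the third-party endpoints a page requests, from its HTML alone.

Added example, not code from the original article or any vendor's scanner.
Assumes the page's own domain is passed as `first_party`; the sample page and
its fictional hostnames are constructed for the example.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


class ThirdPartyInventory(HTMLParser):
    """Records (host, url, origin) for every absolute URL a tag loads or an
    inline script embeds, so the first hop of each data flow is visible."""

    SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party.lower()
        self.requests: List[Tuple[str, str, str]] = []
        self._in_inline = False      # inside a <script> with no src attribute
        self._buf: List[str] = []    # its text, scanned for URLs at the end tag

    def _record(self, url: str, origin: str) -> None:
        if url.startswith("//"):     # protocol-relative URLs still leave the site
            url = "https:" + url
        host = urlsplit(url).hostname
        if host:
            self.requests.append((host.lower(), url, origin))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # boolean attrs (async, defer) have value None
        attr = self.SRC_ATTR.get(tag)
        if attr and (a.get(attr) or "").startswith(("http://", "https://", "//")):
            self._record(a[attr], f"<{tag}>")
        if tag == "script" and not a.get("src"):
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            # Loader snippets (tag managers, pixels) build their <script> at
            # runtime; the URL they will fetch is only visible in the inline text.
            for url in URL_RE.findall("".join(self._buf)):
                self._record(url, "inline script")
            self._in_inline = False

    def is_first_party(self, host: str) -> bool:
        return host == self.first_party or host.endswith("." + self.first_party)

    def third_party_hosts(self) -> List[str]:
        return sorted({h for h, _, _ in self.requests if not self.is_first_party(h)})

    def third_party_requests(self) -> List[Tuple[str, str, str]]:
        return [r for r in self.requests if not self.is_first_party(r[0])]


def inventory(html: str, first_party: str) -> ThirdPartyInventory:
    parser = ThirdPartyInventory(first_party)
    parser.feed(html)
    parser.close()
    return parser


# Constructed sample page for a fictional hospital site.
SAMPLE_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXX');</script>
<script src="https://cdn.example-hospital.test/static/app.js"></script>
<script src="https://cdn.example-analytics.test/tracker.js" async></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<h1>Oncology Services</h1>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000&amp;ev=PageView"></noscript>
<iframe src="https://chat.example-widget.test/embed" title="chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML, "example-hospital.test")
    for host, url, origin in inv.third_party_requests():
        print(f"{host:32} {origin:14} {url}")
```

The inline-script scan matters because the tag-manager loader never appears as a `src` attribute; it builds one at runtime. What this pass cannot see is the second hop: everything the container itself loads once it runs, which is exactly the tag-chaining problem described earlier. Treat the static inventory as the baseline to diff against, and use a headless-browser run that captures live network requests for the full picture.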

Route data through server-side infrastructure. Server-side tracking means the browser sends events to a collector you control, and your collector decides what, if anything, each third party receives. That gives you a point in the pipeline where PHI can be identified and stripped, transformed, or blocked before it leaves your environment. Client-side pixels send data straight from the visitor's browser to the vendor, so there is no such point; the enforcement cases cited above all involved client-side pixels. Two caveats: your collector now receives the IP address and page URL itself, so it must run on infrastructure you control or under a BAA, and server-side delivery on its own changes nothing if the filtering rules are never written.

Require BAAs from every vendor that touches data. Any platform that receives, processes, stores, or transmits data from your healthcare site is potentially handling PHI. A BAA is what makes that vendor a HIPAA business associate with its own safeguard and breach-reporting obligations; disclosing PHI to a vendor that has not signed one is itself a violation by the covered entity. This applies to analytics platforms, ad tools, email providers, chat widgets, form builders, and any other marketing technology that collects visitor data. Many advertising and analytics vendors will not sign a BAA for their consumer products at all, which is the clearest signal that PHI must not reach them.

Implement consent-gated data flows. Consent management is evolving from a European regulatory requirement into a foundational element of healthcare compliance. State privacy laws are expanding consent requirements. Patient expectations around data control are increasing. Server-side consent gating ensures that data only flows to downstream systems after consent has been verified at the infrastructure level, not through client-side JavaScript that can be bypassed or delayed. A consent banner is not a HIPAA authorization, though: the OCR guidance is explicit that website banners and cookie consents do not permit a disclosure to a tracking vendor that HIPAA would otherwise prohibit, so consent gating complements a BAA rather than replacing one.
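The server-side routing and consent-gating recommendations above come together in one decision function: resolve consent against a server-side record, classify the event as PHI or not, and let the vendor's BAA status decide whether identifiers may leave. The code below is an added example, not code from the article or from any product. The consent store, vendor records, health-context prefixes, IP addresses and events are all constructed for the example; a real collector reads them from its own database and from the incoming request.

```python
"""Server-side event gate: consent check, PHI classification, vendor routing.

Added example, not code from the original article or from any product. The
consent store, vendors, URL prefixes and events are constructed for the example.
"""
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hypothetical health-context sections of an example hospital site.
HEALTH_PREFIXES = ("/services/", "/conditions/", "/providers/",
                   "/patient-resources/", "/schedule")

# Hypothetical server-side consent store: token -> purposes granted. The
# banner's backend writes this record; the browser only ever presents the token.
CONSENT_STORE: Dict[str, Set[str]] = {
    "c-1001": {"analytics", "advertising"},
    "c-1002": set(),                       # banner shown, nothing granted
}


@dataclass
class Vendor:
    name: str
    baa_signed: bool


@dataclass
class Event:
    client_ip: str
    path: str
    referrer: str
    cookie_id: Optional[str]
    consent_token: Optional[str]


def has_health_context(url: str) -> bool:
    return urlsplit(url).path.startswith(HEALTH_PREFIXES)


def is_phi(event: Event) -> bool:
    """PHI = an individual identifier joined to health context in one record."""
    identified = bool(event.client_ip or event.cookie_id)
    return identified and (has_health_context(event.path)
                           or has_health_context(event.referrer))


def consented(event: Event, purpose: str) -> bool:
    """Resolve consent against the server-side record, never a client-set flag,
    so a bypassed or late-loading banner script cannot grant it."""
    return purpose in CONSENT_STORE.get(event.consent_token or "", set())


def deidentify(event: Event) -> dict:
    """Strip every identifier so what remains is health context alone, not PHI.
    The path is collapsed to its top-level section so a rarely visited
    condition page cannot itself act as a quasi-identifier."""
    section = "/" + event.path.lstrip("/").split("/")[0]
    return {"section": section,
            "referrer_host": urlsplit(event.referrer).hostname or ""}


def route_event(event: Event, vendor: Vendor,
                purpose: str = "analytics") -> Tuple[str, Optional[dict]]:
    """Decide what, if anything, the downstream vendor receives."""
    if not consented(event, purpose):
        return "blocked_no_consent", None
    payload = asdict(event)
    payload.pop("consent_token")           # internal token, not the vendor's business
    if not is_phi(event) or vendor.baa_signed:
        return "forward", payload          # minimum-necessary review still applies
    # PHI and no BAA: consent does not make the disclosure lawful, so only the
    # identifier-free record leaves the environment.
    return "forward_deidentified", deidentify(event)


# Constructed vendors and events (documentation IP ranges, fictional names).
ANALYTICS_NO_BAA = Vendor("example-analytics", baa_signed=False)
ANALYTICS_WITH_BAA = Vendor("example-analytics-hipaa", baa_signed=True)
ONCOLOGY_VISIT = Event("203.0.113.7", "/services/oncology",
                       "https://www.google.com/", "cid-42", "c-1001")
CAREERS_VISIT = Event("198.51.100.22", "/about/careers", "", None, "c-1001")
NO_CONSENT_VISIT = Event("203.0.113.9", "/conditions/anxiety", "", "cid-77", "c-1002")

if __name__ == "__main__":
    for ev in (ONCOLOGY_VISIT, CAREERS_VISIT, NO_CONSENT_VISIT):
        for vendor in (ANALYTICS_NO_BAA, ANALYTICS_WITH_BAA):
            print(f"{vendor.name:26} {ev.path:22} {route_event(ev, vendor)}")
```

The ordering is the point: consent is checked first because without it nothing flows anywhere, and the BAA check comes last because consent on its own never licenses a PHI disclosure. The careers-page event forwards intact even to the vendor without a BAA, since without health context it is PII but not PHI; the oncology event reaches that same vendor only as a section name and a referrer host.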

FAQ

Is an IP address alone considered PHI?

An IP address by itself is one of HIPAA's listed identifiers but is not PHI without health context. The December 2022 OCR guidance took the position that an IP address captured on a condition-specific page of a healthcare website combines the identifier with health context and so becomes PHI. A federal court vacated that reading for unauthenticated pages in June 2024 (American Hospital Association v. Becerra), so it now rests on firmer ground for authenticated pages than for public ones. In practice, treat IP addresses collected by marketing tools on healthcare sites as PHI anyway: the site itself supplies the health context, and FTC and state-law enforcement does not depend on the HIPAA definition.

Does PHI only apply to current patients?

No. PHI applies to any individually identifiable health information, regardless of whether the person is a current, former, or prospective patient. A website visitor who has never been a patient but browses your services pages and submits a consultation request has generated PHI through that interaction. HIPAA does not limit protection to established patient relationships.

Are website page views PHI?

A page view becomes PHI when it combines an individual identifier (like an IP address) with health-related content (like a specific condition, service, or provider page). On a healthcare website, most page views beyond the homepage carry health context. When marketing tools capture these page views alongside visitor identifiers, the resulting data qualifies as PHI.

How is PHI different from PII?

PII (personally identifiable information) is any data that can identify a specific person. PHI is a subset of PII that also relates to health conditions, healthcare services, or healthcare payment. All PHI contains PII, but not all PII is PHI. The distinction matters because PHI triggers HIPAA requirements, including BAAs, breach notification, and specific security safeguards, that PII alone does not. See our detailed PHI vs. PII comparison for a deeper analysis.

Can marketing teams handle PHI if they have HIPAA training?

Training does not authorize PHI handling. HIPAA requires administrative, physical, and technical safeguards for any PHI processing. Marketing teams need compliant infrastructure (server-side tracking, BAA-covered tools, consent management), not just awareness. The BetterHelp case demonstrated what happens when governance relies on personnel rather than architecture: a recent college graduate with no marketing training was placed in charge of user data decisions, contributing to a $7.8 million FTC settlement (brought under the FTC Act rather than HIPAA).

PHI is not confined to clinical systems. It is generated every time a marketing tool connects an identifiable visitor to health-related content on your website. If your team is evaluating its marketing technology for PHI exposure, Ours Privacy provides the server-side infrastructure and continuous monitoring to ensure PHI never reaches unauthorized systems.

Related reading:

  • PHI vs. PII: What Healthcare Marketers Need to Know

  • What Is the HIPAA Minimum Necessary Standard? Marketing Implications

  • What Is a BAA and Why Does Your Analytics Vendor Need One?

  • Is Google Analytics HIPAA Compliant?