
The 18 PHI Identifiers: A Practical Guide for Healthcare Performance Marketers

“Data is the foundation, and personalization is the outcome.”

Only clean data can provide personalization through your ad campaigns. As a healthcare marketer, you need to be more conscious about your user data than ever before. 

Why? Since you deal with sensitive health information, such as PHI and PII, it is crucial that you protect your users’ privacy. 

Scrubbing PHI or hashing PII isn’t just a legal requirement; it’s how you stay compliant and competitive. It keeps patients’ information safe, but it also opens the door to responsible, privacy-first marketing.

This guide will walk you through the 18 PHI (Protected Health Information) identifiers, show you how they impact your campaigns, and give you practical steps to stay compliant with HIPAA.

The consequences can be serious, but the good news is, with the right knowledge, you can avoid them.

Before jumping to a conclusion, first know what makes it “protected information” under HIPAA.

What Is Protected Health Information (PHI)?

PHI is any data connected to an individual’s health that can identify them, more than just medical records. It includes anything linking a person to their care, diagnosis, or payment, such as dates, locations, or contact info.

If you are handling patient emails or phone numbers linked to health services, you’re working with PHI, whether you realize it or not. It’s crucial to distinguish PHI from PII, a difference that greatly impacts how you manage data and design campaigns.

PHI vs. PII: The Distinction that Matters

  • PII (Personally Identifiable Information) is the data that identifies a person, like an email or phone number.
    E.g.: Phone number, email for a newsletter.
  • PHI (Protected Health Information) is the data that relates a person’s identity (PII) to their health details.
    E.g., email or phone number associated with diagnosis for thyroid treatment or any health condition.

Note: Collecting PHI or PII is not itself a HIPAA violation. (You just shouldn’t send it to Meta without hashing or scrubbing it; that’s where you cross the line.)

Visual comparison of PII (Personally Identifiable Information) and PHI (Protected Health Information). PII includes email, phone, location, and biometric data. PHI is defined as PII combined with health data such as medical conditions, treatment details, or health-related URLs.

This distinction matters a lot in marketing. If you’re running ads and only using PII, you have more flexibility over ad campaigns.

To stay compliant (and avoid costly mistakes), you need to know exactly what the law considers PHI.

Let’s break down the full list of 18 PHI identifiers and, more importantly, how each one could quietly trip up your marketing campaigns.

Deep Dive: The Full List of 18 PHI Identifiers

Here’s the official list of 18 PHI identifiers under HIPAA. If any of these are present in your data, and they’re linked to health information, you’re handling PHI.

Graphic listing all 18 identifiers that qualify as Protected Health Information under HIPAA. These include names, dates, phone numbers, email addresses, Social Security numbers, biometric data, IP addresses, and other personal or health-related identifiers.

The image above lists all 18 PHI identifiers. The top 7 PHI identifiers that healthcare marketers encounter most often are names, geographic data, dates, phone numbers, email addresses, web URLs and IP addresses, and sometimes photos.

One PHI identifier is enough to get your ad account blocked for good.

Impact of PHI Identifiers on Ad campaigns

Let’s break down the identifiers you’re most likely to encounter and what you should do about them.

1. Names – Name of a person or patient

Why it matters: A lead form on a health-related page collects a person’s name (PII) together with their symptoms or conditions (PHI). When the pixel or server-side Conversions API (CAPI) forwards that submission to the ad platform, the combination is sensitive data and can result in Meta blocking your ad account.

What to do: You can still collect the data. However, don’t send form_submission event data to ad platforms, because it can reveal personal information. Instead, hide or remove names from forms before sharing data with ad platforms.

Pro tip: If you are a healthcare marketer, remove your pixel; it is the silent culprit.

2. Geographic Data – Smaller Than a State

Why it matters: Sending full ZIP codes or city-level locations alongside someone’s health information might seem harmless, but it can violate Meta’s advertising policies. When combined, these data points can start to identify individuals, which crosses a privacy line that Meta takes seriously.

What to do: Follow the Safe Harbor guidelines: share only the first 3 digits of a ZIP code, and only where the area covered by that 3-digit prefix has a population over 20,000. This helps protect user privacy and keeps your tracking compliant.

Pro Tip: If you think the Safe Harbor method is time-consuming, then here’s the shortcut.

3. All Elements of Dates (Except Year)

Why it matters: Sharing things like birth dates, admission dates, or appointment times might seem routine, but when paired with health-related data, they become sensitive identifiers. Meta sees this as a privacy risk, which can get your ad campaigns flagged or restricted.

What to do: To stay compliant, only collect the month and year; strip out specific dates like exact birth or appointment days from your tracking systems to avoid triggering privacy violations.

4. Phone Numbers 

Why it matters: When someone enters their phone number in a health form, it’s not just contact info anymore; it’s linked to their health condition. Sharing this prohibited data with Meta is a privacy risk, which can trigger ad restrictions or policy violations.

What to do: Always hash phone numbers (PII) before sharing them with ad platforms like Meta. And avoid auto-filling them into remarketing tools, where they can easily be linked back to health data.

Pro Tip: Don’t send Direct PII to Meta. Always hash them with SHA-256.

5. Email Addresses

Why it matters: An email alone is just PII. But when direct PII and PHI are shared with Meta together, via the pixel, the Conversions API, or even CRM integrations, it doesn’t just flag policy violations. It triggers Meta’s automated PHI detection systems, puts your account under scrutiny, and can lead to ad rejections, learning-phase disruptions, or full account disablement.

What to do: Always hash emails before adding them to custom audiences, and never send email addresses directly through pixels.

Pro tip: Use privacy-compliant event parameters like user_id or hashed emails for retargeting, not raw contact info. Meta doesn’t need to see who the person is to optimize.

6. Social Security Numbers (SSNs)

Why it matters: Even if you’re not directly collecting Social Security Numbers, sharing them alongside marketing data is a serious no-go. It’s a major privacy violation that can cause big trouble for your campaigns and your brand’s trust.

What to do: Never keep or track Social Security Numbers in your analytics, CRM, or ad tools. Remove them to protect your users’ privacy.

7. Medical Record Numbers

Why it matters: Sharing patient IDs in URLs, CRM links, or API data might expose someone’s medical history. These IDs directly connect to personal health information, so it’s essential to keep them secure and out of public or marketing channels.

What to do: Before sending data to analytics or ads, remove medical record numbers and use neutral or coded IDs instead to keep things private and secure.

8. Health Plan Beneficiary Numbers

Why it matters: Even without direct details, this info can hint at someone’s health conditions or treatments just by the type of plan they have.

What to do: Make sure to remove it right when you capture leads to keep things safe.

9. Account Numbers

Why it matters: Patient portal accounts or health app IDs might seem like just usernames, but when tied to health info, they can reveal someone’s identity. That’s why it’s important to keep these IDs secure and avoid sharing them with marketing platforms.

What to do: Avoid putting account numbers in URLs, cookies, or UTM tags. Use anonymous session tracking to protect user privacy.

10. Certificate/License Numbers

Why it matters: Licenses like medical professional IDs or patient cards, such as cannabis cards, might seem like simple credentials, but they can reveal a lot about someone’s health. It’s important to handle them with care and keep them out of marketing data.

What to do: Try not to collect license or certificate IDs in your campaigns, especially when they’re linked to things like prescriptions. Keeping this info out helps protect people’s privacy and keeps your ads compliant.

11. Vehicle Identifiers and Serial Numbers

Why it matters: Sometimes license plate numbers from healthcare transport vehicles get captured by accident in photos or forms. Even though it might seem harmless, this info can be sensitive, so it’s best to avoid collecting or sharing it in any marketing materials.

What to do: Avoid tracking or saving this kind of info altogether. If it appears in images or forms, make sure to blur or hide it to keep people’s privacy safe.

12. Device Identifiers or Serial Numbers

Why it matters: Device IDs from things like wearables or health apps might seem harmless on their own, but when combined, they can reveal personal health information. That’s why this kind of data needs to be handled carefully to protect privacy and stay compliant.

What to do: Use anonymized device IDs to keep things private, and avoid mixing device data with health details in your tracking. This helps protect people’s information and keeps your marketing compliant.

13. Web URLs

Why it matters: URLs that include details like /conditions/hypertension/thank-you?name=John can accidentally reveal personal health info through the web address. It’s important to avoid putting sensitive info in URLs to keep data private and secure.

What to do: Always keep URLs free of personal info; never include health conditions or names in the parts sent to analytics or pixels. This helps protect privacy and keeps your data safe.

Pro Tip: Scrub the sensitive data, such as the condition name, from the URLs before sending them to Meta. 

14. IP Addresses

Why it matters: If someone’s IP address is recorded when they visit a health-related page, it can be considered personal health information. So, it’s important to handle IP data carefully to protect privacy.

What to do: Use IP anonymization options in tools like GA4 to keep visitor data private. Avoid storing or sharing full IP addresses in your marketing systems to protect people’s privacy.

15. Biometric Identifiers (Fingerprints, Voiceprints, etc.)

Why it matters: Some health apps let users log in using their voice or fingerprint, which feels convenient but also means very sensitive data is involved. If that biometric info gets leaked, it’s a major HIPAA violation and a huge privacy risk. So it’s crucial to keep this data locked down tight.

What to do: Steer clear of marketing that mentions biometric data, and never use this info to personalize ads. Keeping biometric details out of your campaigns helps protect privacy and stay compliant.

16. Full-Face Photos and Similar Images

Why it matters: If a photo clearly shows someone’s identity in a health-related context, it counts as personal health information. That means you need to handle it carefully to respect their privacy and stay compliant.

What to do: Always get clear permission before using testimonials with photos, and blur or hide patient images to protect their privacy.

17. Any Other Unique Identifying Number, Characteristic, or Code

Why it matters: Internal patient IDs, cookie IDs, or CRM tags might just seem like codes, but when they can be linked back to someone’s health information, they become protected health info (PHI). It’s important to treat these identifiers carefully to keep personal data secure and compliant.

What to do: Always hash internal IDs and never connect them to health data across different platforms to keep info safe and private.

18. Device or Media Serial Numbers

Why it matters: Even something like a diagnostic machine’s serial number can point back to a patient if it’s linked to their records. While it might seem harmless, this kind of info can indirectly reveal who they are, so it needs to be protected.

What to do: Make sure device or media serial numbers never show up in analytics, ad platforms, or any public reports. Keeping these details private helps protect people’s information.

Once you’ve flagged and stripped risky data, the next step is making sure what does get sent is HIPAA-safe. 

Steps to Build Campaigns to Be HIPAA Compliant

Infographic explaining how health brands can run PHI-compliant ads. It recommends shifting from behavioral targeting to consent-driven targeting, using Meta’s Conversions API for server-side tracking, and building audience segments based on non-sensitive engagement patterns like wellness quiz completions and guide downloads.

1. Run a PHI Identifier Checklist on Your Campaign Data

Before you send any data to Meta (via pixel or Conversions API), audit it against the 18 HIPAA identifiers. This means checking:

  • Event names (e.g., Book Appointment)
  • URL parameters (e.g., /treatment/diabetes)
  • Form fields (especially location, full name, dates)

Personal tip: I’ve found that a simple spreadsheet checklist can catch most issues before they become problems.

2. Build a Workflow to Flag & Strip PHI

Set up a system that:

  • Identifies risky event parameters (like ZIP + condition + visit date)
  • Strips out sensitive data before sending to Meta or CRMs
  • Ensures your marketing team, tech team, and agency are all on the same page

First-party data tools can help automate this workflow, which saves time.

3. Pseudonymize, Don’t Personalize

Instead of directly sending emails, names, or device IDs, use:

  • Hashed identifiers (SHA-256) for emails/phones
  • Anonymous cohorts for retargeting (e.g., “visited wellness page”)
  • Custom user IDs that are pseudonymized, not tied to actual PHI

This way, you can still:

These are the steps that are going to save you a lifetime in healthcare marketing. 
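As an added example (not code from this page or from CustomerLabs) that ties together the hashing advice in sections 4 and 5, the URL scrubbing in section 13, the Safe Harbor ZIP rule in section 2 and the three steps above, the Python routine below audits one form-submission event: it drops PHI identifier fields, scrubs the URL, truncates the ZIP and SHA-256-hashes the email and phone. The 3-digit ZIP list, the condition terms and the sample submission are constructed for illustration; the user_data key names follow Meta’s Conversions API naming.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the Safe Harbor population rule: 3-digit ZIP
# prefixes whose combined area has 20,000 people or fewer become "000".
# These values are illustrative, not the official HIPAA list.
SMALL_ZIP3 = {"036", "059", "102"}
# Constructed list of condition names to strip from URL paths (assumption).
CONDITION_TERMS = {"hypertension", "diabetes", "thyroid"}
# Form fields that are PHI identifiers on their own and never leave the site.
DROP_FIELDS = {"name", "dob", "ssn", "mrn", "account_number", "condition"}

def normalize_email(email: str) -> str:
    return email.strip().lower()

def normalize_phone(phone: str) -> str:
    # Digits only with country code; assumes a US number when none is given.
    digits = re.sub(r"\D", "", phone)
    return digits if len(digits) > 10 else "1" + digits

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def safe_harbor_zip(zip_code: str) -> str:
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3

def scrub_url(url: str) -> str:
    # Drop the whole query string (name=John etc.) and any condition segment.
    parts = urlsplit(url)
    keep = [s for s in parts.path.split("/") if s.lower() not in CONDITION_TERMS]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(keep), "", ""))

def prepare_event(event: dict) -> tuple:
    """Flag, strip and pseudonymize one form-submission event. Returns
    (payload safe to forward, sorted names of the PHI fields dropped)."""
    form = event.get("form", {})
    user_data = {}
    if form.get("email"):
        user_data["em"] = sha256_hex(normalize_email(form["email"]))
    if form.get("phone"):
        user_data["ph"] = sha256_hex(normalize_phone(form["phone"]))
    if form.get("zip"):
        user_data["zp"] = sha256_hex(safe_harbor_zip(form["zip"]))
    payload = {"event_name": event["event_name"],
               "event_source_url": scrub_url(event["url"]),
               "user_data": user_data}
    return payload, sorted(k for k in form if k in DROP_FIELDS)

# Constructed sample submission from a condition landing page.
SAMPLE = {"event_name": "Lead",
          "url": "https://clinic.example/conditions/hypertension/thank-you?name=John",
          "form": {"name": "John Doe", "email": " John@Example.com ",
                   "phone": "(415) 555-0100", "zip": "03601",
                   "dob": "1980-05-14", "condition": "hypertension"}}
```

The dropped-field list is the audit trail for step 1; anything in it should never reach the pixel or CAPI call.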

But the truth is, you can fast-forward the whole process with just a toggle-on.

Conclusion

Mastering the 18 PHI identifiers isn’t just about avoiding fines; it’s about building trust and running smarter, safer campaigns. 

From our experience working with many clients, the marketers who treat compliance as a competitive advantage are the ones who win in the long run.

Privacy-first strategies aren’t just the future; they’re the present. Start now, and you’ll be ready for whatever comes next.

Frequently Asked Questions (FAQs)

PHI identifiers are 18 types of information defined by HIPAA that, when linked to health data, make the data protected. They include things like names, addresses, dates, phone numbers, and more.

Yes, but only if you follow HIPAA’s rules. That means either de-identifying the data (removing all 18 identifiers) or getting explicit patient consent.

Data is de-identified if none of the 18 PHI identifiers are present, and there’s no reasonable way to re-identify the person. When in doubt, consult with a privacy expert.

Common mistakes:

  • Accidentally passing names or emails through tracking pixels
  • Including health conditions in URLs or form fields
  • Forgetting to hash or anonymize data before uploading to ad platforms

At least quarterly, or whenever you launch a new campaign or update your data collection methods. Regular audits help catch issues before they become problems. Staying compliant isn’t just about following rules; it’s about respecting your audience and building a brand that lasts.
