What Is Considered PHI Under HIPAA? A Guide to Staying HIPAA-Compliant

Today’s marketing funnels collect more user data than ever: forms, tracking pixels, CRMs, and retargeting tools. But here’s the catch: if you send this data to platforms like Meta (Facebook) without filtering out sensitive data, you could be violating privacy laws like HIPAA, and your users’ privacy along with them.

That’s where things get tricky for marketers.

Most marketers forget to close the loop, because they are not clear about where and how things are falling apart. They don’t know how to make the marketing funnel HIPAA-compliant.

Let’s start with a basic understanding of HIPAA, then look at the sensitive data (PHI and PII), the 18 PHI identifiers, and finally how to create HIPAA-friendly campaigns.

What Is HIPAA, and Why Does It Matter for Marketers?

Figure: healthcare data breach records exposed, 2009-2024.

Source: The HIPAA Journal; healthcare data breaches as of October 24, 2024

“In 2024, an average of 758,000 protected health records were exposed to HIPAA violations every single day at a cost exceeding $9.8 million per breach.”

HIPAA stands for the Health Insurance Portability and Accountability Act, passed back in 1996, mainly to protect people’s health information and make sure it stays private. Originally, HIPAA was about hospitals, clinics, and insurance companies.

But as digital marketing grew, the law’s reach started to include anyone handling health-related data, including marketers.

Why is HIPAA suddenly a marketer’s problem?

For years, marketers could run campaigns for health brands without worrying much about HIPAA. But now, with platforms like Meta under pressure (after facing hundreds of lawsuits) to protect user privacy, the rules have changed.

Meta’s new rules mean marketers must avoid sharing Protected Health Information (PHI) and direct Personally Identifiable Information (PII) (without hashing) for ad optimization.

This means no sharing or leveraging any individually identifiable health data within campaigns, to stay compliant and to avoid account bans or ad disapprovals.

It’s not just about compliance anymore; it’s about keeping your campaigns live.

The shift: HIPAA is not a barrier for performance marketers

HIPAA was not created to block you from running high-performing campaigns. Instead, the law was brought in to protect people’s privacy and keep their health information discreet.

The typical mindset of marketers in healthcare is that it is difficult or nearly impossible to track valuable user behavior and send these signals to Meta for optimization and better conversion.

In reality, that is not true. You can still track and send high-quality signals to Meta. But remember not to cross the HIPAA/Meta guidelines, which come down to not sharing PHI or direct PII. (So let’s put the microscopic lens on.)

What is considered PHI under HIPAA?

Let’s look into what is happening.

PHI is not just the medical records

To be honest, you don’t need to be collecting medical records to be handling PHI.

If your Meta pixel is firing on a landing page about GLP-1s, TRT, lab testing, or even mental health coaching, and it includes something like an email or phone number, Meta sees that as a problem.

So… What is PHI for HIPAA?

PHI (Protected Health Information) = any health-related info + something that identifies the person.

If you are handling patient emails or phone numbers linked to health services, you’re working with PHI, whether you realize it or not. It’s crucial to distinguish PHI from PII, a difference that greatly impacts how you manage data and design campaigns.

PHI vs. PII: The Distinction that Matters

PII (Personally Identifiable Information) is data that identifies a person, like an email or phone number.
E.g., a phone number or email collected for a newsletter.

PHI (Protected Health Information) is data that relates a person’s identity (PII) to their health details.
E.g., an email or phone number associated with a diagnosis for thyroid treatment or any other health condition.

Note: Collecting PHI or PII is no offense against HIPAA. (You just shouldn’t send it to Meta without hashing or scrubbing it; that’s where you’ll cross the line.)

This distinction matters a lot in marketing. If you’re running ads and only using PII, you have more flexibility over ad campaigns.

To stay compliant (and avoid costly mistakes), you need to know exactly what the law considers PHI.

Let’s break down the full list of 18 PHI identifiers and, more importantly, how each one could quietly trip up your marketing campaigns.

Deep Dive: The Full List of 18 PHI Identifiers

Here’s the official list of 18 PHI identifiers under HIPAA. If any of these are present in your data, and they’re linked to health information, you’re handling PHI.

The identifiers healthcare marketers encounter most often are: names, geographic data, dates, phone numbers, email addresses, web URLs, IP addresses, and sometimes photos.
“One PHI identifier” is enough to get your ad accounts blocked forever.

Impact of PHI Identifiers on Ad Campaigns

Let’s break down the identifiers you’re most likely to encounter and what you should do about them.

1. Names – Name of a person or patient

Why it matters: A person’s name (PII) can be collected through a health-related form or any lead form. That same form is often also collecting information about health-related symptoms or conditions (PHI). This gets tracked by the pixel or sent via server-side CAPI to ad platforms. The combination becomes sensitive data and results in Meta blocking your ad account.

What to do: You can collect the data. However, don’t send the form_submission event data to ad platforms, because it can reveal personal info. Instead, hide or remove names from forms before sharing data with ad platforms.

Pro tip: If you are a healthcare marketer, remove your pixel; it is the silent culprit.

2. Geographic Data – Smaller Than a State

Why it matters: Sending full ZIP codes or city-level locations alongside someone’s health information might seem harmless, but it can violate Meta’s advertising policies. When combined, these data points can start to identify individuals, which crosses a privacy line that Meta takes seriously.

What to do: Follow Safe Harbor guidelines by only sharing 3-digit ZIP codes; geographic data for areas with populations over 20,000 is safer to use. This helps protect user privacy and keeps your tracking compliant.

Pro Tip: If you think the Safe Harbor method is time-consuming, then here’s the shortcut.

3. All Elements of Dates (Except Year)

Why it matters: Sharing things like birth dates, admission dates, or appointment times might seem routine, but when paired with health-related data, they become sensitive identifiers. Meta sees this as a privacy risk, which can get your ad campaigns flagged or restricted.

What to do: To stay compliant, only collect the month and year; strip out specific dates like exact birth or appointment days from your tracking systems to avoid triggering privacy violations.

4. Phone Numbers

Why it matters: When someone enters their phone number in a health form, it’s not just contact info anymore; it’s linked to their health condition. Sharing this prohibited data with Meta is a privacy risk, which can trigger ad restrictions or policy violations.

What to do: Always hash phone numbers (PII) before sharing them with ad platforms like Meta. And avoid auto-filling them into remarketing tools, where they can easily be linked back to health data.

Pro Tip: Don’t send direct PII to Meta. Always hash it with SHA-256.

5. Email Addresses

Why it matters: An email alone is just PII. When direct PII and PHI data are shared with Meta via pixel, Conversions API, or even CRM integrations, it doesn’t just flag policy violations. It triggers Meta’s automated PHI detection systems, puts your account under scrutiny, and can lead to ad rejections, learning phase disruptions, or full account disablement.

What to do: Always hash emails before adding them to custom audiences, and never send email addresses directly through pixels, to keep people’s info safe.

Pro tip: Use privacy-compliant event parameters like user_id or hashed emails for retargeting, not raw contact info. Meta doesn’t need to see who the person is to optimize.
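
The hashing step from the phone and email sections above, as an added example (not code from the original post or from 1PD Ops): it applies Meta's documented normalization for its em and ph customer-information parameters before SHA-256, and guards that nothing unhashed is about to be sent. The default country code and the sample lead are assumptions.

```python
"""Hash direct PII before it reaches an ad platform (added example).

Follows Meta's documented customer-information normalization for the
Conversions API: email trimmed and lowercased; phone reduced to digits with
country code, no '+' and no leading zeros; then SHA-256 hex. 'em'/'ph' are
Meta's parameter keys. Default country code and sample values are assumptions.
"""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str, default_country_code: str = "1") -> str:
    """Digits only, leading zeros dropped, country code prepended if missing."""
    digits = re.sub(r"\D", "", phone).lstrip("0")
    # Assumption: a 10-digit number is a national (US-style) number lacking its
    # country code; adjust this rule for other markets.
    if len(digits) == 10:
        digits = default_country_code + digits
    return digits


def hash_email(email: str) -> str:
    return sha256_hex(normalize_email(email))


def hash_phone(phone: str, default_country_code: str = "1") -> str:
    return sha256_hex(normalize_phone(phone, default_country_code))


def build_user_data(lead: dict) -> dict:
    """Return only hashed identifiers; name, raw email and raw phone never leave."""
    user_data = {}
    if lead.get("email"):
        user_data["em"] = hash_email(lead["email"])
    if lead.get("phone"):
        user_data["ph"] = hash_phone(lead["phone"])
    return user_data


def is_fully_hashed(user_data: dict) -> bool:
    """Guard to run right before sending: every value must be a SHA-256 digest."""
    return all(SHA256_HEX.match(str(v)) for v in user_data.values())


SAMPLE_LEAD = {  # constructed sample, not real data
    "name": "Jane Doe",
    "email": "  Jane.Doe@Example.com ",
    "phone": "(415) 555-0123",
    "condition": "thyroid",
}

if __name__ == "__main__":
    payload = build_user_data(SAMPLE_LEAD)
    print(payload, "fully hashed:", is_fully_hashed(payload))
```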

6. Social Security Numbers (SSNs)

Why it matters: Even if you’re not directly collecting Social Security Numbers, sharing them alongside marketing data is a serious no-go. It’s a major privacy violation that can cause big trouble for your campaigns and your brand’s trust.

What to do: Never keep or track Social Security Numbers in your analytics, CRM, or ad tools. Make sure you remove them to protect your users’ privacy.

7. Medical Record Numbers

Why it matters: Sharing patient IDs in URLs, CRM links, or API data might expose someone’s medical history. These IDs directly connect to personal health information, so it’s essential to keep them secure and out of public or marketing channels.

What to do: Before sending data to analytics or ads, remove medical record numbers and use neutral or coded IDs instead to keep things private and secure.

8. Health Plan Beneficiary Numbers

Why it matters: Even without direct details, this info can hint at someone’s health conditions or treatments just by the type of plan they have.

What to do: Make sure to remove it right when you capture leads to keep things safe.

9. Account Numbers

Why it matters: Patient portal accounts or health app IDs might seem like just usernames, but when tied to health info, they can reveal someone’s identity. That’s why it’s important to keep these IDs secure and avoid sharing them with marketing platforms.

What to do: Avoid putting account numbers in URLs, cookies, or UTM tags. Use anonymous session tracking to protect user privacy.

10. Certificate/License Numbers

Why it matters: Licenses like medical professional IDs or patient cards, such as cannabis cards, might seem like simple credentials, but they can reveal a lot about someone’s health. It’s important to handle them with care and keep them out of marketing data.

What to do: Try not to collect license or certificate IDs in your campaigns, especially when they’re linked to things like prescriptions. Keeping this info out helps protect people’s privacy and keeps your ads compliant.

11. Vehicle Identifiers and Serial Numbers

Why it matters: Sometimes license plate numbers from healthcare transport vehicles get captured by accident in photos or forms. Even though it might seem harmless, this info can be sensitive, so it’s best to avoid collecting or sharing it in any marketing materials.

What to do: Avoid tracking or saving this kind of info altogether. If it appears in images or forms, make sure to blur or hide it to keep people’s privacy safe.

12. Device Identifiers or Serial Numbers

Why it matters: Device IDs from things like wearables or health apps might seem harmless on their own, but when combined, they can reveal personal health information. That’s why this kind of data needs to be handled carefully to protect privacy and stay compliant.

What to do: Use anonymized device IDs to keep things private, and avoid mixing device data with health details in your tracking. This helps protect people’s information and keeps your marketing compliant.

13. Web URLs

Why it matters: URLs that include details like /conditions/hypertension/thank-you?name=John can accidentally reveal personal health info through the web address. It’s important to avoid putting sensitive info in URLs to keep data private and secure.

What to do: Always keep URLs free of personal info; never include health conditions or names in the parts sent to analytics or pixels. This helps protect privacy and keeps your data safe.

Pro Tip: Scrub the sensitive data, such as the condition name, from the URLs before sending them to Meta.

14. IP Addresses

Why it matters: If someone’s IP address is recorded when they visit a health-related page, it can be considered personal health information. So it’s important to handle IP data carefully to protect privacy.

What to do: Use IP anonymization options in tools like GA4 to keep visitor data private. Avoid storing or sharing full IP addresses in your marketing systems to protect people’s privacy.

15. Biometric Identifiers (Fingerprints, Voiceprints, etc.)

Why it matters: Some health apps let users log in using their voice or fingerprint, which feels convenient but also means very sensitive data is involved. If that biometric info gets leaked, it’s a major HIPAA violation and a huge privacy risk. So it’s crucial to keep this data locked down tight.

What to do: Steer clear of marketing that mentions biometric data, and never use this info to personalize ads. Keeping biometric details out of your campaigns helps protect privacy and stay compliant.

16. Full-Face Photos and Similar Images

Why it matters: If a photo clearly shows someone’s identity in a health-related context, it counts as personal health information. That means you need to handle it carefully to respect their privacy and stay compliant.

What to do: Always get clear permission before using testimonials with photos, and blur or hide patient images to protect their privacy.

17. Any Other Unique Identifying Number, Characteristic, or Code

Why it matters: Internal patient IDs, cookie IDs, or CRM tags might just seem like codes, but when they can be linked back to someone’s health information, they become protected health info (PHI). It’s important to treat these identifiers carefully to keep personal data secure and compliant.

What to do: Always hash internal IDs and never connect them to health data across different platforms to keep info safe and private.

18. Device or Media Serial Numbers

Why it matters: Even something like a diagnostic machine’s serial number can point back to a patient if it’s linked to their records. While it might seem harmless, this kind of info can indirectly reveal who they are, so it needs to be protected.

What to do: Make sure device or media serial numbers never show up in analytics, ad platforms, or any public reports. Keeping these details private helps protect people’s information.

Once you’ve flagged and stripped risky data, the next step is making sure what does get sent is HIPAA-safe.

Did you know about ePHI?

PHI vs. ePHI

PHI (Protected Health Information) | ePHI (Electronic Protected Health Information)
--- | ---
Any health-related data that can identify an individual | PHI that is created, stored, transmitted, or received in electronic form
Often handled by providers, call centers, or intake teams | Often handled by marketers, devs, and operations teams through lead forms, email flows, and backend integrations
Can exist on paper, spoken, or as physical records | Exists in digital tools like web forms, cloud storage, email software, and data sync platforms
Examples: name + medical condition, appointment info, prescriptions | Examples: form submissions, CRM entries, email campaigns, Google Sheets with user health info

As a marketer, if you’re building forms, running email campaigns, or syncing data, you’re handling ePHI. It’s not just a tech team issue.

What Data Isn’t PHI?

Not all data in a healthcare or wellness context is considered PHI, and that matters for marketers.

To qualify as PHI under HIPAA, data must be both:

  1. Individually identifiable, and
  2. Linked to a person’s health condition, care, or payment for care

If it doesn’t meet both criteria, it’s not PHI, meaning HIPAA restrictions don’t apply.

Here are common examples of data that aren’t considered PHI:

Data Type | Why It’s Not PHI
--- | ---
Anonymous website traffic data | No identifiers or health info = not tied to an individual
Ad click or page view activity | As long as it’s not linked to health conditions or identifiers
Aggregated campaign performance | Group-level metrics without personal health info don’t qualify
Non-health-related lead data | Example: someone downloads a general wellness eBook without entering PHI
Year-only timestamps | “2025” by itself isn’t identifiable under HIPAA, but “July 28, 2025” would be
ZIP codes from large regions | ZIP codes covering more than 20,000 people can be used safely in de-identified data

In short: context matters. Data becomes PHI only when it connects a person to their health. Strip the identifiers and remove the health context? You’re outside HIPAA’s scope.

On the other hand, even one of the 18 identifiers, when tied to a health intent, is considered PHI under HIPAA. That is why Meta is concerned about this data and restricts or bans ad accounts. Many marketers are unaware of the 18 PHI identifiers defined by HIPAA, which is what leads to this restriction or ban.

You might think you’re playing it safe, but Meta doesn’t need words to understand intent. It watches behavior.

Meta can detect PHI – even if you donโ€™t say it out loud

Meta isn’t just looking for keywords like “cancer” or “diabetes.”
It’s watching how people move through your funnel and what behavioral signals are sent.

If someone:

  • Lands on a page about hormone therapy
  • Fills out a form with their name and phone number
  • Triggers a Lead or CompleteRegistration event

Meta reads that as, “Here’s a person who’s actively seeking medical treatment, and we just got their PII.”

That’s where the compliance risk kicks in. Not because you meant to break a rule, but because the data flow looks like PHI.

If youโ€™re collecting identifiers on health-related pages and sending them to Meta, you’re almost definitely transmitting PHI even if you’re not labeling it that way.

And Meta’s systems?

They’re built to detect that in milliseconds.

Consider this: if someone visits /pcos-diet and then submits a form with their email, Meta doesn’t need to see the word “PCOS” in the data. The context alone is enough for their systems to flag it as PHI.

But here’s the tricky part:

Even if the data looks anonymous, Meta can still figure out it’s health-related.

You should be worried if you are still giving them that context (inferred data).

Is “Inferred Data” Considered PHI Under HIPAA (Even When Anonymized)?

Yes, it is. Let’s look at what inferred data is.

Inferred data is information guessed from what someone does, even if they never stated it. It can still be sensitive, because it shows what a person might be thinking or looking for.

If a user visits a page like /diabetes-checklist, that action alone signals a potential health interest even without collecting any direct identifiers.

Meta looks for these kinds of patterns. It scans page URLs, events, UTM tags, and even button clicks to detect activity that suggests someone might be on a health journey. And under its Restricted Data Use policy, those signals can be treated just like PHI.

Here’s what that can look like in real life:

Examples:

  • Event name: submitted_thyroid_quiz
  • UTM tag: utm_source=mental_health
  • Button: “Book a PCOS consult”

Even without explicit identifiers, these inferred signals carry sensitive health information. That’s why marketers need to be extremely cautious about what data they share with Meta, to avoid accidentally transmitting PHI.

Because inferred data can reveal sensitive health information, Meta expects marketers to stick to HIPAA-aligned marketing practices and follow strict measures to handle it carefully.

How Meta Treats Inferred Data Under Its Policy 

Meta’s Restricted Data Use (RDU) policy goes beyond protecting obvious personal information like names, emails, or phone numbers. It also covers inferred data, meaning any user action that could suggest or hint at a health condition.

Quick Real-World Scenario: How Meta Flags Inferred Health Data

A visitor lands on your site and scrolls through the /mental-health-guide page.

They originally came from a link tagged with utm_source=thyroid_quiz. After browsing, they click the CTA: “Book a diabetes plan.”

To you, it’s just standard engagement. To Meta, it’s a pattern of behavior that suggests a health condition.

Even without a name or email, these actions, page paths, UTM tags, and button clicks can be enough for Meta to classify the session as sensitive under its Restricted Data Use (RDU) policy.

Why? These actions can allow Meta’s systems to infer something about the user’s health status. And under its policy, inferred health data is still restricted.

So even if you think you’re in the clear because you didn’t send any direct identifiers, you could still be in violation if the event reveals too much about someone’s health journey. Meta treats this kind of data seriously, and so should your tracking setup if you want to keep your marketing HIPAA-compliant.

Common Mistakes to Avoid (From Data Collection to Activation)

Even the best campaigns can get flagged or penalized if your data setup leaks PHI, and you may not even be aware of it. Here are the four most common (and costly) mistakes health marketers make:

Mistake 1: Incomplete or Generic Consent
Using a single vague checkbox for consent.

Why it’s a mistake:
Generic consent no longer meets privacy standards. Meta and regulators expect specific, transparent consent, including what data is collected, how it’s stored, and how it will be used. Without that, you risk non-compliance, ad rejection, and broken user trust.

Mistake 2: Using PHI in UTM Parameters

Why This Is a Mistake

UTM parameters are included in URLs and are publicly accessible. Embedding protected health information (PHI) like health conditions or personal identifiers in UTMs exposes sensitive data to anyone who can see the URL, including platforms like Meta. This can trigger automated data filters and violate privacy regulations such as HIPAA, putting your marketing campaigns at risk of non-compliance and possible penalties.

Example: utm_campaign=asthma_leads or utm_content=pcos_quiz_submit may trigger Meta’s data filters.

Mistake 3: Retargeting Without Privacy-Safe Segmentation

Why This Is a Mistake

Retargeting users based on condition-specific interactions without proper consent risks exposing sensitive health data and violating both HIPAA and platform rules. Keeping clear, privacy-safe audience segments protects compliance and user privacy.

Mistake 4: Sending Identifiers via CAPI or Pixel

Why This Is a Mistake

Passing names, emails, phone numbers, or health-related data through Meta’s CAPI or Pixel can violate Restricted Data Use (RDU) policies and HIPAA regulations. These backend events often go unnoticed but still transmit sensitive information. Always audit your custom events to ensure PHI isn’t being sent unintentionally and to stay HIPAA compliant.
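
The audit Mistake 4 calls for, as an added example (not code from the original post or from 1PD Ops): it checks a Meta-style event payload for the leaks described in Mistake 2, in the inferred-data section and in identifier 13 (health terms in event names, URL paths, UTM tags and button text; PII in query strings; unhashed user_data; raw contact info in custom_data) and scrubs the URL. The term watch list, field names and sample payload are constructed.

```python
"""Audit a pixel / Conversions API event payload for PHI leakage (added example).

Flags what the article warns about: health terms in event names, URL paths, UTM
tags and button text (inferred signals), PII in query strings, unhashed
user_data values, and raw contact info in custom_data. scrub_url() shows the
corresponding clean-up. Term list, field names and sample event are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed watch list; a real deployment would maintain its own.
HEALTH_TERMS = {"pcos", "pcod", "thyroid", "diabetes", "asthma", "hypertension",
                "mental-health", "glp-1", "trt", "hormone"}
PII_PARAMS = {"name", "first_name", "last_name", "email", "phone", "em", "ph"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def health_terms_in(text: str) -> set:
    """Health terms appearing as whole tokens in text (case/separator-insensitive)."""
    norm = re.sub(r"[_\s]+", "-", text.lower())
    return {t for t in HEALTH_TERMS
            if re.search(rf"(?<![a-z0-9]){re.escape(t)}(?![a-z0-9])", norm)}


def audit_event(event: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for t in sorted(health_terms_in(event.get("event_name", ""))):
        findings.append(f"event_name contains health term '{t}'")
    parts = urlsplit(event.get("url", ""))
    for t in sorted(health_terms_in(parts.path)):
        findings.append(f"url path contains health term '{t}'")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PII_PARAMS or EMAIL_RE.search(value):
            findings.append(f"url query param '{key}' carries PII")
        for t in sorted(health_terms_in(f"{key}={value}")):
            findings.append(f"url query param '{key}' contains health term '{t}'")
    for key, value in event.get("user_data", {}).items():
        if not SHA256_RE.match(str(value)):
            findings.append(f"user_data['{key}'] is not SHA-256 hashed")
    for key, value in event.get("custom_data", {}).items():
        text = f"{key}={value}"
        if EMAIL_RE.search(text) or PHONE_RE.search(text):
            findings.append(f"custom_data['{key}'] contains raw contact info")
        for t in sorted(health_terms_in(text)):
            findings.append(f"custom_data['{key}'] contains health term '{t}'")
    for t in sorted(health_terms_in(event.get("button_text", ""))):
        findings.append(f"button_text contains health term '{t}'")
    return findings


def scrub_url(url: str) -> str:
    """Redact health-term path segments and drop PII or health-term query params."""
    parts = urlsplit(url)
    path = "/".join("redacted" if health_terms_in(seg) else seg
                    for seg in parts.path.split("/"))
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in PII_PARAMS
             and not EMAIL_RE.search(v)
             and not health_terms_in(f"{k}={v}")]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


SAMPLE_EVENT = {  # constructed payload mirroring the article's examples
    "event_name": "submitted_thyroid_quiz",
    "url": "https://example.com/conditions/hypertension/thank-you"
           "?name=John&utm_source=mental_health&utm_medium=cpc",
    "user_data": {"em": "john@example.com"},
    "custom_data": {"plan": "stage3"},
    "button_text": "Book a PCOS consult",
}

if __name__ == "__main__":
    for finding in audit_event(SAMPLE_EVENT):
        print("FLAG:", finding)
    print("scrubbed url:", scrub_url(SAMPLE_EVENT["url"]))
```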

How to De-Identify Data & Stay HIPAA-Compliant

There are two HIPAA-approved ways to de-identify data: the Safe Harbor Method and Expert Determination.

  1. Safe Harbor Method
    Remove or generalize all 18 HIPAA identifiers: no names, emails, IPs, ZIP codes, or condition references. Once stripped, the data isn’t PHI.
    E.g.:
    • Remove emails or phone numbers before syncing leads to ad platforms.
    • Scrub health terms from URLs to avoid condition-based inferences.
    • Rename pixel events to remove health conditions.
  2. Expert Determination
    A privacy expert reviews your data and confirms the risk of re-identification is very low. Useful for complex data sets.
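
The Safe Harbor method applied to a lead record, as an added example (not code from the original post or from 1PD Ops) that also covers identifiers 2 and 3 above: direct identifiers are dropped, dates are reduced to the year (the Safe Harbor standard keeps only the year), ages over 89 are collapsed, and ZIP codes are cut to three digits with the low-population prefixes from HHS guidance set to 000. Health-context fields are dropped as well, following the article's advice for ad platforms; the field names and sample record are constructed.

```python
"""Safe Harbor de-identification of a lead record (added example).

Applies the Safe Harbor generalizations for the identifiers marketers meet most
often: direct identifiers dropped, dates reduced to year, ages over 89 collapsed
to '90+', ZIP reduced to three digits with low-population prefixes set to '000'.
Health-context fields are also dropped, as the article suggests for ad platforms
(this goes beyond what HIPAA Safe Harbor itself requires). Field names are
constructed for this example.
"""
import re
from datetime import date

# Direct identifiers removed outright.
DIRECT_IDENTIFIERS = {
    "name", "first_name", "last_name", "email", "phone", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "device_id", "ip", "photo_url",
}
# Health context removed before data goes to an ad platform (article's advice).
HEALTH_CONTEXT = {"condition", "diagnosis", "treatment", "medication"}

# Three-digit ZIP prefixes with 20,000 or fewer residents per HHS Safe Harbor
# guidance (2000 census figures). Assumption: check the current HHS list.
LOW_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: str) -> str:
    """First three digits, or '000' when the prefix is too sparsely populated."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3:
        return "000"
    return prefix


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO-8601 date or datetime string."""
    match = re.match(r"(\d{4})-\d{2}-\d{2}", value)
    if not match:
        raise ValueError(f"unrecognized date: {value!r}")
    return match.group(1)


def age_on(dob: str, today: date) -> int:
    born = date.fromisoformat(dob)
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


def generalize_age(age: int) -> str:
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict, today: date) -> dict:
    """Return a de-identified copy of `record`; the input is never mutated."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in HEALTH_CONTEXT:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = generalize_age(age_on(value, today))
        elif key.endswith("_date"):
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value
    return out


SAMPLE_LEAD = {  # constructed record, not real data
    "name": "Jane Doe",
    "email": "jane@example.com",
    "phone": "415-555-0123",
    "zip": "94105-1234",
    "dob": "1931-05-10",
    "appointment_date": "2025-07-28T10:15:00",
    "condition": "thyroid",
    "lead_source": "paid_social",
}
SAMPLE_TODAY = date(2025, 7, 28)

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_LEAD, SAMPLE_TODAY))
```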

A secret spill, a 2-in-1 solution: there is another way, where your data is hashed but you don’t need an expert, no matter how complex your data is.

It’s hectic, right? You search for this and that, here and there, but see no improvement.

The Easy Method: Using 1PD Ops to De-identify PHI

Ad platforms are tightening restrictions, but you can stay compliant and keep results strong with 1PD Ops (First-Party Data Ops). Hereโ€™s how:

Mask PHI Before Data Leaves Your Site

Scrubbing health terms from URLs and blocking form data sounds technical, but it’s where most accidental PHI leaks begin. Platforms like Meta read your page URLs and event payloads, so if “/thyroid-plan?email=s***@gmail.com” slips through, your account’s at risk. 1PD Ops sanitizes that data before it’s ever shared, so you don’t get flagged for something you didn’t even realize you were sending.

Use Clear Event Names

Meta doesn’t like event names like PCOD_lead or appointment_diabetes, and it will throttle (or block) your campaigns if it sees them. With 1PD Ops, you can swap those out for clean, neutral labels such as APT-1024, form_submit, or stage3_conversion without losing tracking fidelity. Same insights, no PHI footprint.

Replace PII with Anonymous IDs

Passing emails or phone numbers to ad platforms is the fastest way to trigger a HIPAA violation. Instead, 1PD Ops uses hashed IDs to track behavior while keeping real identities out of the equation. You still get attribution and optimization, just minus the legal headache.

Clean and Control Meta CAPI Payloads

Meta’s CAPI is powerful but dangerous if you don’t control what you’re sending. If your payload includes health terms, emails, or diagnostic hints, your account could get flagged or even banned. 1PD Ops gives you total control: pass only high-intent, stripped-down event data that performs without crossing compliance lines.

Build Targetable Segments with Behavioral Data

You don’t need health info to build smart retargeting. Instead of creating audiences based on “PCOS_leads” or quiz results, 1PD Ops lets you segment based on actions, like “visited 3+ pages” or “clicked CTA twice.” You get intent-rich signals that are safe, scalable, and 100% HIPAA-compliant.

Result: Compliant data flows, protected ad accounts, and better ROAS.

For a detailed guide on the above steps, click here

No more Chaos, No more Clicks. Just toggle, and Rest

Many marketers are still struggling to make their tracking HIPAA-compliant, and as a result, they either risk violations or stop tracking altogether. 

But the solution isn’t to quit. It’s to track smarter.

With 1PD Ops, you get compliant performance tracking without compromising results. That means transforming event names and stripping out health-related context before data is sent to ad platforms.

It means building consent frameworks directly into your funnel so you know exactly what data you’re collecting, why, and how it’s used.

And when it comes to retargeting, stop using individual health actions.

Instead, use safe, aggregated data to build privacy-compliant retargeting and lookalike audiences that still drive performance.

I’ve worked with brands that cleaned up their funnels by removing PHI from URLs, transforming events, and updating consent forms.

Not only did they stay compliant, but their ad performance improved with no sudden account bans or flagged campaigns.

Conclusion: Why HIPAA-Compliant Marketing is a Growth Lever

Compliance isn’t the enemy of performance; it’s the key to keeping your campaigns running and scaling in 2025. The health brands that are growing fastest aren’t ignoring HIPAA; they’re outpacing competitors by solving it early. If you get your data house in order now, you’ll be ready for whatever comes next.

The health brands growing in 2025 are following HIPAA marketing rules to stay compliant. They’re outpacing competitors by solving it early and by understanding what is considered PHI under HIPAA.

Book a free consultation call with us, not only to stay compliant with HIPAA, but also to be ready for any privacy laws that may be coming in the near future.

Try 1PD Ops for free and guard your campaigns’ performance, not just for today but for years to come.

Frequently Asked Questions (FAQs)

PHI includes any health-related information combined with personal identifiers like name, email, or phone number. Even inferred data based on user behavior on health pages can be flagged as PHI.
Yes. If user actions suggest a health condition (like visiting /pcos-diet and submitting a form), platforms like Meta can treat it as sensitive data under HIPAA.
Meta faces increasing pressure to enforce privacy rules and restrict PHI sharing. It uses advanced systems to detect health-related signals, even from anonymized data.
Key mistakes include vague consent, health terms in UTM tags, unsafe retargeting, and passing identifiers via CAPI or Pixel. Each can lead to account flags or non-compliance.
Use privacy-safe event tracking, transform identifiers, and build clear consent flows. With the right setup, you can track effectively and still scale your campaigns safely.
