Today’s marketing funnels collect more user data than ever; think forms, tracking pixels, CRMs, and retargeting tools. But here’s the catch: if you send this data to platforms like Meta (Facebook) without filtering out sensitive info, you could be violating user privacy and HIPAA rules.
That’s where things get tricky for marketers.
Most marketers fail to close the loop because they are not clear about what counts as PHI under HIPAA, so they don’t know how to make their marketing funnel HIPAA-compliant.
Let’s start with a basic understanding of HIPAA: what is considered PHI under HIPAA, and what is not.
What is HIPAA, and why does it matter for marketers?
Source: The HIPAA Journal; Healthcare data breaches as of October 24, 2024
“In 2024, an average of 758,000 protected health records were exposed to HIPAA violations every single day at a cost exceeding $9.8 million per breach.”
HIPAA stands for the Health Insurance Portability and Accountability Act, passed back in 1996, mainly to protect people’s health information and make sure it stays private. Originally, HIPAA was about hospitals, clinics, and insurance companies.
But as digital marketing grew, the lawโs reach started to include anyone handling health-related data, including marketers.
Why is HIPAA suddenly a marketer’s problem?
For years, marketers could run campaigns for health brands without worrying much about HIPAA. But now, with platforms like Meta under pressure (after facing hundreds of lawsuits) to protect user privacy, the rules have changed.
Meta’s new rules mean marketers must avoid sharing Protected Health Information (PHI) and unhashed, directly identifying Personally Identifiable Information (PII) for ad optimization.
This means no sharing or leveraging of any individually identifiable health data within campaigns, in order to stay compliant and avoid account bans or ad disapprovals.
It’s not just about compliance anymore; it’s about keeping your campaigns live.
The shift: HIPAA is not a barrier for performance marketers
HIPAA isn’t meant to block you from running high-performing campaigns. It protects people’s privacy and keeps their health information discreet.
The typical mindset among healthcare marketers is that it is difficult, or nearly impossible, to track valuable user behavior and send those signals to Meta for conversion optimization.
The 3 places marketers unknowingly violate HIPAA
1. Form submissions: Collecting health info (even just “Are you pregnant?”) and sending it to your CRM or ad platform.
2. URL parameters: Passing health-related terms or identifiers in the URL, which pixels can pick up.
3. Retargeting events: Using pixel events or CAPI (Conversions API) to retarget users based on health-related actions.
If you’re sending health context or identifiers, you’re at risk even if you think you’ve anonymized the data.
Note: Meta’s CAPI, your CRM integrations, and retargeting audiences are all being watched more closely.
(So let’s get the microscopic lens on.)
What is considered PHI under HIPAA?
Let’s look into what is actually happening.
Medical records are not the only thing that counts as PHI;
you don’t need to be collecting medical records to be handling PHI.
If your Meta pixel is firing on a landing page about GLP-1s, TRT, lab testing, or even mental health coaching, and it includes something like an email or phone number, Meta sees that as a problem.
PHI (Protected Health Information) = any health-related information + something that identifies the person. In other words, a person’s health data (a condition such as asthma, or a thoracic complaint) combined with an identifier such as their name, email, or phone number.
Here are 7 commonly used identifiers that get flagged fastest by platforms like Meta.
- Name
- Email address
- Phone number
- Full address (or ZIP code + city)
- Dates like birthdate or appointment time
- Insurance or patient ID numbers
- Any unique user ID (like fbp, click_id, etc.)
Even one of these, when tied to a health intent, is considered PHI under HIPAA, which is why Meta treats this data as a concern and restricts or bans ad accounts. Many marketers are unaware of the 18 PHI identifiers defined under HIPAA, and that is what leads to the restriction or ban.
You might think you’re playing it safe, but Meta doesn’t need words to understand intent. It watches behavior.
Meta can detect PHI even if you don’t say it out loud
Meta isn’t just looking for keywords like “cancer” or “diabetes.”
It’s watching how people move through your funnel and what behavioral signals are sent.
If someone:
- Lands on a page about hormone therapy
- Fills out a form with their name and phone number
- Triggers a Lead or CompleteRegistration event
Meta reads that as, “Here’s a person who’s actively seeking medical treatment, and we just got their PII.”
That’s where the compliance risk kicks in. Not because you meant to break a rule, but because the data flow looks like PHI.
If you’re collecting identifiers on health-related pages and sending them to Meta, you’re almost definitely transmitting PHI even if you’re not labeling it that way.
And Meta’s systems?
They’re built to detect that in milliseconds.
Consider this: If someone visits /pcos-diet and then submits a form with their email, Meta doesn’t need to see the word “PCOS” in the data. The context alone is enough for their systems to flag it as PHI.
But here’s the tricky part:
Even if the data looks anonymous, Meta can still figure out it’s health-related.
That is a real concern if you are still giving them that context (inferred data).
Is “Inferred Data” Considered PHI Under HIPAA (Even When Anonymized)?
Yes, it is. Let’s look at what inferred data is.
Inferred data means guessing information based on what someone does, even if they didnโt say it. It can still be sensitive, because it shows what a person might be thinking or looking for.
If a user visits a page like /diabetes-checklist, that action alone signals a potential health interest even without collecting any direct identifiers.
Meta looks for these kinds of patterns. It scans page URLs, events, UTM tags, and even button clicks to detect activity that suggests someone might be on a health journey. And under their Restricted Data Use policy, those signals can be treated just like PHI.
Hereโs what that can look like in real life:
Examples:
- Event name: submitted_thyroid_quiz
- UTM tag: utm_source=mental_health
- Button: “Book a PCOS consult”
Even without explicit identifiers, these inferred signals carry sensitive health information. That’s why marketers need to be extremely cautious about what data they share with Meta, to avoid accidentally transmitting PHI.
Because inferred data can reveal sensitive health information, Meta requires marketers to follow HIPAA-aligned marketing rules and strict measures for handling it carefully.
How Meta Treats Inferred Data Under Its Policy
Meta’s Restricted Data Use (RDU) policy goes beyond just protecting obvious personal information like names, emails, or phone numbers. It also covers inferred data, meaning any user action that could suggest or hint at a health condition.
Quick Real-World Scenario: How Meta Flags Inferred Health Data
A visitor lands on your site and scrolls through the /mental-health-guide page.
They originally came from a link tagged with utm_source=thyroid_quiz. After browsing, they click the CTA: “Book a diabetes plan.”
To you, it’s just standard engagement. To Meta, it’s a pattern of behavior that suggests a health condition.
Even without a name or email, these actions, page paths, UTM tags, and button clicks can be enough for Meta to classify the session as sensitive under its Restricted Data Use (RDU) policy.
Why? These actions allow Meta’s systems to infer something about the user’s health status. And under their policy, inferred health data is still restricted.
So even if you think you’re in the clear because you didn’t send any direct identifiers, you could still be in violation if the event reveals too much about someone’s health journey. Meta treats this kind of data seriously, and so should your tracking setup if it is to keep your marketing HIPAA-compliant.
Common Mistakes to Avoid (From Data Collection to Activation)
Even the best campaigns can get flagged or penalized if your data setup leaks PHI, and you may not even be aware of it. Here are the four most common (and costly) mistakes health marketers make:
Mistake 1: Incomplete or Generic Consent
Using a single vague checkbox for consent.
Why it’s a mistake:
Generic consent no longer meets privacy standards. Meta and regulators expect specific, transparent consent including what data is collected, how it’s stored, and how it will be used. Without that, you risk non-compliance, ad rejection, and broken user trust.
Mistake 2: Using PHI in UTM Parameters
Why it’s a mistake:
UTM parameters are included in URLs and are publicly accessible. Embedding protected health information (PHI) like health conditions or personal identifiers in UTMs exposes sensitive data to anyone who can see the URL, including platforms like Meta. This can trigger automated data filters and violate privacy regulations such as HIPAA, putting your marketing campaigns at risk of non-compliance and possible penalties.
Example: utm_campaign=asthma_leads or utm_content=pcos_quiz_submit may trigger Meta’s data filters.
Mistake 3: Retargeting Without Privacy-Safe Segmentation
Why it’s a mistake:
Retargeting users based on condition-specific interactions without proper consent risks exposing sensitive health data and violating both HIPAA and platform rules. Keeping clear, privacy-safe audience segments protects compliance and user privacy.
Mistake 4: Sending Identifiers via CAPI or Pixel
Why it’s a mistake:
Passing names, emails, phone numbers, or health-related data through Meta’s CAPI or Pixel can violate Restricted Data Use (RDU) policies and HIPAA regulations. These backend events often go unnoticed but still transmit sensitive information. Always audit your custom events to ensure PHI isn’t being sent unintentionally and to stay HIPAA compliant.
It’s hectic, right? You search for this and that, here and there, but see no improvement.
No more chaos, no more clicks. Just toggle, and rest.
Many marketers are still struggling to make their tracking HIPAA-compliant, and as a result, they either risk violations or stop tracking altogether.
But the solution isnโt to quit. Itโs to track smarter.
With 1PD Ops, you get compliant performance tracking without compromising results. That means transforming event names and stripping out health-related context before data is sent to ad platforms.
It means building consent frameworks directly into your funnel so you know exactly what data you’re collecting, why, and how it’s used.
And when it comes to retargeting, stop using individual health actions.
Instead, use safe, aggregated data to build privacy-compliant retargeting and lookalike audiences that still drive performance.
Scenario: I’ve worked with brands that cleaned up their funnels by removing PHI from URLs, transforming events, and updating consent forms.
Not only did they stay compliant, but their ad performance improved, with no sudden account bans or flagged campaigns.
Conclusion: Why HIPAA-Compliant Marketing is a Growth Lever
Compliance isn’t the enemy of performance; it’s the key to keeping your campaigns running and scaling in 2025. The health brands that are growing fastest aren’t ignoring HIPAA; they’re outpacing competitors by solving it early. If you get your data house in order now, you’ll be ready for whatever comes next.
The health brands growing in 2025 are following HIPAA marketing rules to stay HIPAA-compliant. They’re outpacing competitors by solving it early and by understanding what is considered PHI under HIPAA.