Posted on 
February 14, 2023

What Is Protected Health Information (PHI)? Ending The Confusion

A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

What did it take to get most of the healthcare world asking questions about why things like Facebook Ads and Google Analytics might put them at risk of HIPAA compliance? Try a December 2022 HIPAA update advising against Google and Facebook tracking technologies and the FTC serving notice with their $1.5M fine against GoodRx.

And two of the biggest questions marketing and IT leaders have are what exactly is PHI and what's the issue with tracking technologies. We covered why Facebook's and Google's tracking technologies aren't HIPAA-compliant in this post, but today we're going to focus on understanding PHI.

What Constitutes PHI?

The U.S. Department of Health and Human Services (HHS) says the following about the HIPAA Privacy Rule:

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
"Individually identifiable health information" is information, including demographic data, that relates to:
  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

For something to be considered PHI, two things must exist:

  • At least one of the 18 HIPAA identifiers has to exist.
  • There is some health information.

One way for that PHI to result in a HIPAA violation:

  • Sharing an identifier combined with health information with a non-compliant destination like Google Analytics, Google Ads, or Facebook Ads.
An identifier + health information shared with a non-HIPAA compliant destination puts providers at risk.

Let's break this down further by discussing each of the three components.

18 HIPAA Identifiers

A HIPAA identifier is something that can reveal the identity of an individual. I know this is Ray, so I can start associating things with Ray.

HHS provides a complete list of what they consider as things that could individually identify a person. It's no surprise that something like name, email, and phone number make that list, but other not-so-obvious things can reveal an individual's identity. Let's cover a few of those.

Geographic subdivisions smaller than a state

An individual's full address would serve as an identifier, but so would ZIP codes on their own if:

  • The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people.

AND

  • The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000

IP Address

The Meta Pixel and the tracking technologies that power Google Analytics and Google Ads sit "client-side," which means they are loaded on the physical website. Client-side loading of tracking technologies allows them to intercept personally identifiable information like a visitor's IP address.

Dates

Dates directly related to an individual, like birth date, admission date, and discharge date, are considered a way to identify an individual.

Health Information

The other component required to have data considered to be PHI is health information about the individual. The HIPAA Privacy Rule calls out three categories of Health Information:

  • Physical health or mental health or condition
  • Provision of health care to the individual
  • Payment for the provision of healthcare

Let's cover examples of each of these categories.

Health or condition

A diagnosis of type 2 diabetes or a torn medial collateral ligament would be considered health information. Tracking technologies on a hospital website could capture page visits or videos viewed that could be inferred to determine a visitor's physical health or condition.

Provision of healthcare

A scheduled doctor's appointment or medication prescription would indicate that healthcare is being provided.

Payment for healthcare

Any invoice, bill, or attempt to obtain payment for provisioned healthcare services would be considered health information.

PHI According to a Healthcare Lawyer

If you're still not sure about PHI, this explanation from Dori Cain, a Healthcare Privacy lawyer at Faegre Drinker should help:

If you need more, read Dori's answers to many commonly asked healthcare privacy questions here: Ask a Healthcare Lawyer: HIPAA Compliance for Healthcare Marketers.

Destinations That Aren't HIPAA-Compliant

This last component is where healthcare providers risk violations when running tracking technologies on their websites.

Suppose you have PHI (identifier + health information about the individual) and send it to a non-compliant destination (like Google or Facebook). In that case, this information sharing has already resulted in class action lawsuits against Meta and several hospitals and the $1.5M FTC fine against GoodRx.

Since Google and Meta don't and won't sign BAAs, it's impossible to use them in a HIPAA-compliant way. Or is it?

Learn more: A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites

A Way to Make Your Ad Platforms HIPAA-Compliant

Digital advertising spend in healthcare is projected to be $18B in 2023. And Facebook and Google are two of the most powerful performance marketing channels. Shutting them off and redistributing the advertising spend will take years of strategic efforts for marketing teams at healthcare providers.

That's where Freshpaint comes in. Freshpaint makes ad platforms and the analytics used to measure their performance HIPAA compliant while giving them the minimum data they need to drive growth effectively. You can learn more about Freshpaint here.

Ray Mina
Head of Marketing
view All Posts
Featured Posts
HIPAA COMPLIANCE
Direct Response, Remarketing, and Programmatic Advertising: The HIPAA Pitfalls You Didn't Know
HIPAA COMPLIANCE
IP Addresses and HIPAA Compliance: Unpacking the Risks for Healthcare Websites
USE CASES
Don't Remove It! Make Google Analytics HIPAA Compliant Instead
HIPAA COMPLIANCE
Staying HIPAA-Compliant: How to Detect Web Tracking Risks on Your Website
HIPAA COMPLIANCE
A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites
HIPAA COMPLIANCE
Cut the Jargon: A Look at the FTC-HHS Privacy Warning and What It Means For Your Healthcare Org
USE CASES
How To Make Facebook Ads HIPAA Compliant and Still Get Conversion Tracking
USE CASES
What HHS Has to Say About Tracking Technologies in Latest HIPAA Guidance
GROWTH & STARTUPS
Two Chairs Journey to a HIPAA Compliant Growth Stack
Stay Connected
Tweet this post: 
© 2024 Perfalytics, Inc.
Crafted in San Francisco