The Intake

Insights for those starting, managing, and growing independent healthcare practices

What is protected health information? A primer for healthcare providers

Providers must be careful not to reveal these 9 types of protected health information when marketing their practices online.

Patient speaks to doctor asking is age hipaa protected

At a Glance

  • Protected health information (PHI) refers to anything that could reveal the identity of a patient. Healthcare providers must not reveal a patient’s PHI without their written consent.
  • When marketing healthcare services online, providers should avoid revealing any details that could compromise patient privacy and violate HIPAA regulations.
  • If providers want to include patient stories or photos in marketing materials, they must obtain the patient’s written consent using proper legal forms and procedures. It’s best to consult an attorney to ensure compliance with HIPAA and other privacy regulations.

Although healthcare providers know the importance of engaging with patients online, many shy away from digital healthcare marketing for fear of accidentally violating the Health Insurance Portability and Accountability Act, or HIPAA. 

The impact of HIPAA (protected patient information) is far-reaching. It protects a broad set of information about patients that ranges from their name to health status, medical history, physical appearance, and more. Patient age is also HIPAA-protected. 

When it comes to your practice’s healthcare marketing, accidentally disclosing patients' protected health information (PHI) is a top HIPAA concern. According to The HIPAA Journal, 2 of the top 10 most common HIPAA violations involve revealing PHI.

Private practice is competitive, and you need a healthcare marketing strategy that includes responding to online reviews and engaging patients on social media. However, providers must take special care never to reveal PHI without patients’ written consent.

Below, we outline 9 types of PHI to help you feel more confident about marketing your practice online while safeguarding your patients’ PHI.

What are the types of protected health information?

Protected health information refers to anything that could reveal the identity of a patient. Although some types of PHI are fairly obvious — such as a patient’s name — others may be easier to accidentally reveal, such as a patient’s city or even county of residence.

Although some types of PHI are fairly obvious, others may be easier to accidentally reveal. ”

When creating marketing materials, writing a blog, or posting to social media, ensure you avoid revealing the following information. 

List of Protected Patient Data

1. Patient’s name or nickname

Using a patient’s name or nickname is a PHI HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything related to the patient’s naming identity exposes a patient’s PHI and is forbidden.

Optimize Operations

2. Address or geographical location

HIPAA requires healthcare workers to withhold almost all information about the address of a patient to prevent revealing crucial PHI of a patient. Privacy laws also forbid the disclosing of any geographic information about a patient more detailed than the state level, including a patient’s city and county.

3. Patient dates

Is age HIPAA-protected?" is a common question in the healthcare industry, and the answer is yes. HIPAA protects almost all dates related to an individual and their healthcare treatment, including the date and time of a medical appointment and the patient’s age. 

Privacy laws forbid you from revealing any of the following patient PHI:

  • Birthdate
  • Date of death
  • Date of appointment
  • Admission date
  • Discharge date
  • The exact age of a patient

4. Important patient numbers

Protected health information includes a patient’s contact information and any other number that could identify them. Here are a few important numbers that are considered part of a patient’s PHI that you should watch out for:

  • Telephone numbers
  • Fax number
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number

5. Vehicle or device serial information

Revealing a patient’s license plate number is a clear HIPAA violation of a patient’s PHI, but so is identifying any other information about their vehicle, including color, make, or model. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.

Download the report

6. IP addresses, URLs, and social media

IP addresses, URLs, and social media handles are considered PHI and are protected under HIPAA. Make sure not to tag your patients or mention their usernames when sharing original content or commenting on other posts.

Make sure not to tag your patients or mention their usernames when sharing original content or commenting on posts. ”

You also want to take special care not to share their website information or their personal email addresses.

7. Fingerprint or voiceprint

Protected health information also includes a patient’s fingerprint and voiceprint. Even if you never share a patient’s face or name, you can’t use their voice in promotional or other materials. Voices are unique indicators of who we are, and HIPAA protects voices because they could identify patients. 

8. Patient photos

Naturally, you’d want to feature photos of your happy, satisfied patients on your website, but a patient’s image is PHI and protected under HIPAA, which states that photographic images violate patient privacy rights.

This is certainly true for photos of patients' faces but also remains true for snapshots of other parts of the body. When promoting your healthcare practice, you may want to feature photos of your patients on your website, but a patient’s image is also PHI and protected under HIPAA.

HIPAA states that photographic images violate a patient’s privacy rights. This includes any photo of a patient — from a headshot to a picture of a hand or leg.

9. Anything else that compromises a patient’s identity

With enough detective work, most biographical information could reveal someone’s identity. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.

Additional tips for HIPAA PHI compliance

Most healthcare providers would never intentionally reveal protected health information, but it’s essential to be mindful of anything you share online.

Take, for example, the case of a private practice that has a close relationship with a long-time patient. For an upcoming milestone birthday, the practice posts a photo of the front office staff with this patient as an Instagram story and writes, “Happy 40th birthday to our dear friend!” Since age is HIPAA-protected, this would be a violation. 

If you want to include your patients in any of your marketing materials, be sure to speak to an attorney who can help create a set of best practices. ”

Or consider a provider who is trying to be more active on social media as part of their digital marketing strategy. They decided to start a Facebook Live from their office desk but didn’t realize that protected health information was visible in the background. This, too, would be a HIPAA violation.

If you want to include your patients in any of your practice’s healthcare marketing materials, be sure to speak to an attorney who can help create a set of best practices, including consent forms and retention of photographic rights. A patient must give you their written consent via the proper channels.

Although this post is intended to help healthcare providers, it should not replace the advice of legal counsel. Always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA-protected PHI or otherwise put your healthcare practice at risk.

Get the free guide
Unlock the secrets to building a profitable and sustainable healthcare practice with our eBook, "How to Optimize Operations and Increase Margins as You Grow."
Optimize Your Practice for Profitable Growth
Patient Perspectives Report

You Might Also Be Interested In

Learn how to create a seamless patient experience that increases loyalty and reduces churn, while providing personalized care that drives practice growth in Tebra’s free guide to optimizing your practice.

Subscribe to The Intake:
A weekly check-up for your independent practice

Catherine Tansey, business writer and reporter

Catherine Tansey is a business and healthcare writer and reporter. She has close to a decade of experience writing and reporting on small business best practices, emerging technology, market trends, and more. Catherine has several family members who own private practices in mental health services, dentistry, and chiropractics, and she’s seen firsthand the pride and privilege practice owners feel to be able to support their communities.

Get expert tips, guides, and valuable insights for your healthcare practice