The legal definition

HIPAA defines PHI as individually identifiable health information that's created or received by a covered entity (or a business associate working for one) and that relates to a person's past, present, or future health, healthcare, or payment for healthcare.

That definition has two halves. The first half is "identifiable" — there has to be something that ties the data to a specific person. The second half is "health information" — it has to relate to someone's health, treatment, or payment.

For most of HIPAA's history, "identifiable" meant a name or medical record number. After 2022, OCR took the position that an IP address can be the identifier — particularly when paired with browser cookies that ad platforms already have. And "health information" includes things like the URL of a page about a specific condition.

Why an IP address counts as identifying

A typical IP address is dynamic and not, on its own, enough to identify a specific person. But in practice, ad platforms have spent years matching IP addresses to logged-in users. When Facebook's pixel fires on your hospital's website, Facebook receives the IP address and a `_fbp` cookie that often ties back to a real Facebook account. That's how ad targeting works.

OCR's position is that the practical reality matters. If the data is identifiable to the recipient — Meta, Google, TikTok — it counts as identifiable for HIPAA purposes, even if the hospital itself can't easily identify the visitor.

Why a URL counts as health information

A URL like `/conditions/breast-cancer/screening` tells a third party three things: which hospital, what the visitor was researching, and what action they were considering. That's health information about the visitor.

The same logic applies to:

  • Find-a-doctor results filtered by specialty
  • Appointment scheduling pages with the reason for visit pre-filled
  • Symptom-checker results
  • Patient-portal pages showing test results, medication lists, or upcoming appointments
  • Search queries on hospital sites for specific conditions or providers

The carve-out from *AHA v. Becerra*

In June 2024, a federal court in Texas vacated part of the OCR bulletin. The American Hospital Association argued OCR had overreached. The court agreed in one specific way: it held that OCR couldn't treat IP addresses as PHI on "unauthenticated public webpages" where the visitor's intent was ambiguous.

The judge's example was someone visiting a generic webpage about diabetes — that person could be a patient, a family member, a researcher, a journalist, or just someone curious. The court said you couldn't presume the visit was about the visitor's own health.

The carve-out is narrower than most healthcare marketing teams realize. It doesn't apply to:

  • Pages about specific treatments or providers where the URL implies intent ("schedule an appointment with Dr. Smith for cardiology")
  • Find-a-doctor pages where the visitor entered specific criteria
  • Scheduling flows
  • Anything inside a logged-in portal
  • Mobile apps where the user is signed in

OCR's position on those still stands.

What this means for your website

Three things are clearly PHI on a healthcare website. First, anything inside a patient portal — names, appointments, lab results, messages, prescription refills, billing. Second, anything that combines an identifier (IP, cookie, login) with a specific clinical context (condition, doctor, treatment, scheduling). Third, anything explicitly identifying — names in URLs, email addresses in confirmation links, member IDs in query strings.

What's gray. Generic content marketing about general health topics. Educational articles. The hospital's "About Us" page. The donations page. A federal court has said these aren't PHI even with a tracking pixel, as long as the visitor's intent isn't clear.

What's still being litigated. Pages that fall in between — like a "Why Choose Us" page that mentions specific clinical services, or a "Patient Stories" page with testimonials. Practices defending these cases now argue they're educational. Plaintiffs argue they're commercial.

If you're not sure whether a page on your site contains PHI, the safest assumption is that it does. The downside of treating an educational page as PHI is annoyance. The downside of treating a clinical page as marketing is a lawsuit.
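As an added example (not code from this article), the tiers above can be turned into a client-side gate that decides whether a third-party pixel may load on a page and what URL it may be told about. The route prefixes, query keys and the `hospital.example` base are assumptions to be mapped onto a real site's routing.

```javascript
// Gate a third-party pixel on the PHI tiers described in the article.
// Path conventions below are hypothetical; map them onto the site's own routes.
const PORTAL_PREFIXES = ['/portal/', '/mychart/'];
const CLINICAL_PREFIXES = ['/conditions/', '/treatments/', '/doctors/',
                           '/schedule/', '/symptom-checker/'];
const GENERIC_PREFIXES = ['/about', '/donate', '/blog/', '/news/'];
const CONTESTED_PREFIXES = ['/why-choose-us', '/patient-stories'];
// Query keys that explicitly identify a person (the article's third tier).
// Free-text names inside a path cannot be detected this way; add such routes
// to PORTAL_PREFIXES or CLINICAL_PREFIXES instead.
const IDENTIFYING_PARAMS = ['email', 'name', 'member_id', 'mrn', 'patient_id'];
const BASE = 'https://hospital.example'; // assumed site origin

// Returns 'phi', 'contested', 'gray' or 'unknown'.
function classifyPage(urlString, loggedIn = false) {
  const url = new URL(urlString, BASE);
  const path = url.pathname.toLowerCase();
  const startsWithAny = (list) => list.some((p) => path.startsWith(p));

  // Tier 1: anything behind a login, or any portal route, is PHI outright.
  if (loggedIn || startsWithAny(PORTAL_PREFIXES)) return 'phi';
  // Tier 3: an explicit identifier in the query string is PHI on any page.
  if (IDENTIFYING_PARAMS.some((k) => url.searchParams.has(k))) return 'phi';
  // Tier 2: the IP/cookie every pixel request carries plus a specific clinical
  // context. Find-a-doctor only becomes clinical once criteria were entered.
  if (startsWithAny(CLINICAL_PREFIXES)) return 'phi';
  if (path.startsWith('/find-a-doctor')) {
    return url.searchParams.toString() === '' ? 'gray' : 'phi';
  }
  if (startsWithAny(CONTESTED_PREFIXES)) return 'contested';
  if (startsWithAny(GENERIC_PREFIXES)) return 'gray';
  return 'unknown';
}

// Only the carve-out tier gets the pixel; everything else, including pages
// that could not be classified, is treated as PHI per the closing advice.
function pixelAllowed(urlString, loggedIn = false) {
  return classifyPage(urlString, loggedIn) === 'gray';
}

// What a pixel may be told about the page: the full URL on gray pages,
// origin only elsewhere (no path and no query, so no condition or identifier).
function urlForPixel(urlString, loggedIn = false) {
  const url = new URL(urlString, BASE);
  return pixelAllowed(urlString, loggedIn) ? url.href : url.origin + '/';
}
```

Wire `pixelAllowed` in front of the tag manager's pixel trigger and feed `urlForPixel` to any page-URL parameter the pixel sends; the IP and cookie still travel with the request itself, so on non-gray pages the only safe choice remains not firing it at all.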