Kareo and PatientPop are now Tebra. Learn more


What is protected health information? Quick guide for healthcare providers

Providers must be careful not to reveal protected health information when marketing their practices online.

Physicians guide on PHI: protected health information

Although healthcare providers are aware of the importance of engaging with patients online, many shy away from digital healthcare marketing for fear of accidentally violating the Health Insurance Portability and Accountability Act, or HIPAA. In fact, roughly 38 percent of providers claim that they do not respond to patient feedback because they are concerned about HIPAA compliance, according to PatientPop data.

A HIPAA violation can mean fines, sanctions, and even loss of license in extreme cases. In 2018, the U.S. Department of Health and Human Services (HHS) collected a record $28 million in HIPAA penalties. The agency recently announced, however, that it would set annual limits on fines based on culpability, meaning someone who was completely neglectful of HIPAA compliance would receive a larger fine than someone who has a process in place to abide by the law.

Regardless, providers must take special care never to reveal a patient’s protected health information, or PHI, without the patient’s written consent. In this blog post, we outline the varying types of protected health information to help you feel more confident about marketing your practice online while protecting your patients’ PHI..

Types of protected health information

Protected health information refers to anything that could reveal the identity of a patient. Although some types of PHI are fairly obvious — such as a patient’s name — others may be easier to accidentally reveal — such as a patient’s city or even county of residence. When writing a blog or social media post, take special care to never reveal the following health information.

Patient’s name or nickname

Using a patient’s name or nickname is a PHI HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything related to the patient’s naming identity is exposing a patient’s PHI and is forbidden.

Check out: How to engage on social media with HIPAA in mind

Address or geographical location

HIPAA requires healthcare workers to withhold almost all information about the address of a patient to prevent revealing crucial PHI of a patient. Privacy laws also forbid the disclosing of any geographic information about a patient more detailed than the state-level, including a patient’s city and county.


HIPAA protects almost all dates related to an individual and their healthcare treatment, including date and time of a medical appointment and the patient’s age. Privacy laws forbid you from revealing any of the following patient PHI:

  • Birthdate
  • Date of death
  • Date of appointment
  • Admission date
  • Discharge date
  • The exact age of a patient

Important numbers

Protected health information includes a patient’s contact information and any other number that could identify them. Here are a few important numbers that are considered part of a patient’s PHI that you should watch out for:

  • Telephone numbers
  • Fax number
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number

You might like: 5 medical marketing ideas to outpace the competition

Vehicle or device serial information

Revealing a patient’s license plate number is a clear HIPAA violation of a patient’s PHI, but so is identifying any other information about their vehicle including color, make, or model. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.

IP address, URLs, and social media

IP addresses, URLs, and social media handles are considered PHI and are protected under HIPAA. Make sure not to tag your patients or mention their usernames when sharing original content or commenting on other posts. You also want to take special care not to share their website information or their personal email addresses.

Fingerprint or voiceprint

Protected health information also includes a patient’s fingerprint and voiceprint. Even if you never share a patient’s face or name, you can’t use their voice in any promotional or other materials. HIPAA protects voices because they could identify patients. (Think of Gilbert Gottfried.)


When promoting your healthcare practice, you may want to feature photos of your patients on your website, but a patient’s image is also PHI and is protected under HIPAA. HIPAA states that photographic images violate a patient’s privacy rights. This includes any photo of a patient — from a headshot to a picture of a hand or leg.

Anything else that compromises a patient’s identity

With enough detective work, most biographical information could reveal someone’s identity. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.

Additional tips for HIPAA PHI compliance

Most healthcare providers would never intentionally reveal protected health information, but it’s important to be mindful of anything you’re sharing online. If you’re taking a picture of your desk or going live on social media account, it’s possible you might have protected health information visible in the background.

If you want to include your patients on any of your practice’s healthcare marketing materials, it’s important to speak to an attorney who can help create a set of best practices, including consent forms and retention of photographic rights. A patient must give you their written consent via the proper channels.

Although this post is intended to help healthcare providers, it should not replace the advice of legal counsel. Always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA PHI or otherwise put your healthcare practice at risk.

Interested in responding to online reviews or building a social media presence without violating HIPAA? Download “The doctor’s guide to HIPAA-compliant digital marketing” for help.

Dominate your market

See how you compare to other practices in your local area and specialty.
PatientPop is the leader in practice growth with the only all-in-one solution that empowers healthcare providers to improve every digital touchpoint of the patient journey. As experts in the healthcare technology space, PatientPop makes it easy for providers to thrive in the consumerization of healthcare and promote their practice online, attract patients, and retain them for life.

The combined power of Kareo and PatientPop

As leaders in clinical, financial, and practice growth technology, Kareo and PatientPop have joined forces as Tebra to support the connected practice of the future and modernize every step of the patient journey.

Learn more