
Healthcare Marketing: Staying HIPAA Compliant With Online Forms


If you have forms on your website or a call center that tracks consumer healthcare information requests, the collected marketing data may, or may not, be considered protected health information (PHI). If it is PHI, you may need to reconsider whether it can be used to create personalized marketing campaigns, even with the consumer’s permission.

Healthcare marketers should be justifiably concerned about online consumer data privacy and how they choose to use collected data. Websites have been collecting consumer information online for more than 28 years, and healthcare marketers have followed the master guideline: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. In the past the definitions were clear, but at present the line is blurred. We are all asking the same questions: What can we do to stay compliant, and how should we approach PII data collection?


HIPAA compliance has to be top of mind for marketers when working with patient or healthcare consumer data. If a healthcare consumer submits information, agrees to the approved terms/use of their submitted information, and the information is PII (personally identifiable information) and not PHI (protected health information), a healthcare organization can identify their interests and provide valuable information to the consumer in exchange for their PII. The rule — do not cross the HIPAA line. But where is the line? When does PII become PHI?

We’ve compiled some great sources and checklists that help improve your understanding and confidence in where your organization can comfortably draw the line.

It all starts with the data collection process. Whether online, via phone, or in person, understanding the combination of fields of information you collect and how that information is used determines whether it is PII or PHI.

PII and tracking data from analytics platforms, such as Google Analytics, help marketers determine the success of marketing campaigns and their placements. Without it, agencies and marketing departments have significant blindspots that impair their ability to measure effectiveness in ways they have been able to do in the recent past. We are all looking for cookieless solutions and first-party data resources where possible. How we use that data to optimize a campaign or build a personalized nurturing channel for lead-generation programs is being closely watched by legal groups who ask if we need to redefine and repurpose how we currently use consumer data so that more protection is in place for consumer privacy.


While this is still a gray area, healthcare organizations are building interim policies for consumer data collection and use. It is time to dust off the Privacy and Data Usage Policies, review your tracking tools, audit your online forms and revisit HIPAA and data protocols. Waiting for federal or state laws to firm up their definitions is not an option for us. By taking the good faith safeguards listed in this document, you are well on your way to mitigating legal risk or investigative bodies questioning your due diligence.


If you haven’t done this in the past, we suggest you start with visually building out your healthcare consumers’ pathways to data collection, data security, and future data use. The following diagram is a simple example that shows the critical touch points you should check to safeguard your data process.

[Figure: consumer data journey graphic]

Example of a simple PII collection process. Key data collection, security, and use are identified. Evaluate and determine if they are HIPAA-compliant and PHI-proof.


Recently, legal groups across the U.S. have been challenging healthcare systems and their online practices of consumer data collection. They are trying to make the case that when a consumer submits non-clinical PII (personally identifiable information) in exchange for general information on a healthcare topic, or to sign up for an event or screening, that information should be treated as identifiable PHI (protected health information): by expressing interest in the topic, the consumer is implicitly saying that they MAY be associated with a disease or health condition, which places their name and information into a category that HIPAA protects. This applies to forms on a website and spills into ad and website tracking tools and forms completed on paper – any way you can collect that information and place it into a database for marketing use is being carefully reviewed. There are several cases where healthcare systems and healthcare data brokers are being pursued, so it is worth the time and effort to take preventative measures.


Consumers should have confidence in a healthcare organization’s proper use of lead generation or marketing use of information submitted on a form. This applies to a written or digital form or information collected over the phone.

  1. Inform the consumer what their submitted information is being used for in every capacity.

  2. Always allow the consumer to “Opt Out” of unwanted communications or third-party information.

  3. Never use, share or sell information outside of the use identified in #1.

  4. Secure the consumer’s submitted information by ensuring privacy measures are in place and that submissions are transmitted encrypted to a secured database. (Always look for reputable security icons and make sure you can click through to their source to verify them.)

  5. Follow form creation best practices designed to convert and boost UX.


  1. Learn the letters. Learn and share the official definitions of HIPAA, PII and PHI. This will go a long way to staying vigilant when reviewing forms.

  2. Stay informed. Stay attuned to credible and official sources who share the latest developments on HIPAA compliance such as the AHA (American Hospital Association) and HHS (Department of Health and Human Services).

  3. Follow the big dogs. The large healthcare systems are tracking this closely and updating their forms to stay in what they consider a safe zone away from any implied PHI.

  4. Audit your website forms. Work with an organization or partner who can take a knowledgeable, unbiased approach to evaluate forms. It’s a good time to take inventory; check the form paths, form security, encryption, and database information safety; and review accessibility compliance as well as identify any PHI red flags. Lock down that data and map the paths from your forms to your databases, CRM system algorithms, tracking tools, cookies, pixels, and marketing use of that data.



"Health information, by itself without the 18 identifiers, is not considered PHI. For example, a data set of vital signs does not constitute protected health information. However, if the vital signs data set includes medical record numbers, the data is considered PHI and must be protected since it contains an identifier."

– UC Berkeley Research 2024

All of the following are PII identifiers BUT when combined with a piece of personal health information (such as a diagnosed medical condition, medication, procedure or treatment), they represent PHI. The data, bundled together, makes it possible to identify a person AND that person's health information.

  1. Names

  2. All geographical data smaller than a state

  3. Dates (other than year) directly related to an individual

  4. Telephone numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health insurance plan beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers and serial numbers including license plates

  13. Device identifiers and serial numbers

  14. Web URLs

  15. Internet protocol (IP) addresses

  16. Biometric identifiers (e.g., retinal scans, fingerprints)

  17. Full-face photos and comparable images

  18. Any unique identifying number, characteristic or code

Source: The HIPAA Compliance Guide
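The combination rule stated above (health information alone is not PHI; health information plus any of the 18 identifiers is PHI) can be checked mechanically when you audit a form. The Python below is an example added here, not code from the original post or from any HIPAA resource it cites. It classifies the fields a form collects, together with any metadata a backend or tracking pixel captures alongside the submission (such as the visitor's IP address, identifier #15), as PII only, health information only, or PHI. The field-name mapping, the list of health-topic fields and the sample forms are constructed assumptions; a real audit needs a mapping for your own forms.

```python
"""Form-field PHI audit (added example; field names are assumed conventions)."""
from dataclasses import dataclass

# The 18 HIPAA identifier categories from the list above, as short tags.
HIPAA_IDENTIFIERS = {
    "name", "geo_sub_state", "date", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "face_photo", "unique_code",
}

# Assumed mapping from common form/metadata field names to identifier tags.
FIELD_TO_IDENTIFIER = {
    "first_name": "name", "last_name": "name", "full_name": "name",
    "email": "email", "phone": "phone", "mobile": "phone", "fax": "fax",
    "street": "geo_sub_state", "city": "geo_sub_state", "zip": "geo_sub_state",
    "dob": "date", "birth_date": "date", "appointment_date": "date",
    "ssn": "ssn", "mrn": "mrn", "member_id": "health_plan_id",
    "account_id": "account_number", "device_id": "device_id",
    "client_ip": "ip_address", "referrer_url": "url", "photo": "face_photo",
}
assert set(FIELD_TO_IDENTIFIER.values()) <= HIPAA_IDENTIFIERS

# Fields that carry health information outright (condition, treatment, ...).
HEALTH_FIELDS = {"condition", "diagnosis", "symptoms", "medication",
                 "procedure", "treatment", "screening_type"}
# Fields that only express interest in a topic: the gray area the post
# describes. They are treated as health information here to be conservative.
TOPIC_FIELDS = {"topic_of_interest", "event_topic", "newsletter_topic"}


@dataclass
class FormAudit:
    identifiers: set       # identifier tags found (from fields or metadata)
    health_fields: set     # fields carrying health information
    classification: str    # "none", "pii_only", "health_only" or "phi"
    notes: list            # human-readable findings for the audit report


def audit_form(fields, captured_metadata=()):
    """Classify what a form collects under the identifier + health rule.

    `fields` are the visible form field names; `captured_metadata` are values
    the server or tracking tools attach to the submission without a field.
    """
    identifiers, health, notes = set(), set(), []
    for name in fields:
        key = name.lower()
        if key in FIELD_TO_IDENTIFIER:
            identifiers.add(FIELD_TO_IDENTIFIER[key])
        elif key in HEALTH_FIELDS:
            health.add(key)
        elif key in TOPIC_FIELDS:
            health.add(key)
            notes.append(f"'{name}' implies a health interest; treated as health info")
    for name in captured_metadata:
        tag = FIELD_TO_IDENTIFIER.get(name.lower())
        if tag:
            identifiers.add(tag)
            notes.append(f"metadata '{name}' adds identifier '{tag}' to the submission")

    if identifiers and health:
        classification = "phi"
        notes.append("identifier(s) combined with health information: treat as PHI")
    elif health:
        classification = "health_only"
    elif identifiers:
        classification = "pii_only"
    else:
        classification = "none"
    return FormAudit(identifiers, health, classification, notes)


if __name__ == "__main__":
    # Constructed sample forms; not real forms from any organization.
    samples = {
        "newsletter signup": (["first_name", "email"], []),
        "anonymous symptom checker": (["symptoms", "age_range"], []),
        "symptom checker + pixel": (["symptoms", "age_range"], ["client_ip"]),
        "screening registration": (["full_name", "phone", "screening_type"], []),
    }
    for label, (fields, meta) in samples.items():
        result = audit_form(fields, meta)
        print(f"{label}: {result.classification} {sorted(result.identifiers)}")
        for note in result.notes:
            print("  -", note)
```

The third sample is the case the post warns about: the visible form asks for nothing identifying, but an analytics pixel or server log that stores the visitor's IP address next to the symptom field turns a health-only data set into PHI. Auditing only the HTML form misses it, which is why the form-to-database path mapping above includes tracking tools, cookies and pixels.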


According to The HIPAA Journal, all healthcare organizations should perform 6 annual audits or assessments to ensure compliance. This is a good safety measure for any organization that manages patient and prospect healthcare data.

  1. Security Risk Assessment

  2. Privacy Standards Audit (not required for business associates, BAs)

  3. HITECH Subtitle D Privacy Audit

  4. Security Standards Audit

  5. Device Audit

  6. Physical Site Audit

If your marketing department is responsible for the content on your websites, you should take on the Physical Site Audit (websites) as a standard annual review. For more information, see The HIPAA Guide for audit recommendations.




Your partners should be able to help you with educational information about how this affects your current marketing program. This is particularly important if you have lead generation campaigns in market, email marketing programs, or haven’t audited your campaign landing pages with forms. Also, ask how this changes your tracking data. With Google Analytics 4 (GA4) in full swing, all marketers are making big changes in how they read their data story accurately. Until the blurry areas of what is considered PHI become clearer and there is broader acceptance of the new definition, you – and your healthcare system – will need to make some interim changes to ensure you are compliant AND able to obtain useful consumer data.

Consider conversations on the following:

  1. What does a cookieless option or first-party data option look like for my digital ecosystem’s tracking?

  2. What changes are recommended in tracking and reporting?

  3. How do I tell this data story to executives without overwhelming them with the technical nuances?

  4. Can you audit my landing pages and forms online for HIPAA compliance and best UX standards? While you are in there, can you check for accessibility compliance?

  5. Can you map my consumer’s experience from first eyes on marketing and let us know where we can make improvements?

  6. Are there materials I can share with my marketing team that will help them become more familiar with the changes and challenges in PII and PHI data collection?

  7. Do I have a tech partner who can audit our site for security purposes and ensure that captures and any databases are up-to-date and secure?

  8. How should I adjust my campaigns that are currently in market?

  9. Do you have any materials I can share with executive colleagues that will help them, and the marketing department, communicate changes in the legal environment?

  10. When and where should our legal department be involved?


  1. Audit the forms on your website and review “Opt-in” protocols with your call center when consumers ask for topic information, events, screenings or anything promoted under marketing.

  2. Bring in a subject expert to confirm all your website and form-building security protocols are working and up-to-date on your website.

  3. Make sure your privacy policy and SSL/TLS security indicators are present and easily identifiable.

  4. Check your state’s exemptions on data privacy laws.

  5. Check your forms and marketing emails for “Opt-in/Opt-out” language with self-selection available.

  6. Keep a close eye on the HIPAA Compliance Resources listed in this document to stay current on updates or changes.


If you have any questions about website forms, security protocols, healthcare marketing strategies, lead generation landing pages, or tracking best practices, we’d be happy to help. Please contact SVP, Director of Marketing, Erin Spalding to request more information on these topics or join a conversation.

Please note: The information above is provided to help organizations understand the new healthcare data privacy landscape and is not intended to be legal advice. Consult legal counsel about any case-specific applications or concerns. Legal opinions are constantly evolving, and organizations should consult with experts or reliable HIPAA resources for any new updates following the date of this publication.
