Skip to main content
Article

De-Identified vs Anonymized vs Aggregated: What Healthcare Marketers Can Legally Send to Ad Platforms

Healthcare marketers can legally send de-identified data to ad platforms without a Business Associate Agreement, but only if that data meets HIPAA's strict de-identification standards. The terms "de-identified," "anonymized," and "aggregated" describe three distinct data states with different legal thresholds, different technical requirements, and different practical uses in marketing. Conflating them creates compliance risk. This article, current as of July 2026, defines each term precisely and explains which data can leave your environment and under what conditions.

TL;DR

  • De-identified data under HIPAA must satisfy either Safe Harbor (remove 18 identifiers) or Expert Determination; no other method qualifies.
  • HIPAA does not use the term "anonymized"; it is a GDPR concept with no legal standing in U.S. healthcare privacy law.
  • Aggregated data (counts, averages, percentages across groups) is the safest category to share with ad platforms because it cannot identify individuals even if combined with other datasets.
  • Sending hashed emails, IP addresses, or device IDs to Google or Meta does NOT constitute de-identification under HIPAA Safe Harbor.
  • A BAA does not make data sending legal; it makes a vendor accountable for safeguarding PHI that you are permitted to share with them.
  • HHS OCR's December 2022 tracking technology guidance treats any data collected on a healthcare website in an authenticated session as presumptively PHI.

Why These Distinctions Matter for Healthcare Marketing

The FTC enforcement actions against BetterHelp, GoodRx, and Cerebral between 2023 and 2024 all centered on one issue: health data left the covered entity's control without proper de-identification or valid authorization. In each case, the organizations believed (or claimed to believe) that the data they sent to advertising platforms was sufficiently stripped of identifying information. It was not. Healthcare marketers who understand the precise legal boundaries of de-identified data in HIPAA marketing contexts avoid this exact pattern of violation.

De-Identified Data Under HIPAA: The Legal Standard

De-identification is defined in the HIPAA Privacy Rule at 45 CFR 164.514(a)-(b). Health information is de-identified only when there is no reasonable basis to believe the information can identify an individual. HIPAA provides exactly two methods to achieve this status.

Method 1: Safe Harbor De-Identification (164.514(b)(2))

Safe Harbor de-identification for marketing requires removing all 18 categories of identifiers from the dataset. The covered entity must also have no actual knowledge that the remaining information could identify an individual.

  • Names
  • Geographic data smaller than a state (including ZIP codes with populations under 20,000)
  • All dates (except year) related to an individual, including birth date, admission date, discharge date, and death date
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

The final category ("any other unique identifying number") is the one that catches marketers most often. Hashed email addresses, advertising click IDs, browser fingerprints, and proprietary user IDs all fall here. Safe Harbor de-identification in marketing means these must be removed entirely, not merely hashed or encrypted.

Method 2: Expert Determination (164.514(b)(1))

A qualified statistical or scientific expert applies accepted methods to determine that the risk of identifying any individual is "very small." The expert must document their methods and results. This path allows more data to remain in the set but requires formal engagement with a credentialed professional and ongoing validation as data volumes change.

Once data is properly de-identified by either method, it is no longer PHI. It is not subject to HIPAA's use and disclosure restrictions. You can send it to Google Ads, Meta, or any other platform without a BAA and without patient authorization.

Anonymized Data: A GDPR Term Without HIPAA Standing

"Anonymized" data has no definition in HIPAA. The term originates from the EU General Data Protection Regulation (GDPR), where anonymized data is information that has been irreversibly altered so that the data subject can no longer be identified directly or indirectly. Under GDPR, truly anonymized data falls outside the regulation entirely.

Healthcare marketers operating in the United States should not use "anonymized" as a compliance standard for HIPAA purposes. Using the term in internal documentation, vendor contracts, or marketing materials creates ambiguity. If your legal counsel or vendor says data has been "anonymized," ask whether it meets HIPAA Safe Harbor or Expert Determination. If neither applies, it is not de-identified under U.S. law, regardless of what label it carries.

State privacy laws such as the Indiana Consumer Data Protection Act and the Pennsylvania Consumer Data Privacy Bill use their own definitions of de-identified data, which may differ from HIPAA's. Healthcare entities subject to both HIPAA and state law must satisfy the stricter standard.

Aggregated Data: The Safest Category for Ad Platform Reporting

Aggregated data consists of statistical summaries computed across groups of individuals where no single person's data can be isolated. Examples include: "412 users visited the knee replacement page this week," "conversion rate for the cardiology campaign was 3.2%," or "average time on the appointment scheduler was 47 seconds."

Aggregated data is safe to share with ad platforms because it was never individual-level data to begin with (or has been mathematically reduced so that individual records cannot be reconstructed). The key threshold: if you cannot work backward from the aggregate figure to any single person's health information, even when combined with other available datasets, the data is functionally non-identifiable.

However, beware of small-cell sizes. An aggregate statistic drawn from only two or three individuals (for example, "2 patients in ZIP 83701 scheduled bariatric consultations") can become identifying when combined with other public data. HHS recommends suppressing cells with counts below a minimum threshold, often five or fewer, before releasing aggregate data.

What Healthcare Marketers Can Actually Send to Ad Platforms

Data you CAN send without a BAA or authorization

  • Properly de-identified data meeting Safe Harbor or Expert Determination
  • Aggregated conversion counts with sufficiently large cell sizes
  • Non-health contextual data (page category tags like "orthopedics" without user-level linkage)
  • Modeled or synthetic conversion signals derived from aggregate patterns

Data you CANNOT send without authorization (even with a BAA)

  • Hashed email addresses collected in a patient portal or appointment flow
  • IP addresses captured on pages that indicate a health condition
  • Device IDs or advertising IDs associated with healthcare interactions
  • Click IDs (gclid, fbclid) tied to health-related page visits
  • Any user-level event data from authenticated sessions on healthcare websites

A BAA with an ad platform (which Google and Meta do not sign for their advertising products) would not authorize you to send this data anyway. A BAA only permits disclosure to a business associate performing a function on behalf of the covered entity. Advertising optimization is not a HIPAA-covered function.

How Consent Management Interacts with De-Identification

Patient consent (or HIPAA-compliant authorization) can permit uses of identifiable data that would otherwise be prohibited. But consent does not transform identified data into de-identified data. These are separate legal mechanisms. Consent authorizes a use of PHI. De-identification removes the PHI status entirely.

Healthcare marketers need both: a properly configured consent management platform to handle situations where you do have authorization, and a technical de-identification or aggregation pipeline for situations where you do not. Using only one approach leaves gaps.

Common Mistakes Healthcare Marketers Make

Mistake 1: Treating hashing as de-identification

Hashing an email address does not remove it as an identifier under Safe Harbor. The 18th identifier category covers "any other unique identifying number, characteristic, or code." A SHA-256 hash of an email is a unique code derived from an identifier. It is still an identifier.

Mistake 2: Assuming server-side tracking is automatically compliant

Server-side tag management moves data processing off the browser, but the data itself may still be PHI. If your server-side pipeline sends a Meta Conversions API event containing a hashed email, IP address, and the fact that the user completed a "depression screening" form, you have disclosed PHI to Meta regardless of where the processing occurred.

Mistake 3: Conflating "no PII" with "de-identified under HIPAA"

Ad-tech definitions of Personally Identifiable Information (PII) are narrower than HIPAA's definition of Protected Health Information. An IP address is not "PII" under many ad-tech frameworks. It is explicitly one of HIPAA's 18 Safe Harbor identifiers. Healthcare marketers must apply the HIPAA standard, not the ad platform's standard.

Mistake 4: Believing a BAA with your CRM or email platform covers ad tracking

A BAA with HubSpot's enterprise tier or a HIPAA-compliant email marketing platform covers those vendors' handling of your PHI. It does not extend to third-party pixels, tags, or SDK calls embedded within those platforms that send data to Google or Meta. Each data flow must be evaluated independently.

Mistake 5: Relying on ad platform "health category restrictions" as a compliance mechanism

Google and Meta restrict targeting based on health categories. This is a platform policy, not a HIPAA compliance mechanism. Even if Meta blocks you from creating a "cancer patients" audience, the act of sending identifiable health data to Meta is itself the HIPAA violation. The violation occurs at transmission, not at targeting.

A Practical Framework: Three Questions Before Sending Any Data

  1. Is this data individual-level or aggregate? If aggregate with sufficient cell sizes, it is generally safe to share.
  2. If individual-level, does it meet Safe Harbor or Expert Determination? Review all 18 identifiers. If any remain (including hashed versions), the data is not de-identified.
  3. If not de-identified, do I have valid HIPAA authorization from the individual AND a BAA with the recipient? Both are required. If either is missing, the data cannot leave your environment.

Most healthcare marketing use cases fail at question 2. The practical solution is to process conversions and marketing signals through a system that strips or aggregates data before it reaches any ad platform.

How Curve Handles This Problem

Curve's architecture processes healthcare marketing data server-side, strips the 18 Safe Harbor identifiers before any signal reaches Google, Meta, or Microsoft, and delivers conversion data in a form that satisfies HIPAA de-identification requirements. This means healthcare marketers can optimize campaigns, measure ROAS, and run A/B tests without transmitting PHI to ad platforms. Curve signs a BAA covering its own handling of data within the processing pipeline, and ensures what exits the pipeline to ad platforms is no longer PHI. Session replay, form analytics, and attribution reporting stay within the HIPAA-compliant environment. If your current stack cannot answer the three questions above with confidence, Curve is built specifically for this problem.

Frequently Asked Questions

Can I send hashed emails to Google or Meta if I have a BAA with my tracking vendor?

No. A BAA with your tracking vendor covers that vendor's handling of PHI. It does not authorize disclosure of PHI (including hashed emails, which remain identifiers under Safe Harbor) to Google or Meta. Google and Meta do not sign BAAs for their advertising products, and advertising is not a covered healthcare operation under HIPAA.

Is anonymized data the same as de-identified data under HIPAA?

No. "Anonymized" is a GDPR term with no legal definition in HIPAA. HIPAA recognizes only "de-identified" data, which must meet either Safe Harbor (removal of 18 identifiers) or Expert Determination. If a vendor tells you data is "anonymized," ask which HIPAA de-identification method was applied.

Does the HIPAA Safe Harbor method allow me to keep ZIP codes in my marketing data?

Only the first three digits of a ZIP code may be retained, and only if the geographic unit formed by combining all ZIP codes with those three digits contains more than 20,000 people. For the 17 three-digit ZIP code prefixes that cover populations under 20,000, even the first three digits must be removed.

If I only send conversion counts (not user data) to an ad platform, is that HIPAA compliant?

Generally yes, provided the conversion counts are true aggregates that cannot be traced to individuals. A conversion count of "1" for a specific campaign targeting a narrow geographic area and health condition could theoretically identify a person. Use minimum cell-size thresholds (typically 5 or more) and avoid combining conversion data with granular targeting parameters that could narrow the group to identifiable individuals.

Does Washington's My Health My Data Act change what counts as de-identified?

Yes, for entities subject to that law. Washington's MHMDA defines "consumer health data" broadly and applies to non-HIPAA-covered entities. Its de-identification standard requires that data not be capable of being re-identified by any reasonable means. Healthcare organizations subject to both HIPAA and MHMDA should apply whichever standard is more restrictive for each data element.

Can I use Google Analytics 4 on my healthcare website if I de-identify the data first?

The problem is sequencing. Google Analytics 4 collects data (including IP addresses, device identifiers, and page paths indicating health conditions) at the point of page load, before you can de-identify it. By the time data reaches Google's servers, PHI may already have been disclosed. Server-side implementations that strip identifiers before sending measurement data to Google can resolve this, but a default GA4 client-side installation on a healthcare website does not meet Safe Harbor requirements.

Stay Compliant. Scale Confidently.

Join healthcare innovators who trust Curve for HIPAA-compliant ad tracking.Launch in hours, not months. Your growth stack, now HIPAA-safe.