The Health Insurance Portability and Accountability Act (HIPAA, Pub.L. 104-191) applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their Business Associates. Any CDP or CDW that handles Protected Health Information (PHI) on behalf of a covered entity is a Business Associate and must sign a Business Associate Agreement (BAA) with the covered entity before receiving any PHI.
What constitutes PHI. PHI is individually identifiable health information held or transmitted by a covered entity or Business Associate. The 18 identifiers defined by the Safe Harbor method include: name, geographic subdivision below state, dates (birthdate, admission, discharge, death), phone number, email address, Social Security number, medical record number, IP address, device identifiers, biometric identifiers, and full-face photographs. Any of these combined with health information creates PHI.
HIPAA Marketing Rule. PHI may not be used for marketing communications without the individual's explicit written authorization — with narrow exceptions for treatment-purpose communications, case management, and appointment reminders (where only a nominal payment is made to the communicating covered entity). The implication: a CDP that uses diagnosis codes, prescription history, or claims data to segment patients for a commercial health product campaign is violating HIPAA unless each targeted patient has individually authorized that use.
Architectural implication 1 — Business Associate Agreements. Every vendor in the CDP stack that touches PHI must sign a BAA. This includes the CDP vendor (packaged or composable), the CDW (Snowflake, BigQuery, Databricks), the reverse-ETL tool (Hightouch, Census), the email platform (if PHI is used in targeting), and any paid-media audience destination (Meta, Google). Most major CDW and CDP vendors offer BAAs; ad networks (Meta, Google) do not — this creates a hard architectural constraint: PHI-derived audience segments cannot flow to standard paid-media activation destinations without de-identification.
Architectural implication 2 — De-identification as the activation gateway. The standard CDP pattern for healthcare marketing is de-identification before the marketing pipeline. Two HIPAA-approved methods: (1) Safe Harbor: remove all 18 specified identifiers — the resulting dataset is no longer PHI and can flow to paid-media destinations. (2) Expert Determination: a qualified statistician certifies that the risk of re-identification is very small. In composable stacks, de-identification is a CDW transformation layer — a downstream "marketing copy" of the profile with all 18 Safe Harbor identifiers removed; the original PHI-containing table remains in a separate, BAA-governed schema. In packaged CDPs with a BAA, de-identification must be a configurable dataset output, not a manual step.
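As an added example of the "marketing copy" transformation described above (not code from the original node or from any CDP or CDW vendor), the function below takes one profile row from the BAA-governed schema and produces the Safe Harbor copy, with a gate check a pipeline can run before activation. Field names, the sample profile, and the SPARSE_ZIP3 set are all constructed assumptions; the real list of sparsely populated 3-digit ZIP areas comes from Census data.

```python
from datetime import date

# Direct identifiers Safe Harbor removes outright (those named on the page, plus
# the sub-state geography and biometric/photo fields the rule also covers).
DIRECT_IDENTIFIERS = {"name", "street_address", "city", "phone", "email", "ssn",
                      "mrn", "ip_address", "device_id", "biometric_id", "photo"}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed placeholder for the 3-digit ZIP areas with under 20,000 residents,
# which Safe Harbor says must be written as 000 (real values come from Census data).
SPARSE_ZIP3 = {"036", "059", "102"}

def safe_harbor_copy(profile: dict, as_of: date = date(2026, 1, 1)) -> dict:
    """Return the marketing-schema copy of one profile with the identifiers removed."""
    out = {}
    for key, value in profile.items():
        if key in DIRECT_IDENTIFIERS or value is None:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
        else:
            out[key] = value            # state, diagnosis codes, segments etc. stay
    birth = profile.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:
            # Ages over 89 collapse to one bucket, and the birth year goes too,
            # since the year alone would reveal an age above 89.
            out.pop("birth_date_year", None)
            out["age_band"] = "90+"
        else:
            decade = age // 10 * 10
            out["age_band"] = f"{decade}-{decade + 9}"
    return out

def leaked_identifiers(record: dict) -> set:
    """Gate check before activation: which identifier, raw date or raw ZIP fields remain."""
    return set(record) & (DIRECT_IDENTIFIERS | DATE_FIELDS | {"zip"})

# Constructed sample profile as it would sit in the BAA-governed schema.
PATIENT = {"name": "Jane Doe", "email": "jane@example.com", "mrn": "MRN-0001",
           "street_address": "1 Main St", "city": "Boston", "state": "MA", "zip": "02115",
           "birth_date": date(1985, 6, 15), "admission_date": date(2025, 11, 3),
           "diagnosis_code": "E11.9", "segment": "care_gap_a1c"}
```

Running `leaked_identifiers(safe_harbor_copy(PATIENT))` returns an empty set, which is the condition an activation job should require before a segment is pushed to a paid-media destination.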
Architectural implication 3 — Appointment reminders and care-gap outreach. The HIPAA Marketing Rule permits communications for treatment purposes — appointment reminders, prescription refill reminders, care-gap interventions (e.g., a reminder to a diabetic patient to schedule an A1c check) — without written authorization if no third party is paid for the communication and the communication relates to treatment, case management, or care coordination. CDPs in healthcare can support these outreach motions without HIPAA Marketing Rule restrictions, but they still require BAA coverage for the CDP vendor.
Where the agent should surface this. For any organization with org-dim.industry.healthcare, ask: "Does your CDP receive any individually identifiable health data — diagnosis codes, prescription history, claims, or appointment records? If so, every vendor in your stack must sign a BAA, and any paid-media audience activation must use de-identified data only."
2026 regulatory landscape note. The HIPAA Reproductive Health Privacy Rule 2024 — which would have expanded PHI marketing restrictions for reproductive health data — was vacated by the Northern District of Texas on June 18, 2025. Its NPP compliance deadline (February 16, 2026) has passed without effect. Healthcare CDPs that built additional consent layers for reproductive health data should confirm with counsel whether those layers remain operationally required under state law (several state statutes independently protect reproductive health data). The core HIPAA Privacy Rule marketing restrictions described in this node (written authorization required; narrow treatment-purpose exceptions) remain in full effect unchanged. Written marketing authorizations must now explicitly disclose: (a) whether any remuneration is received for the marketing communication, and (b) that the information may be re-disclosed on social media (HIPAA Journal, 2026).
Confidence note: Sources are secondary — CDP Institute trade publication, Hightouch vendor-domain healthcare page, Rock Health investor-adjacent analysis, and HIPAA Journal independent trade publication (2026). Primary HHS regulatory text (HHS.gov HIPAA for Professionals) is queued (see web-refresh-queue.yaml). Confidence will rise to ≥0.90 when primary regulatory source is fetched.