HIPAA PHI — Healthcare CDP Marketing Restrictions
constraint.hipaa-phi-cdp-healthcare
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities (providers, health plans, clearinghouses) and their Business Associates may not use Protected Health Information (PHI) for marketing purposes without explicit written authorization from the individual, with narrow exceptions. CDPs operated by or for covered entities are Business Associates; vendor BAAs are required. The standard architectural mitigation is HIPAA de-identification — removing the 18 Safe Harbor identifiers — before PHI-derived data enters marketing pipelines or activation destinations.
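One way to enforce the de-identification step at the pipeline boundary is a default-deny field filter. The sketch below is an added example, not code from this page or from any CDP vendor. It covers the Safe Harbor generalization rules for ZIP codes, dates and ages over 89. The field names, the sample profile and the low-population ZIP3 set are assumptions made for illustration.

```python
from datetime import date

# Hypothetical CDP field names: only these pass through unchanged (default deny).
ALLOWED_FIELDS = {"state", "segment", "preferred_channel"}
# Placeholder ZIP3 prefixes standing in for areas with 20,000 or fewer residents;
# not an authoritative list, derive the real set from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Constructed sample profile, not real data.
SAMPLE = {
    "name": "Jane Roe", "email": "jane.roe@example.com", "mrn": "MRN-0001",
    "zip": "03601", "state": "NH", "birth_date": date(1930, 5, 1),
    "segment": "wellness-newsletter", "notes": "called on 2023-11-02",
}


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for low-population areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def generalize_birth_date(birth_date, today):
    """Reduce a birth date to its year; ages over 89 collapse into one bucket."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    if age > 89:
        return {"age_band": "90+"}  # the year itself would reveal the age
    return {"birth_year": birth_date.year}


def deidentify(profile, today=None):
    """Return a new record for the marketing pipeline; unknown fields are dropped."""
    today = today or date.today()
    out = {k: v for k, v in profile.items() if k in ALLOWED_FIELDS}
    if "zip" in profile:
        out["zip3"] = generalize_zip(profile["zip"])
    if isinstance(profile.get("birth_date"), date):
        out.update(generalize_birth_date(profile["birth_date"], today))
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, today=date(2024, 1, 1)))
```

Because the filter is an allow-list, a new identifier field added upstream is dropped by default instead of leaking into an activation destination. Free-text values are excluded entirely here, since they can carry identifiers that field-level rules cannot see.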