How Can I Comply With HIPAA When Using Pusher Beams?

You should avoid transmitting PHI via Pusher Beams. When using Pusher Beams in this way, Pusher is neither a business associate (because its activities do not “involve the use or disclosure of protected health information”), nor a conduit (because its activities do not “transport … protected health information”).

To achieve this, you can instead transmit opaque identifiers of PHI, which recipients can then use to fetch the PHI from your system. For example, suppose you are building a postal prescription service, which needs to display a realtime list of pending orders in each pharmacy. You can implement this using Pusher Beams. Give each order an opaque ID, and transmit this ID to the client(s) via push notification. When the client receives a new order ID, it should then use it to fetch the order details from your server (using your existing auth mechanisms).
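The sketch below walks through the pattern described above. It is an added example, not Pusher's code: the in-memory stores, the function names, and the `fcm`/`data` publish body layout are assumptions, and the actual Beams publish call and your real auth mechanism are left out.

```python
import json
import secrets

# Constructed sample data: in-memory stand-ins for your order store and staff directory.
ORDERS = {}                                             # opaque ID -> record holding PHI
STAFF = {"alice": "pharmacy-17", "bob": "pharmacy-42"}  # user -> pharmacy

def create_order(pharmacy, patient, medication):
    """Keep the PHI server-side and return an opaque ID that refers to it."""
    # Random rather than sequential or derived from patient data, so the ID
    # discloses nothing and cannot be guessed.
    order_id = secrets.token_urlsafe(16)
    ORDERS[order_id] = {"pharmacy": pharmacy, "patient": patient,
                        "medication": medication}
    return order_id

def assert_no_phi(body, order):
    """Guard to run before publishing: no PHI value may appear in the body."""
    wire = json.dumps(body)
    for field in ("patient", "medication"):
        if order[field] in wire:
            raise ValueError(f"PHI field {field!r} leaked into push payload")

def build_notification(order_id):
    """Return (interest, publish body); the body carries only the opaque ID."""
    order = ORDERS[order_id]
    body = {"fcm": {"data": {"order_id": order_id}}}  # assumed body layout
    assert_no_phi(body, order)
    return order["pharmacy"], body

def fetch_order(user, order_id):
    """Server-side fetch: release PHI only to staff of the order's pharmacy."""
    order = ORDERS.get(order_id)
    if order is None or STAFF.get(user) != order["pharmacy"]:
        # Same error for unknown and unauthorized IDs, so IDs cannot be probed.
        raise PermissionError("not authorized for this order")
    return {"patient": order["patient"], "medication": order["medication"]}
```

The authorization check in `fetch_order` is what protects the PHI; the opaque ID only keeps it out of the push channel.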
