Which information counts as PHI under HIPAA, the 18 identifiers, and what that means when your team texts patients.
Get started for freeSchedule a demo →PHI (Protected Health Information) is any health information that can identify a patient, held or transmitted by a covered entity or its business associates. HIPAA lists 18 identifiers, including names, phone numbers, email addresses, and dates, that make health information identifiable. A text that pairs a patient's name or number with anything about their care contains PHI. BloomText protects PHI with a signed BAA on every plan, encryption in transit and at rest, access controls, and audit logs.
PHI is individually identifiable health information about a person's past, present, or future health, the care they receive, or how that care is paid for. It is protected when a covered entity or business associate holds or transmits it, in any form: paper, spoken, or electronic. The HHS Privacy Rule summary has the full definition.
PHI is broader than charts and lab results. Appointment reminders, billing records, referral notes, voicemails, and text messages all contain PHI when they connect an identifiable person to their care.
The identity side matters as much as the health side. If information could point back to a specific patient, it is identifiable. That is where the 18 identifiers come in. Vendors that handle PHI for you must sign a Business Associate Agreement first.
HIPAA's Privacy Rule lists 18 identifiers that make health information identifiable. The list comes from the safe harbor de-identification standard in 45 CFR 164.514, explained in the HHS de-identification guidance. Remove all 18, and the data stops being PHI as long as no one could still identify the patient from what remains.
| Identifier | Everyday example |
|---|---|
| 1. Names | A patient's first or last name in a message |
| 2. Geographic data smaller than a state | Street address, city, county, ZIP code |
| 3. Dates related to an individual (except year) | Birth date, admission date, appointment date |
| 4. Phone numbers | The mobile number you text |
| 5. Fax numbers | A fax line on a referral form |
| 6. Email addresses | A patient's personal email |
| 7. Social Security numbers | SSN on an intake form |
| 8. Medical record numbers | The MRN on a chart |
| 9. Health plan beneficiary numbers | An insurance member ID |
| 10. Account numbers | A billing account number |
| 11. Certificate or license numbers | A driver's license number |
| 12. Vehicle identifiers | License plate or VIN |
| 13. Device identifiers and serial numbers | A pacemaker or pump serial number |
| 14. Web URLs | A personal website in a record |
| 15. IP addresses | The address a patient portal login came from |
| 16. Biometric identifiers | Fingerprints or voice prints |
| 17. Full-face photos and comparable images | A profile photo in a chart |
| 18. Any other unique identifying number, characteristic, or code | An internal patient code |
A text does not need a diagnosis to contain PHI. "Hi Maria, we will see you Tuesday at 2" sent from a clinic pairs a name and phone number with the fact that Maria receives care there. That is PHI.
Standard SMS gives PHI no protection. Messages travel unencrypted, sit on personal phones, and phone carriers won't sign a BAA. Once a patient detail leaves in a plain text, your organization cannot retrieve it, restrict it, or prove who saw it.
This is why HIPAA compliant texting exists as a category. The HIPAA compliant texting guide walks through the full requirements: a signed BAA, encryption, access controls, and audit logs.
BloomText includes a signed Business Associate Agreement on every plan, including the free plan. That puts the legal foundation in place before the first message.
Patients receive secure links over normal SMS and reply from any phone, with no app download. The conversation itself stays encrypted in transit and at rest on BloomText's servers instead of sitting in an unprotected SMS thread.
Admins control who can access patient conversations and can revoke access the same day someone leaves. Every message is retained and exportable for audit. Read receipts on secure messages show who has seen each message, so your team knows a time-sensitive update was picked up.
Last verified July 8, 2026.