What Is PHI (Protected Health Information)?

Which information counts as PHI under HIPAA, the 18 identifiers, and what that means when your team texts patients.

Get started for freeSchedule a demo →

PHI (Protected Health Information) is any health information that can identify a patient, held or transmitted by a covered entity or its business associates. HIPAA lists 18 identifiers, including names, phone numbers, email addresses, and dates, that make health information identifiable. A text that pairs a patient's name or number with anything about their care contains PHI. BloomText protects PHI with a signed BAA on every plan, encryption in transit and at rest, access controls, and audit logs.

What counts as protected health information

PHI is individually identifiable health information about a person's past, present, or future health, the care they receive, or how that care is paid for. It is protected when a covered entity or business associate holds or transmits it, in any form: paper, spoken, or electronic. The HHS Privacy Rule summary has the full definition.

PHI is broader than charts and lab results. Appointment reminders, billing records, referral notes, voicemails, and text messages all contain PHI when they connect an identifiable person to their care.

The identity side matters as much as the health side. If information could point back to a specific patient, it is identifiable. That is where the 18 identifiers come in. Vendors that handle PHI for you must sign a Business Associate Agreement first.

The 18 HIPAA identifiers

HIPAA's Privacy Rule lists 18 identifiers that make health information identifiable. The list comes from the safe harbor de-identification standard in 45 CFR 164.514, explained in the HHS de-identification guidance. Remove all 18, and the data stops being PHI as long as no one could still identify the patient from what remains.

The 18 HIPAA identifiers with everyday clinic examples
IdentifierEveryday example
1. NamesA patient's first or last name in a message
2. Geographic data smaller than a stateStreet address, city, county, ZIP code
3. Dates related to an individual (except year)Birth date, admission date, appointment date
4. Phone numbersThe mobile number you text
5. Fax numbersA fax line on a referral form
6. Email addressesA patient's personal email
7. Social Security numbersSSN on an intake form
8. Medical record numbersThe MRN on a chart
9. Health plan beneficiary numbersAn insurance member ID
10. Account numbersA billing account number
11. Certificate or license numbersA driver's license number
12. Vehicle identifiersLicense plate or VIN
13. Device identifiers and serial numbersA pacemaker or pump serial number
14. Web URLsA personal website in a record
15. IP addressesThe address a patient portal login came from
16. Biometric identifiersFingerprints or voice prints
17. Full-face photos and comparable imagesA profile photo in a chart
18. Any other unique identifying number, characteristic, or codeAn internal patient code

PHI in text messages

A text does not need a diagnosis to contain PHI. "Hi Maria, we will see you Tuesday at 2" sent from a clinic pairs a name and phone number with the fact that Maria receives care there. That is PHI.

Standard SMS gives PHI no protection. Messages travel unencrypted, sit on personal phones, and phone carriers won't sign a BAA. Once a patient detail leaves in a plain text, your organization cannot retrieve it, restrict it, or prove who saw it.

This is why HIPAA compliant texting exists as a category. The HIPAA compliant texting guide walks through the full requirements: a signed BAA, encryption, access controls, and audit logs.

How BloomText protects PHI

BloomText includes a signed Business Associate Agreement on every plan, including the free plan. That puts the legal foundation in place before the first message.

Patients receive secure links over normal SMS and reply from any phone, with no app download. The conversation itself stays encrypted in transit and at rest on BloomText's servers instead of sitting in an unprotected SMS thread.

Admins control who can access patient conversations and can revoke access the same day someone leaves. Every message is retained and exportable for audit. Read receipts on secure messages show who has seen each message, so your team knows a time-sensitive update was picked up.

Frequently Asked Questions

What does PHI stand for?
PHI stands for Protected Health Information. It is health information that can identify a patient, held or transmitted by a HIPAA covered entity or its business associates, in any form: electronic, paper, or spoken.
What is the difference between PHI and PII?
PII (personally identifiable information) is any data that identifies a person in any context. PHI is identifiable information tied to health, care, or payment for care, and held by a covered entity or business associate. All PHI involves PII, but PII alone is not PHI.
Is a patient's phone number PHI?
Yes, when a covered entity holds it. Phone numbers are one of the 18 HIPAA identifiers. A phone number in your practice's records connects a person to the care your practice provides, which makes it PHI.
Is a text message PHI?
A text message contains PHI when it connects an identifiable patient to their care. An appointment reminder with a patient's name qualifies. That is why the platform carrying the message needs a BAA, encryption, and audit logs.
What is ePHI?
ePHI is PHI in electronic form: messages, emails, records in an EHR, or files on a server. The HIPAA Security Rule sets the safeguards for ePHI, including access controls, encryption, and audit logging.
When does health information stop being PHI?
When it is de-identified. Under the safe harbor method, all 18 identifiers are removed and the organization has no reason to believe the remaining data could identify anyone. An expert determination method is the alternative. De-identified data is no longer restricted by HIPAA.
Can I text patients under HIPAA at all?
Yes. HIPAA does not ban texting. It requires safeguards: a signed BAA with the platform, encryption, access controls, and audit logs. BloomText meets these requirements on every plan, and patients reply over normal SMS without downloading an app.

Sources

Last verified July 8, 2026.

  1. HHS: Summary of the HIPAA Privacy Rule
  2. HHS: Guidance on De-identification of Protected Health Information
  3. eCFR: 45 CFR 164.514, Other requirements relating to uses and disclosures of PHI