Paubox blog: HIPAA compliant email made easy

Identifying PHI in text messages

Written by Tshedimoso Makhene | September 26, 2024

Identifying PHI in text messages is an essential skill for healthcare professionals and any stakeholders involved in patient care or health data. Healthcare providers can mitigate the risk of non-compliance with HIPAA and other privacy regulations by understanding what qualifies as PHI and following best practices for secure communication.


What is PHI?

Protected health information (PHI) refers to any information that can identify an individual and pertains to their health status, healthcare treatment, or payment for healthcare. In the U.S., PHI is governed by the Health Insurance Portability and Accountability Act (HIPAA), which outlines strict rules for the storage, transmission, and protection of sensitive health information.

Under HIPAA, PHI includes clinical data and personal identifiers that could be used to trace back to an individual, creating a broad spectrum of information that needs to be protected.


Categories of PHI

There are two broad categories of PHI that healthcare entities should be aware of when analyzing text messages: identifiable information and health-related information. Data must contain both to be PHI: health-related information that is linked, directly or by context, to an identifiable person.


Identifiable information

Identifiable information is any data that can be used to uniquely identify a person. In a healthcare context, this includes:

  • Names: Full names, initials, or even parts of names that could be used to infer someone's identity.
  • Addresses: Street addresses, city names, and ZIP codes. Any geographic identifier smaller than a state can be PHI (the Safe Harbor rule allows only the first three digits of a ZIP code, and only when the area they cover holds more than 20,000 people).
  • Contact information: Phone numbers, email addresses, fax numbers.
  • Dates: Birth dates, dates of service, admission or discharge dates, and death dates.
  • Social Security Numbers: These are highly sensitive and often the first thing healthcare providers check for PHI.
  • Medical record numbers: These include numbers linked to an individual's health records.
  • Account numbers: Bank account, insurance policy, and other financial identifiers.
  • Biometric identifiers: Fingerprints, retina scans, or any physiological or behavioral characteristics that can identify someone.
  • Full-face photographs or comparable images: These include pictures where a person can be easily identified.

Any of these identifiers in a text message qualifies the message as PHI once it is connected with health information.

Go deeper: What are the 18 PHI identifiers?


Health-related information

This category includes details about an individual’s health status, healthcare treatment, or healthcare payments. Specifically, this can involve:

  • Health condition: Information about a person’s physical or mental health, such as diagnoses (e.g., “The patient was diagnosed with diabetes”).
  • Healthcare services: Treatments, surgeries, medications, lab tests, or any specific medical service provided to an individual.
  • Payment information: Payment details for healthcare services, including any insurance-related information that can be connected to an individual.

If any of these health-related categories is linked with identifiable information, it’s considered PHI and subject to HIPAA regulations.


Identifying PHI in text messages

To identify whether a text message contains PHI, follow these steps:


Look for identifiers

These could be as straightforward as someone's full name, but even partial identifiers like initials, room numbers, or dates of treatment can be considered PHI when combined with other information.

Example:

  • “Patient J. Smith was admitted yesterday for chest pain.”
  • In this message we have an initial and surname plus an admission date (“yesterday” resolves to a specific date once you know when the message was sent), which together could identify an individual when linked with other details.

Check for health information

Even if the text message doesn’t mention a patient’s full name or social security number, it could still include health-related information that, when combined with other data, qualifies as PHI.

Example:

  • “The patient had a CT scan today, and the results were concerning.”
  • This message contains information about a healthcare service (CT scan) and a possible health condition. It names no one, but it becomes PHI as soon as the recipient can tell which patient is meant, for example from an earlier message in the same thread.

Assess context

Context matters in determining whether data in a text message qualifies as PHI. A name or phone number alone, in the absence of any health-related data, would not be considered PHI. However, the combination of health information and an identifier would trigger HIPAA rules. Bear in mind that the context can supply the health information: an appointment reminder sent by a clinic to a patient’s phone reveals that the person is receiving care from that clinic, which is itself health-related information.

Example:

  • “John was released from the hospital this morning after his knee surgery.”
  • The combination of John’s first name, the hospital discharge, and the surgery reveals identifiable and health-related information.

Consider implied information

Sometimes, the health information in a message isn’t explicitly stated, but it can be inferred. If a message talks about a healthcare provider, a treatment, or even mentions something as innocuous as a follow-up appointment, it could still be classified as PHI.

Example:

  • “Let me know if you’re picking up the medications from Dr. Smith’s office today.”
  • Here, there is no direct mention of a health condition, but by referencing medications and a specific doctor’s office, one can infer health-related information, potentially making this PHI.

Practical examples of PHI in text messages

Example 1: Non-PHI

“I’ll call you after work.”

This message is completely devoid of personal identifiers or health-related information, so it is not PHI.


Example 2: PHI

“Maria Fernandez needs to reschedule her chemotherapy session for tomorrow.”

The full name and the reference to chemotherapy (a health-related service) make this message PHI.


Example 3: Implied PHI

“He had his dialysis at 10:00 AM today.”

Even though the person’s name isn’t explicitly mentioned, the reference to a specific treatment could imply health-related information if the recipient knows who "he" is.


Best practices for handling PHI in text messages

Once you can identify PHI, it’s important to ensure that you handle it appropriately to remain compliant with HIPAA regulations. Here are some best practices:

  • Avoid sending PHI in text messages: Whenever possible, avoid sending PHI through unsecured channels like standard SMS, which carriers transmit and store unencrypted. Use secure messaging platforms, like Paubox Texting, that are HIPAA compliant and have encryption features to protect sensitive data. A Black Book survey revealed that “85 percent of hospitals and 83 percent of physician practices are using secure communication platforms between care teams, patients, and families,” says Healthcare IT News. This demonstrates a commitment by healthcare providers to protect the PHI they handle.
  • De-identify information: The safest way to send healthcare-related data in a text message is to leave the identifiers out. Example: instead of saying “John Doe had a blood test at 2:00 PM,” consider “The patient had a blood test this afternoon.” Note that this is a minimum-necessary measure rather than de-identification in the HIPAA sense: if the recipient can still work out who the patient is from the rest of the thread, the message is still PHI.
  • Limit the amount of information: If you must include PHI in a message, share only the minimum necessary information. For example, do not include a full name if initials will suffice, or refrain from mentioning specific procedures unless necessary.
  • Obtain consent: If a patient asks to receive PHI over an unencrypted channel such as standard SMS, warn them of the risk and record their agreement before sending.
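The four checks described under “Identifying PHI in text messages” and the de-identification step above can be scripted as a screening control in front of a messaging channel. The following is an added example written for this article, not Paubox’s code or any product’s: a small rule-based scanner that reports which identifier classes and health terms appear in a message, applies the context rule (identifier plus health information means PHI; health information alone is flagged for review), and redacts the identifiers it recognises. The regexes for SSN, phone, email, MRN and dates, the health-term lexicon and the three-patient roster are all constructed for illustration; the sample messages are the ones used in this article plus two constructed ones.

```python
"""Rule-based PHI screening and redaction for short text messages.

Added example, not Paubox's code or part of the original article. It applies
the article's checks (identifiers, health information, context, implied
information) to a message and then redacts the identifier classes it can
recognise. The regexes, the health-term lexicon and the patient roster are
constructed for illustration; a production scanner would use a vetted
library or a named-entity model.
"""
import re
from dataclasses import dataclass, field

# Constructed roster: patients on the sender's caseload. Each is matched as
# "Maria Fernandez", "M. Fernandez" or "Maria"; a bare surname ("Dr. Smith")
# is not matched, since that is usually the provider rather than the patient.
PATIENT_ROSTER = ("John Doe", "Maria Fernandez", "James Smith")


def _name_pattern(full_name):
    first, last = full_name.split()
    alts = [re.escape(full_name), rf"{first[0]}\. {re.escape(last)}", re.escape(first)]
    return re.compile(r"\b(?:" + "|".join(alts) + r")\b", re.I)


# Assumed patterns for the identifier classes that show up in free text.
IDENTIFIER_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("MRN",   re.compile(r"\bMRN[:# ]*\d{5,}\b", re.I)),
    ("DATE",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2}|"
                         r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]* \d{1,2}(?:, \d{4})?)\b")),
] + [("NAME", _name_pattern(n)) for n in PATIENT_ROSTER]

# Constructed lexicon of health-related terms (conditions, services, payment).
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|admitted|discharged?|hospital|chest pain|ct scan|mri|"
    r"lab test|blood test|surgery|chemotherapy|dialysis|medications?|"
    r"prescriptions?|appointment|insurance|copay|diabetes)\b", re.I)


@dataclass
class ScanResult:
    message: str
    identifiers: dict = field(default_factory=dict)   # kind -> matched strings
    health_terms: list = field(default_factory=list)
    verdict: str = "not PHI"


def find_identifiers(text):
    found = {}
    for kind, pattern in IDENTIFIER_PATTERNS:
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found.setdefault(kind, []).extend(hits)
    return found


def classify(text):
    """Apply the article's context rule: identifier + health information = PHI."""
    ids = find_identifiers(text)
    health = list(dict.fromkeys(m.group(0).lower() for m in HEALTH_TERMS.finditer(text)))
    if ids and health:
        verdict = "PHI"
    elif health:
        # No explicit identifier, but "he" or "the patient" may be obvious to
        # the recipient: flag for human review instead of clearing it.
        verdict = "implied PHI (review)"
    elif ids:
        verdict = "identifier only"   # a name or number with no health context
    else:
        verdict = "not PHI"
    return ScanResult(text, ids, health, verdict)


def deidentify(text):
    """Replace every recognised identifier with a class placeholder."""
    spans = [(m.start(), m.end(), kind)
             for kind, pattern in IDENTIFIER_PATTERNS
             for m in pattern.finditer(text)]
    out, last = [], 0
    # Longest match first at each position, so "Maria Fernandez" beats "Maria".
    for start, end, kind in sorted(spans, key=lambda s: (s[0], -s[1])):
        if start < last:       # overlaps an identifier already redacted
            continue
        out.append(text[last:start])
        out.append(f"[{kind}]")
        last = end
    out.append(text[last:])
    return "".join(out)


if __name__ == "__main__":
    # The article's example messages plus two constructed ones.
    samples = [
        "Patient J. Smith was admitted yesterday for chest pain.",
        "The patient had a CT scan today, and the results were concerning.",
        "John was released from the hospital this morning after his knee surgery.",
        "Let me know if you're picking up the medications from Dr. Smith's office today.",
        "I'll call you after work.",
        "Maria Fernandez needs to reschedule her chemotherapy session for tomorrow.",
        "He had his dialysis at 10:00 AM today.",
        "Call Maria Fernandez at 555-867-5309 to confirm her address.",   # constructed
        "Pt MRN 4471902 (DOB 03/14/1961) started dialysis 09/20/2024.",   # constructed
    ]
    for msg in samples:
        r = classify(msg)
        print(f"{r.verdict:22} {sorted(r.identifiers)} {r.health_terms}\n    {deidentify(msg)}")
```

Running the module prints, for each sample, the verdict, the identifier classes and health terms found, and the redacted text. Two limitations matter in practice: names are only found if they are on the roster (a generic capitalised-words pattern would flag sentence starts such as “Call Maria” and redact the wrong span, which is why production tools use a named-entity model), and a message that passes the scanner is not thereby de-identified under HIPAA. The scanner is a filter placed in front of a secure channel, not a substitute for one.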

See also: The guide to HIPAA compliant text messaging


FAQs

What is de-identified information?

De-identified information is data that has had all personal identifiers removed so that it cannot be traced back to an individual. HIPAA recognizes two methods: Safe Harbor, which strips all 18 identifier types, and expert determination, in which a qualified expert documents that the risk of re-identification is very small. When properly de-identified, the information is no longer considered PHI and is not subject to HIPAA regulations.


What are the consequences of mishandling PHI in text messages?

Mishandling PHI can lead to serious consequences, including legal actions, HIPAA violations, fines, and damage to the organization’s reputation. Healthcare providers may face penalties ranging from thousands to millions of dollars depending on the severity of the breach.