A Single Phone Number Cost This Health Plan $6.85 Million
In 2018, Premera Blue Cross agreed to pay $6.85 million to the Office for Civil Rights after a breach exposed the data of 10.4 million individuals. Among the compromised data points? Names, dates of birth, Social Security numbers — and phone numbers. Every single one of those elements qualified as protected health information under HIPAA.
I bring this up because I get asked "is phone number PHI?" at least once a week. Clinic managers, IT directors, even compliance officers second-guess this one. The answer is straightforward, but the context matters enormously.
If you're handling patient phone numbers in any capacity — scheduling calls, text reminders, billing inquiries — you need to understand exactly when a phone number crosses the line into PHI and what that means for your organization.
So, Is Phone Number PHI Under HIPAA?
Yes. A phone number is one of the 18 identifiers listed by HHS that can make health information individually identifiable. When a phone number is connected to a patient's health condition, treatment, or payment for healthcare, it becomes PHI. Full stop.
Here's the exact language that matters: the HIPAA Privacy Rule defines PHI as individually identifiable health information that is created or received by a covered entity and relates to a patient's past, present, or future health condition or payment. Phone numbers appear on that list of identifiers right alongside names, email addresses, and Social Security numbers.
A phone number sitting in your personal contact list with no health context? Not PHI. That same phone number in your EHR, on a patient intake form, or in a billing spreadsheet? Absolutely PHI.
The 18 Identifiers You Need to Know
HHS spells out 18 types of identifiers under the HIPAA Privacy Rule's de-identification standard (45 CFR §164.514). Phone numbers are identifier number four. Here's the full list for reference:
- Names
- Geographic data smaller than a state
- All dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
If your organization strips all 18 identifiers from a dataset, it's considered de-identified and no longer subject to HIPAA protections. Leave even one — like a phone number — and the entire dataset remains PHI.
The Context Trap: When a Phone Number Becomes Dangerous
Here's where I see organizations get burned. They treat phone numbers as low-risk data. They paste them into unencrypted spreadsheets. They text them between staff on personal devices. They leave voicemails that reference both a phone number and a diagnosis.
In my experience, the phone number itself isn't what triggers the breach — it's the casual attitude toward it. Your front desk staff might not think twice about jotting a patient's callback number on a sticky note next to their appointment reason. But that sticky note is now PHI sitting in plain view.
I've seen covered entities fail audits specifically because phone numbers appeared in unprotected email threads alongside clinical details. OCR doesn't care that "it was just a phone number." If it links back to a patient's health information, it's PHI, and it demands the same safeguards as a diagnosis or lab result.
Text Messages and Patient Phone Numbers
Text-based appointment reminders are everywhere now. And they create real risk. When your practice sends a text to a patient's phone number confirming a cardiology appointment, that message contains PHI — the phone number plus the implied health condition.
If you're using a texting platform, it must meet HIPAA requirements. That means a Business Associate Agreement with the vendor, encryption in transit and at rest, and access controls. Most consumer-grade messaging apps don't meet these standards.
The $1.5 Million Voicemail Problem
In 2019, Touchstone Medical Imaging agreed to pay $3 million to OCR after an investigation that started with patient information being exposed online. But I've also seen smaller practices face corrective action plans over something as simple as voicemail protocols.
Think about this: your staff calls a patient and leaves a voicemail that says, "Hi, this is Dr. Smith's office calling about your lab results. Please call us back at this number." That voicemail just disclosed PHI to whoever has access to that phone. The callback number from your clinic, combined with the reference to lab results, creates a PHI disclosure.
Voicemail policies should be part of every covered entity's HIPAA training. Staff need to know what they can and cannot say when leaving messages — and your organization needs written policies that spell it out.
How to Protect Phone Numbers as PHI
Protecting phone numbers requires the same rigor you apply to any other PHI. Here's what that looks like in practice:
Administrative Safeguards
- Include phone numbers explicitly in your Notice of Privacy Practices and internal policies.
- Train every workforce member — not just clinicians — on what qualifies as PHI. Your HIPAA workforce training program should cover all 18 identifiers with real-world examples.
- Establish clear voicemail and callback protocols.
- Audit who has access to patient contact information and restrict it to those with a legitimate need.
Technical Safeguards for ePHI
- Encrypt any electronic system that stores or transmits patient phone numbers — EHRs, scheduling tools, billing software, and communication platforms.
- Implement access controls so only authorized users can view patient contact records.
- Use audit logs to track who accesses phone number data and when.
- Ensure any texting or calling platform has a signed BAA and meets HIPAA security standards.
Physical Safeguards
- Don't leave printed patient lists, callback sheets, or sign-in logs with phone numbers in public areas.
- Shred paper records containing phone numbers before disposal.
- Lock workstations that display patient contact information when unattended.
What About Phone Numbers in De-Identified Data?
If you're working with de-identified datasets — for research, analytics, or reporting — phone numbers must be removed. Under the Safe Harbor method defined by HHS, you cannot include any of the 18 identifiers if you want the data to qualify as de-identified.
I've reviewed datasets from health systems that scrubbed names and dates of birth but left phone numbers intact. That single oversight meant the entire dataset was still PHI, still subject to HIPAA, and still a potential breach if disclosed improperly.
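As an added illustration of the rule stated in the identifier list above and the scrubbing failure just described (this is not code from the original post), here is a small Python check that scans a dataset for the residual identifiers that most often survive a "scrub" and reports whether the whole set is still PHI. The regular expressions, field names and the constructed sample records are assumptions of the example, not HHS-published rules.

```python
import re

# Regular expressions for a few of the 18 Safe Harbor identifiers that most often
# survive a "scrub" because staff do not think of them as PHI. Assumption: North
# American phone/fax formats; international data needs extra patterns. A pattern
# cannot tell a phone number from a fax number, so both are reported as one class.
IDENTIFIER_PATTERNS = {
    "phone_or_fax_number": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "email_address": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    # Full dates are identifiers; a bare year is permitted under Safe Harbor.
    "full_date": re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})(?!\d)"),
}


def scan_record(record: dict) -> list[tuple[str, str, str]]:
    """Return (field, identifier_type, matched_text) for each residual identifier."""
    findings = []
    for field, value in record.items():
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            for match in pattern.finditer(str(value)):
                findings.append((field, kind, match.group(0)))
    return findings


def scan_dataset(records: list[dict]) -> list[tuple[int, str, str, str]]:
    """Scan every record; a single hit means the whole dataset is still PHI."""
    return [(i, *f) for i, rec in enumerate(records) for f in scan_record(rec)]


def is_safe_harbor_clean(records: list[dict]) -> bool:
    # Pattern matching is a floor, not a certification: Safe Harbor also requires
    # that the entity have no actual knowledge the remaining data could identify
    # someone, and free-text fields still need human review.
    return not scan_dataset(records)


# Constructed sample dataset: names and dates of birth have already been removed,
# but a callback number, an e-mail address and a visit date were left in free text.
SAMPLE_RECORDS = [
    {"record_id": "R-0001", "age_band": "60-69", "diagnosis": "I10 hypertension",
     "notes": "Prefers morning appointments."},
    {"record_id": "R-0002", "age_band": "40-49", "diagnosis": "E11.9 type 2 diabetes",
     "notes": "Callback (206) 555-0143 re: lab results"},
    {"record_id": "R-0003", "age_band": "30-39", "diagnosis": "J45 asthma",
     "notes": "Seen 2024-03-11; follow-up sent to pt.example@example.com"},
]

if __name__ == "__main__":
    for hit in scan_dataset(SAMPLE_RECORDS):
        print("record %d field %r: %s -> %r" % hit)
    print("de-identified:", is_safe_harbor_clean(SAMPLE_RECORDS))
```

Running it reports the phone number in record 2 and the e-mail and visit date in record 3, so the dataset is flagged as still PHI even though names and birth dates were removed.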
Your Staff Probably Can't Name All 18 Identifiers
Here's the uncomfortable truth: most workforce members at covered entities and business associates can't list all 18 PHI identifiers from memory. They know names and Social Security numbers are PHI. They might remember email addresses. But phone numbers, IP addresses, and device serial numbers? Those fall through the cracks.
This is exactly why annual HIPAA training matters — and why that training needs to go beyond generic slides. Your team needs scenario-based education that makes identifiers like phone numbers feel concrete and real. The HIPAA training catalog at HIPAACertify covers these identifiers with practical examples your staff will actually remember.
What Happens If You Get This Wrong
OCR has made it clear through enforcement actions that mishandling any PHI identifier — including phone numbers — can trigger investigations, corrective action plans, and civil monetary penalties. Penalties range from $141 per violation for unknowing violations up to over $2 million per violation category per year for willful neglect.
Beyond penalties, a breach involving phone numbers can erode patient trust. Patients who discover their phone numbers were exposed alongside health information may file complaints with HHS OCR, triggering the investigation process.
The Bottom Line on Phone Numbers and PHI
Is phone number PHI? Yes — whenever it's linked to health information held by a covered entity or business associate. It's one of 18 identifiers that HHS explicitly names, and it demands the same protections as any other piece of protected health information.
Don't let the simplicity of a 10-digit number fool your team into complacency. Build phone number handling into your policies, your workforce training, and your technical safeguards. Because when OCR comes looking, "we didn't think a phone number counted" has never been an acceptable defense.