It's not phone book data, it's hospital directory information: Read and learn:
"HIPAA's Privacy Rule allows inpatient health care facilities to continue to maintain 'directories' of current patients, but restricts the information in them to the following: name; location in the facility; 'condition described in general terms, that does not communicate specific medical information'; and religious affiliation. Except for religious affiliation, the information may be disclosed to anyone who asks for the individual by name." (link to source)
I’m more than familiar with HIPAA privacy rules on what can and cannot be collected and shared. I programmed pharmacy software for many years. PHI (protected health information) is considered phone book data - name, address, phone number.
While a hospital can maintain a directory of patients and their locations in the facility, they may not disclose PHI without the patient’s consent and a patient may opt out of being included in the hospital directory or may limit disclosure to specific individuals. If a patient opts out of the directory, the hospital will typically answer that they have no information on the specific patient.