
sha256 is not designed to hash passwords. To hash passwords, you should prefer to use hash functions created for this usage. You will find all required information below in another question addressing a similar request: Most secure password hash algorithm(s)?.

In the above mentioned question, you will learn why general purpose hash functions like sha256 do not have the right properties to ensure a secure storage of passwords (even when applied a large number of times on itself), and you will also find a ranking of the most-recommended hash functions dedicated for secure passwords handling:

  1. scrypt: Which is still quite new (published in 2012), but is designed to ensure better security than its predecessor bcrypt,
  2. bcrypt: It was designed specifically for password storage and was the recommended choice for a long time,
  3. PBKDF2: It's actually designed as a key stretching function, ie. a secure way to derive a cryptographic key from a given password, but its properties make it also suitable for password storage.

In your question you mentioned the PHP function password_hash(). This function is not a hash algorithm per se. In fact, this function is used to allow PHP to select the most trusted password hash algorithm available without having to modify your code.

As indicated in the documentation, as per PHP 5.5.0, bcrypt is selected by default.
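As an added illustration that is not part of the answer above (it assumes PHP 5.5 or later and uses a constructed sample password), this shows how password_hash() delegates the algorithm choice, how its output differs from a bare sha256 digest, and how password_needs_rehash() lets stored hashes be upgraded without changing the login code:

```php
<?php
// Added example (not the original answer's code): compare a bare sha256 digest
// with what password_hash() stores, then verify and upgrade the stored hash.
declare(strict_types=1);

// Constructed sample credential, for demonstration only.
$password = 'correct horse battery staple';

// General-purpose hash: fast, unsalted, and the same input always yields the
// same output, so identical passwords across accounts share one digest.
$sha = hash('sha256', $password);

// password_hash() picks the current default algorithm (bcrypt since PHP 5.5.0),
// draws a random salt and encodes algorithm, cost and salt into the result.
$stored = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);

// Hashing the same password twice gives different strings: each has its own salt.
$again = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);

printf("sha256: %s\n", $sha);
printf("bcrypt: %s\n", $stored);   // bcrypt output is prefixed with $2y$ and the cost
printf("identical bcrypt strings? %s\n", $stored === $again ? 'yes' : 'no');

// The algorithm and its parameters are readable back out of the stored string.
$info = password_get_info($stored);
printf("algorithm: %s, cost: %d\n", $info['algoName'], $info['options']['cost']);

// Verification reads the parameters from the stored hash, so application code
// never names the algorithm and never compares digests with a plain ===.
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong password', $stored));

// When PHP's default or the configured cost changes, old hashes still verify;
// the login path rehashes them after a successful check instead of migrating.
if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 13])) {
    $stored = password_hash($password, PASSWORD_DEFAULT, ['cost' => 13]);
    echo "rehashed with a higher cost\n";
}
```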



Source Link
WhiteWinterWolf

sha256 is not made to hash passwords. It is secure for signature purposes for instance (like you will find in certificates for instance) or to verify the integrity of large amounts of data (.iso images for instance), but to hash passwords you must definitely prefer to use hash functions created for this specific usage.

You will find interesting information below in another question addressing a similar request: Most secure password hash algorithm(s)?.

In the above mentioned question, you will learn why general purpose hash functions like sha256 do not have the right properties to ensure a secure storage for passwords (even when applied a large number of times on itself), and you will also find a ranking of the most recommended hash functions dedicated to secure password handling:

  1. scrypt: Which is still quite new (published in 2012), but is designed to ensure better security than its predecessor bcrypt,
  2. bcrypt: It was designed specifically for password storage and was the recommended choice for a long time,
  3. PBKDF2: It's actually designed as a key stretching function, ie. a secure way to derive a cryptographic key from a given password, but its properties make it also suitable for password storage.

In your question you mentioned the PHP function password_hash(). This function is not a hash algorithm per se. In fact, this function is used to rely on PHP to select the most trusted password hash algorithm available without having to modify your code.

As indicated in the documentation, as per PHP 5.5.0, bcrypt is selected by default.