
Privacy Guidance: Breach Notification Rule and Rendering Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HHS guidance on when PHI has been rendered "unusable, unreadable, or indecipherable to unauthorized individuals." PHI that meets this standard is not "unsecured PHI" for purposes of the HIPAA Breach Notification Rule, so a compromise of such PHI does not trigger the Rule's notification obligations.

What Does the HIPAA Breach Notification Rule Require?

Per the HIPAA Breach Notification Rule, breaches of unsecured PHI must be reported to affected individuals, to HHS, and, in some instances, to the media.

The HIPAA Breach Notification Rule defines "unsecured protected health information" as "protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5" (that is, Section 13402(h)(2) of the HITECH Act).

When Has PHI Been Rendered Unusable, Unreadable, or Indecipherable to Unauthorized Individuals?

Section 13402 called for HHS to issue guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

HHS has issued that guidance. It can be found here.

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals (and is therefore "not unsecured") if one or more of the following applies:

1.    Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.  To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.  The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

  • Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
  • Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
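The practical point of item 1 is that encryption only keeps PHI out of the "unsecured" category while the key stays unbreached, which is why the guidance wants the key held somewhere other than the encrypted data. The following Go program is an added illustration of that separation and is not code from HHS, NIST, or the original article. It assumes a hypothetical KeyStore type standing in for a separate key location (an HSM or key-management service in practice) and uses AES-256-GCM from Go's standard library as one FIPS-approved algorithm; the guidance itself names standards, not a particular algorithm or product. The stored record carries only a key ID, never the key, and the LeaksPlaintext check is the kind of review a practitioner would run before relying on the safe harbor.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key location held apart from the data store.
// It is a constructed stand-in for this example, not a real product.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a fresh random 256-bit AES key under keyID.
func (ks *KeyStore) Generate(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[keyID] = key
	return nil
}

// Get returns the key for keyID, or an error if this store does not hold it.
func (ks *KeyStore) Get(keyID string) ([]byte, error) {
	key, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("key not present in this key store")
	}
	return key, nil
}

// SealedRecord is what the data store holds. It names the key by ID but
// never carries the key, so losing the record alone does not expose the PHI.
type SealedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals plaintext under the named key. The key ID is bound as
// associated data so a record cannot be silently re-pointed at another key.
func EncryptPHI(ks *KeyStore, keyID string, plaintext []byte) (*SealedRecord, error) {
	key, err := ks.Get(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return &SealedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI succeeds only when the caller's key store holds the exact key
// the record was sealed with; a missing or wrong key yields an error, not garbage.
func DecryptPHI(ks *KeyStore, rec *SealedRecord) ([]byte, error) {
	key, err := ks.Get(rec.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

// LeaksPlaintext reports whether any given plaintext field appears verbatim
// in the stored ciphertext, a sanity check on what the data store actually holds.
func LeaksPlaintext(rec *SealedRecord, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(rec.Ciphertext, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	ks := NewKeyStore()
	if err := ks.Generate("phi-key-1"); err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration; not real patient data.
	phi := []byte("Patient: Jane Doe; MRN 000123; Dx: hypertension")
	rec, err := EncryptPHI(ks, "phi-key-1", phi)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in data store:", LeaksPlaintext(rec, "Jane Doe", "000123"))
	_, err = DecryptPHI(NewKeyStore(), rec) // data store compromised, key store not
	fmt.Println("decrypt without key store:", err)
	pt, _ := DecryptPHI(ks, rec)
	fmt.Println("decrypt with key store:", string(pt))
}
```

Running it shows the data-store copy alone is unreadable and that decryption fails closed without the key; the separation is what keeps the "confidential process or key" unbreached when only the storage device is lost.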

2.    The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

  • Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
  • Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.