HIPAA Glossary

Unsecured Protected Health Information

PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through HHS-specified technologies such as encryption and destruction.

Understanding Unsecured PHI

Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified by HHS. In practical terms, PHI is considered "unsecured" if it has not been encrypted using NIST-approved methods (for electronic PHI) or destroyed so that it cannot be reconstructed (for paper or electronic media). The distinction between secured and unsecured PHI is critically important because it determines whether a breach of that information triggers the notification requirements of the Breach Notification Rule.

Methods for Securing PHI

HHS has specified two methods for rendering PHI secured (and therefore exempt from breach notification). For electronic PHI, the approved method is encryption consistent with NIST Special Publication 800-111 (for data at rest) and NIST Special Publications 800-52, 800-77, or 800-113 (for data in transit). For PHI on paper, film, or other hard copy media, the approved method is destruction that leaves the PHI unreadable and impossible to reconstruct: shredding, burning, pulping, or pulverizing. For electronic media, acceptable destruction includes clearing, purging, or destroying the media consistent with NIST Special Publication 800-88. PHI secured through these methods is exempt from breach notification requirements even if it is accessed by unauthorized persons.
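Encryption at rest is the first of the two HHS-specified methods. As an added illustration (not code from this glossary or from HHS), the Go program below seals one ePHI record with AES-256-GCM, the kind of FIPS-approved algorithm NIST SP 800-111 points to, so that the stored blob is unreadable without the key and any alteration is rejected on decryption. The demo key and the record are constructed placeholders; in a real deployment the key would come from a KMS and never sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM wraps AES-GCM (FIPS-approved, as NIST SP 800-111 expects for data
// at rest); pass a 32-byte key for AES-256. The key must be kept apart from
// the data (e.g. in a KMS): a blob stored beside its key is not "secured".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI returns nonce || ciphertext || tag for one ePHI record.
func SealPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPHI decrypts and authenticates; a wrong key or any altered byte fails.
func OpenPHI(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a KMS
	rand.Read(key)
	blob, _ := SealPHI(key, []byte("MRN 000123; dx: constructed sample"))
	blob[len(blob)-1] ^= 1 // flip one bit of the GCM tag: OpenPHI must fail
	_, err := OpenPHI(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```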

Breach Notification Implications

The practical impact of unsecured PHI is significant. If unsecured PHI is accessed, used, or disclosed in a manner not permitted by the Privacy Rule, the organization must presume a breach has occurred and follow the full breach notification process, which includes notifying affected individuals within 60 days, reporting to HHS, and potentially notifying media outlets for large breaches. The costs of breach notification, including investigation, remediation, credit monitoring, legal fees, regulatory fines, and reputational damage, can be substantial. This is why encryption and proper destruction are among the most cost-effective security investments an organization can make: by securing PHI, organizations create a safe harbor that eliminates the most damaging consequences of a security incident.
