What’s Considered to Be “Unsecured” PHI?

Organizations that handle protected health information (PHI), also referred to as personal health information, have specific requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One is to report “unsecured” PHI breaches to both the affected patients and the U.S. Department of Health & Human Services. Failure to do so can lead to fines and other consequences. But what exactly counts as PHI, and what does HIPAA mean by “unsecured”?

What Is PHI?

PHI has two main elements to it. It is information that is health-related and identifiable to a specific person. Any information used by a healthcare provider for healthcare services or payment isn’t fully anonymous. Examples of this information could be medical bills, test results, charts, health records, and more.

HIPAA very specifically denotes the types of information that qualify as PHI. Any of the following individual identifiers count as PHI:

• Names
• Dates, other than the year
• Phone or fax numbers
• Addresses
• Email addresses
• Social Security numbers
• Medical records or other unique identifying numbers
• Health plan beneficiary or account numbers
• Certificate or license numbers
• License plate numbers or other vehicle identifiers
• Serial numbers
• URLs or IP addresses
• Identifiable photographs
• Fingerprints or other biometric identifiers

Any document that contains these items is considered PHI and falls under the proper handling and disposal requirements imposed by HIPAA.

Of course, this only applies to organizations covered by HIPAA, like hospitals and other healthcare providers. However, any business associates who receive these documents from those organizations also have reporting requirements for breaches and could face fines for failing to do so.

Unsecured PHI

A PHI breach is only a cause for concern when that information is unsecured. HIPAA has strict guidelines for what unsecured means, stating that it is any PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals.” In practice, this has two implications for most organizations.

Electronic PHI

Electronic PHI has become increasingly prevalent, with many records and other types of information kept electronically. A loss of this data constitutes a breach, but only when it is unsecured.

For HIPAA purposes, data is considered “indecipherable to unauthorized individuals” when it has been encrypted. While they have specific definitions for encryption, this essentially means the same type of encryption many forms of online communication use, where only the intended recipient can decrypt and access the information.

Paper PHI

PHI kept on paper, film, or other types of hard copies need to be destroyed (shredded), which means that they must be “unreadable.” Hard drive disposal also falls under this category. Health providers must physically dispose of hard drives in accordance with NIST standards.

Properly Disposing of Your IT Assets and Documents

SEAM provides a variety of IT asset disposition and shredding services here in North Dakota and South Dakota. Our team implements hard drive shredding procedures per NIST Special Publication 800-88 (Revision 1) standards, which will allow your company to maintain HIPAA compliance, as well as paper shredding and document destruction services. Reach out to SEAM today for professional shredding that strengthens your data security.