Job Aid for Analysis of Security of PHI

Modified on Thu, 18 May, 2023 at 1:51 PM

If your Organization has experienced an Incident, please use the chart below to determine if there is unsecured PHI involved.  If there is unsecured PHI, continue on and complete the Breach Determination Assessment Form to determine if the Incident is a Breach.


HIPAA Privacy and Security Rule Policy

Determination of a Breach of Unsecured Protected Health Information

Was the PHI unsecured, or was it rendered unusable, unreadable or indecipherable to unauthorized individuals under standards established in current HHS guidance? Determine the format of the information and apply the appropriate standards in the corresponding column(s). The chart has four columns, one per format, each set out below with its determination, its "secured" outcome and its "unsecured" outcome.

Column 1: Is it a paper, film or other hard copy media?

Privacy Officer should determine if it was shredded or destroyed in a manner that the PHI could not be read or otherwise reconstructed.

Note: Redaction is not an acceptable means of destruction.

Destroyed & not reconstructable: The PHI was secured. This should be documented and no breach occurred.

No: It was unsecured PHI and the breach assessment must be completed.

Column 2: Is it electronic media?

Security Officer should determine if it was cleared, purged or destroyed in a manner assuring the PHI cannot be retrieved from the media, meeting the NIST Guidelines for Media Sanitization for the type of media involved.

Meets sanitization guidelines: The PHI was secured. This should be documented and no breach occurred.

No: It was unsecured PHI and the breach assessment must be completed.

Column 3: Is it data at rest?

Security Officer should determine if it was validly encrypted in accordance with NIST Special Publication 800-111 and the encryption key was not compromised.

Validly encrypted, key uncompromised: The ePHI was secured. This should be documented and there is no breach.

No: It was unsecured PHI and the breach assessment must be completed.

Column 4: Is it data in motion?

Security Officer should determine if it was validly encrypted using a process that complies with the appropriate NIST standard (800-52 Transport Layer Security standard or 800-77 or 800-13 VPN standards).

Validly encrypted or validated: The ePHI was secured. This should be documented and there is no breach.

No: It was unsecured PHI and the breach assessment must be completed.
