If your Organization has experienced an Incident, please use the chart below to determine if there is unsecured PHI involved. If there is unsecured PHI, continue on and complete the Breach Determination Assessment Form to determine if the Incident is a Breach.
HIPAA Privacy and Security Rule Policy
Determination of a Breach of Unsecured Protected Health Information
Was the PHI unsecured or was it rendered unusable, unreadable or indecipherable to unauthorized individuals under standards established in current HHS guidance? Determine the format of the information and apply the appropriate standards in the corresponding column(s).

| Is it a paper, film or other hard copy media? | Is it electronic media? | Is it data at rest? | Is it data in motion? |
|---|---|---|---|
| Note: Redaction is not an acceptable means of destruction. | Security Officer should determine if it was cleared, purged or destroyed in a manner assuring the PHI cannot be retrieved from the media, meeting the NIST Guidelines for Media Sanitization for the type of media involved. | Security Officer should determine if it was validly encrypted in accordance with NIST Special Publication 800-111 and the encryption key was not compromised. | Security Officer should determine if it was validly encrypted using a process that complies with the appropriate NIST standard (800-52 Transport Layer Security standard or 800-77 or 800-13 VPN standards). |
| Destroyed & not reconstructable: The PHI was secured. This should be documented and no breach occurred. | Meets Sanitization guidelines: The PHI was secured. This should be documented and no breach occurred. | Validly encrypted – key uncompromised: The ePHI was secured. This should be documented and there is no breach. | Validly encrypted or validated: The ePHI was secured. This should be documented and there is no breach. |
| No: It was unsecured PHI and the breach assessment must be completed. | No: It was unsecured PHI and the breach assessment must be completed. | No: It was unsecured PHI and the breach assessment must be completed. | No: It was unsecured PHI and the breach assessment must be completed. |