Job Aid for Analysis of Security of PHI

Was the PHI unsecured or was it rendered unusable, unreadable or indecipherable to unauthorized individuals under standards established in current HHS guidance? Determine the format of the information and apply the appropriate standards in the corresponding column(s).

Is it a paper, film or other hard copy media?

Is it electronic media?

Is it data at rest?

Is it data in motion?

Privacy Officer should determine if it was shredded or destroyed in a manner that the PHI could not be read or otherwise reconstructed.

Note: Redaction is not an acceptable means of destruction.

Security Officer should determine if it was cleared, purged or destroyed in a manner assuring the PHI cannot be retrieved from the media  - meeting the NIST     Guidelines for Media Sanitation for the type of media involved.

Security Officer should determine if it was validly encrypted in accordance with NIST Special Publication 800-111 and the encryption key was not compromised.

Security Officer should determine if it was validly encrypted using a process that complies with the appropriate NIST standard (800-52 Transport Layer Security standard or   800-77 or 800-13 VPN standards).

Destroyed & not reconstructable: The PHI was secured.  This should be documented and no breach occurred.

Meets Sanitation guidelines: The PHI was secured.  This should be documented and no breach occurred.

Validly encrypted – key uncompromised: The ePhi was secured.  This should be documented and there is no breach.

Validly encrypted or validated: The ePHI was secured.  This should be documented and there is no breach.

No: it was unsecured PHI and the breach assessment must be completed.

No: It was unsecured PHI and the breach assessment must be completed.

No: It was unsecured PHI and the breach assessment must be completed.

No: It was unsecured PHI and the breach assessment must be completed.