Unsecured PHI Definition (HIPAA): What It Means and Examples
Definition of Unsecured PHI
Under HIPAA, unsecured PHI is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through approved technologies or methodologies. If PHI can be accessed or understood by someone who is not authorized, it is considered “unsecured.”
The HIPAA Security Rule expects you to safeguard electronic PHI with administrative, physical, and technical controls. When those controls fail or are absent—especially when strong encryption or proper destruction is missing—the risk of unauthorized disclosure rises and the PHI is “unsecured.”
What it means in practice
- An unencrypted laptop or smartphone containing PHI is stolen.
- PHI is emailed in plain text or via an unsecured messaging app.
- A cloud storage bucket with PHI is left publicly accessible.
- Paper charts with patient identifiers are tossed in regular trash.
- A USB drive with PHI lacks encryption and is lost.
- PHI is faxed to the wrong recipient and the information can be retained.
Methods to Secure PHI
To avoid having unsecured PHI, build a layered program aligned to the HIPAA Security Rule. Combine policy, technology, and physical protections so PHI remains protected throughout its lifecycle.
Administrative safeguards
- Conduct a risk analysis and manage risks with documented remediation plans.
- Adopt policies for access, minimum necessary use, sanctioning, and incident response.
- Train your workforce and test understanding regularly with role-based scenarios.
- Execute and manage business associate agreements that define security obligations.
- Develop contingency plans, including backups and disaster recovery testing.
Technical safeguards
- Enforce unique user IDs, multi-factor authentication, and automatic logoff.
- Apply encryption for data at rest and in transit; use validated encryption methodologies.
- Enable audit logging, centralized monitoring, and alerting for anomalous access.
- Use data loss prevention, endpoint protection, patching, and mobile device management with remote wipe.
- Segment networks and restrict administrative privileges following least privilege.
Physical safeguards
- Control facility access and secure areas where PHI is stored or viewed.
- Lock workstations, secure printers, and implement clean desk practices.
- Track device and media movement; maintain chain of custody for removals and repairs.
Encryption Standards
Encryption is a primary way to convert unsecured PHI into secured PHI. HHS guidance references NIST standards; for storage, NIST Special Publication 800-111 offers practical direction on protecting data on end‑user devices. Use FIPS 140-2 or FIPS 140-3 validated cryptographic modules to meet recognized expectations.
Data at rest
- Use AES (128/192/256) in a FIPS-validated module for servers, databases, backups, and endpoints.
- Prefer full-disk encryption on laptops and mobile devices, plus pre‑boot authentication.
- Encrypt file systems and databases; for especially sensitive fields, add application-level (field) encryption.
- Protect encryption keys separately from the data with hardened key vaults or HSMs.
Data in transit
- Use TLS 1.2 or 1.3 with strong cipher suites for web, APIs, and email transport.
- Deploy VPNs or mutually authenticated TLS for system-to-system exchanges.
- Validate certificates, enable forward secrecy (e.g., ECDHE), and disable obsolete protocols.
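The three transport rules above (TLS 1.2 or 1.3 only, forward-secret ECDHE key exchange, no obsolete suites) are easy to state and easy to get wrong in a server configuration. The following Go program, added here as an example and not code from the original page or from Accountable, places a weak `tls.Config` beside a hardened one and runs a small review function over each. `WeakConfig`, `HardenedConfig` and `CheckTLSConfig` are names chosen for this example; the version constants, suite identifiers and `tls.InsecureCipherSuites` are Go's standard `crypto/tls` API. Note that Go picks TLS 1.3 suites itself, so the explicit list governs TLS 1.2 negotiation only.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// insecureSuites is built from Go's own list of cipher suites with known weaknesses.
var insecureSuites = func() map[uint16]bool {
	m := make(map[uint16]bool)
	for _, s := range tls.InsecureCipherSuites() {
		m[s.ID] = true
	}
	return m
}()

// CheckTLSConfig reviews a tls.Config against the transport rules above:
// an explicit TLS 1.2 (or higher) floor, no insecure suites, and ECDHE
// (forward secrecy) for every explicitly listed TLS 1.2 suite.
// It returns one finding per problem; an empty slice means the config passed.
func CheckTLSConfig(cfg *tls.Config) []string {
	var findings []string
	// MinVersion 0 means "toolchain default"; an explicit floor is clearer
	// and does not move when the Go version changes, so 0 is reported too.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion allows TLS 1.1 or older (or is unset); set tls.VersionTLS12 or higher")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecureSuites[id]:
			findings = append(findings, fmt.Sprintf("%s is in Go's insecure suite list; remove it", name))
		case !strings.HasPrefix(name, "TLS_ECDHE_"):
			findings = append(findings, fmt.Sprintf("%s lacks forward secrecy (no ECDHE key exchange); remove it", name))
		}
	}
	return findings
}

// WeakConfig is a constructed example of a configuration that leaves PHI in
// transit exposed: a TLS 1.0 floor plus RC4 and static-RSA key exchange suites.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// HardenedConfig applies the rules: TLS 1.2 floor, ECDHE AEAD suites only,
// and modern curves (X25519, P-256) for the key exchange.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

func main() {
	for label, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		findings := CheckTLSConfig(cfg)
		fmt.Printf("%s config: %d finding(s)\n", label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The check deliberately reports one finding per suite, so the weak configuration yields three findings (the version floor plus one per suite) and the hardened one yields none. Certificate validation, the third bullet, is Go's default behaviour for clients as long as `InsecureSkipVerify` is left false, which is why the check does not need to test for it separately.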
Key management essentials
- Rotate keys, enforce separation of duties, and log all key operations.
- Back up keys securely and implement procedures for emergency key recovery.
- Use role-based access to key material and immediately revoke access on role changes.
Mobile and removable media
- Encrypt smartphones, tablets, and removable drives by default; require device PINs and remote wipe.
- Disable unapproved portable storage and scan allowed devices for malware.
Destruction of PHI
When you no longer need PHI, apply PHI destruction standards that make data irretrievable. Following recognized methodologies ensures the information is not recoverable and therefore not unsecured.
Paper records
- Use cross-cut shredding, pulping, or incineration so documents cannot be reconstructed.
- Place discard materials in locked bins and supervise transport to destruction.
- Document destruction events and verify outcomes.
Electronic media
- Sanitize using methods consistent with NIST media sanitization guidance (e.g., secure erase or cryptographic erase).
- For magnetic media where appropriate, use degaussing; for SSDs and optical media, use approved destruction or shredding.
- Physically destroy failed or retired drives when reuse is not intended; obtain certificates of destruction when using vendors.
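Two of the controls on this page fit together in code: field-level encryption with keys held apart from the data (the "Data at rest" and "Key management essentials" lists) and cryptographic erase (the first "Electronic media" bullet). The Go program below is an added example, not code from the original page or from Accountable. `KeyVault` is a hypothetical stand-in for an HSM or managed key store, `PatientRecord`, `EncryptField` and `DecryptField` are names chosen for the example, and the sample record is constructed; the cipher is AES-256-GCM from Go's standard library. Destroying the data key in the vault is the cryptographic erase: every copy of the ciphertext, on any backup or retired drive, becomes irretrievable at once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KeyVault stands in for a hardened key store (HSM or managed vault). Keys live
// here and only here, never in the database row next to the ciphertext.
type KeyVault struct{ keys map[string][]byte }

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// Generate creates a fresh 256-bit AES data key under the given key ID.
func (v *KeyVault) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keys[id] = k
	return nil
}

// Destroy performs a cryptographic erase: the key material is zeroed and
// removed, so every ciphertext produced under it can no longer be opened.
func (v *KeyVault) Destroy(id string) {
	if k, ok := v.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, id)
	}
}

func (v *KeyVault) key(id string) ([]byte, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " is not available (destroyed or never created)")
	}
	return k, nil
}

// PatientRecord shows field-level encryption: the record identifier stays usable
// for lookup, the diagnosis is stored only as ciphertext, and KeyID points into
// the vault rather than carrying the key.
type PatientRecord struct {
	RecordID     string
	KeyID        string
	DiagnosisEnc string // base64(nonce || ciphertext || GCM tag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext with AES-256-GCM under the named vault key.
// The record ID is passed as additional authenticated data, so a ciphertext
// copied into a different record fails authentication instead of decrypting.
func EncryptField(v *KeyVault, keyID, recordID, plaintext string) (string, error) {
	k, err := v.key(keyID)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it fails once the key has been destroyed.
func DecryptField(v *KeyVault, keyID, recordID, enc string) (string, error) {
	k, err := v.key(keyID)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	vault := NewKeyVault()
	if err := vault.Generate("dek-2024-01"); err != nil {
		panic(err)
	}
	// Constructed sample record; the MRN and diagnosis are fictitious.
	rec := PatientRecord{RecordID: "MRN-0001", KeyID: "dek-2024-01"}
	rec.DiagnosisEnc, _ = EncryptField(vault, rec.KeyID, rec.RecordID, "Type 2 diabetes")
	pt, _ := DecryptField(vault, rec.KeyID, rec.RecordID, rec.DiagnosisEnc)
	fmt.Println("before erase:", pt)
	vault.Destroy(rec.KeyID) // cryptographic erase at end of retention
	_, err := DecryptField(vault, rec.KeyID, rec.RecordID, rec.DiagnosisEnc)
	fmt.Println("after erase:", err)
}
```

In a production design the vault would be a FIPS-validated module as the Encryption Standards section requires, the key ID would carry a version so that rotation can re-encrypt records under a new key, and each `Generate` and `Destroy` call would be logged as a key operation; the example keeps only the parts needed to show why key separation makes erase-by-key-destruction work.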
Lifecycle governance
- Apply retention schedules, track media custody, and confirm sanitization prior to disposal or reuse.
- Ensure business associates meet the same destruction obligations and provide documentation.
Breach Notification Rule
A breach is an impermissible use or disclosure of unsecured PHI that compromises the security or privacy of the information. Unless you can demonstrate a low probability of compromise after a documented risk assessment, notification is required under the Breach Notification Rule.
Risk assessment factors
- Nature and extent of PHI involved, including identifiers and likelihood of re‑identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., prompt retrieval, satisfactory assurances of non‑retention).
Who to notify and when
- Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: For 500+ affected in a state/jurisdiction, report contemporaneously; for fewer than 500, report within 60 days after the end of the calendar year.
- Media: Notify prominent media if 500+ residents of a state/jurisdiction are affected.
- Business associates: Must notify the covered entity without unreasonable delay, providing information to identify affected individuals.
Notification content
- A description of what happened and the date of breach and discovery.
- The types of PHI involved (e.g., diagnoses, account numbers).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence, plus contact methods.
Exceptions to Breach Notification
Certain situations are not considered breaches requiring notification, even though an impermissible use or disclosure occurred. Apply these carefully and document your analysis.
Statutory exceptions
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under your authority, in good faith, within scope, without further impermissible use or disclosure.
- Inadvertent disclosure from one authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further impermissible use or disclosure.
- Situations where you have a good‑faith belief that the unauthorized recipient could not reasonably have retained the information (e.g., unopened mail returned, immediate secure deletion).
Safe harbor for secured PHI
If PHI is properly encrypted or destroyed using recognized encryption methodologies and PHI destruction standards, it is not “unsecured” and a subsequent loss or theft generally does not trigger breach notification.
Conclusion
To keep PHI from becoming unsecured, apply layered safeguards, encrypt in transit and at rest using NIST Special Publication 800-111 guidance where relevant, manage keys rigorously, and destroy data irretrievably when no longer needed. If an incident occurs, use the Breach Notification Rule framework to assess risk, act quickly, and communicate transparently.
FAQs
What qualifies PHI as unsecured?
PHI is unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through strong encryption or proper destruction. If someone without authorization can access, understand, or retain the information, it is unsecured.
How does encryption secure PHI?
Encryption mathematically transforms PHI so that only holders of the correct keys can read it. Using FIPS‑validated modules and sound key management makes stolen or intercepted data indecipherable, converting what would be unsecured PHI into secured PHI.
When is breach notification required?
Notification is required when there is an impermissible use or disclosure of unsecured PHI and you cannot demonstrate a low probability of compromise after a documented risk assessment. Timelines include notifying affected individuals without unreasonable delay and within 60 days of discovery.
What are exceptions to breach notification?
Exceptions include certain good‑faith, unintentional, or intra‑organizational disclosures that are not further misused, and incidents where the recipient could not reasonably retain the information. Additionally, properly encrypted or destroyed PHI is not considered unsecured and typically does not require notification.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.