Return to HIPAA Regulations Index

Definitions: Unsecured Protected Health Information
SECTION 164.402
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L. 111-5 on the HHS web site.

Section 13402(h)(1)(A) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [§ 13402(h)(2)].” Further, the Act at § 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defines “unsecured protected health information” to mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. We also provide in the regulation that the guidance will be published on the HHS web site.

Section 13402(h)(2) of the Act required that the Secretary initially issue such guidance, after consultation with stakeholders, no later than 60 days after enactment, or April 17, 2009. As discussed above, the Secretary issued the guidance along with a request for information on April 17, 2009, on the HHS web site at http://www.hhs.gov/ocr/privacy/ and the guidance was later published in the Federal Register on April 27, 2009 (74 FR 19006). The Department has reviewed the public comment received in response to the request for information and provides an update to the guidance in Section II of this document. As provided in this interim final rule, this updated guidance is also (and any future updates will be) available on the HHS web site at http://www.hhs.gov/ocr/privacy/.

We note that the definition of “unsecured protected health information” in the Act and this interim final rule incorporates generally the term “protected health information,” as defined at 45 CFR 160.103 of the HIPAA Rules, which includes information in any form or medium. Accordingly, the term “unsecured protected health information” can include information in any form or medium, including electronic, paper, or oral form.